Title: [258401] trunk/Source/WebKit
Revision
258401
Author
ddkil...@apple.com
Date
2020-03-13 09:22:59 -0700 (Fri, 13 Mar 2020)

Log Message

WebPageProxy::SetPromisedDataForImage should validate its `imageSize` and `archiveSize` parameters
<https://webkit.org/b/209029>
<rdar://problem/60181394>

Reviewed by Youenn Fablet.

* UIProcess/mac/WebPageProxyMac.mm:
(WebKit::WebPageProxy::setPromisedDataForImage):
- Validate `imageSize` and `archiveSize` using MESSAGE_CHECK().
- Add static_cast<size_t>() to `imageSize` and `archiveSize`
  parameters to denote type change.
- Add nullptr check for SharedMemory::map() result with
  `archiveHandle`.

Diff

Modified: trunk/Source/WebKit/ChangeLog (258400 => 258401)


--- trunk/Source/WebKit/ChangeLog	2020-03-13 16:11:34 UTC (rev 258400)
+++ trunk/Source/WebKit/ChangeLog	2020-03-13 16:22:59 UTC (rev 258401)
@@ -1,3 +1,19 @@
+2020-03-13  David Kilzer  <ddkil...@apple.com>
+
+        WebPageProxy::SetPromisedDataForImage should validate its `imageSize` and `archiveSize` parameters
+        <https://webkit.org/b/209029>
+        <rdar://problem/60181394>
+
+        Reviewed by Youenn Fablet.
+
+        * UIProcess/mac/WebPageProxyMac.mm:
+        (WebKit::WebPageProxy::setPromisedDataForImage):
+        - Validate `imageSize` and `archiveSize` using MESSAGE_CHECK().
+        - Add static_cast<size_t>() to `imageSize` and `archiveSize`
+          parameters to denote type change.
+        - Add nullptr check for SharedMemory::map() result with
+          `archiveHandle`.
+
 2020-03-13  Carlos Garcia Campos  <cgar...@igalia.com>
 
         [SOUP] Notify web process about WebSocket handshake request and response
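Review bot: the new ChangeLog entry lists the mechanics of the change but not the failure it closes; a one-line rationale under the `(WebKit::WebPageProxy::setPromisedDataForImage):` heading would help future readers, for example that `imageSize` and `archiveSize` arrive from the web process in an IPC message and, unchecked, could exceed the mapped region handed to `SharedBuffer::create()`, and that the `archiveHandle` map result was previously dereferenced without a null check.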

Modified: trunk/Source/WebKit/UIProcess/mac/WebPageProxyMac.mm (258400 => 258401)


--- trunk/Source/WebKit/UIProcess/mac/WebPageProxyMac.mm	2020-03-13 16:11:34 UTC (rev 258400)
+++ trunk/Source/WebKit/UIProcess/mac/WebPageProxyMac.mm	2020-03-13 16:22:59 UTC (rev 258401)
@@ -286,17 +286,23 @@
     MESSAGE_CHECK_URL(url);
     MESSAGE_CHECK_URL(visibleURL);
     MESSAGE_CHECK(!imageHandle.isNull());
+    // SharedMemory::Handle::size() is rounded up to the nearest page.
+    MESSAGE_CHECK(imageSize && imageSize <= imageHandle.size());
 
-    RefPtr<SharedMemory> sharedMemoryImage = SharedMemory::map(imageHandle, SharedMemory::Protection::ReadOnly);
+    auto sharedMemoryImage = SharedMemory::map(imageHandle, SharedMemory::Protection::ReadOnly);
     if (!sharedMemoryImage)
         return;
 
-    auto imageBuffer = SharedBuffer::create(static_cast<unsigned char*>(sharedMemoryImage->data()), imageSize);
+    auto imageBuffer = SharedBuffer::create(static_cast<unsigned char*>(sharedMemoryImage->data()), static_cast<size_t>(imageSize));
     RefPtr<SharedBuffer> archiveBuffer;
-    
+
     if (!archiveHandle.isNull()) {
-        RefPtr<SharedMemory> sharedMemoryArchive = SharedMemory::map(archiveHandle, SharedMemory::Protection::ReadOnly);
-        archiveBuffer = SharedBuffer::create(static_cast<unsigned char*>(sharedMemoryArchive->data()), archiveSize);
+        // SharedMemory::Handle::size() is rounded up to the nearest page.
+        MESSAGE_CHECK(archiveSize && archiveSize <= archiveHandle.size());
+        auto sharedMemoryArchive = SharedMemory::map(archiveHandle, SharedMemory::Protection::ReadOnly);
+        if (!sharedMemoryArchive)
+            return;
+        archiveBuffer = SharedBuffer::create(static_cast<unsigned char*>(sharedMemoryArchive->data()), static_cast<size_t>(archiveSize));
     }
     pageClient().setPromisedDataForImage(pasteboardName, WTFMove(imageBuffer), filename, extension, title, url, visibleURL, WTFMove(archiveBuffer));
 }
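Review bot: the `archiveSize` check at `MESSAGE_CHECK(archiveSize && archiveSize <= archiveHandle.size());` runs only after `sharedMemoryImage` has been mapped and `imageBuffer` built from it, so a bad archive size is caught late and the image work is discarded; consider hoisting it next to the `imageSize` check, guarded by `!archiveHandle.isNull()`, so that all message validation fails fast before any mapping. Two further points on the same hunk: the `imageSize &&` / `archiveSize &&` terms are a behaviour change, since a zero size previously produced an empty `SharedBuffer` and now trips MESSAGE_CHECK, which is worth a sentence in the ChangeLog; and since the comment notes that `SharedMemory::Handle::size()` is page-rounded, the bound only guarantees the read stays inside the mapping, not inside the sender's actual payload, which is fine for memory safety but should be stated so nobody later treats it as a tight size check.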
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes