Title: [258507] trunk/Source/WebKit
- Revision
- 258507
- Author
- ddkil...@apple.com
- Date
- 2020-03-16 10:24:59 -0700 (Mon, 16 Mar 2020)
Log Message
WebPage::GetDataSelectionForPasteboard should validate its `size` variable
<https://webkit.org/b/209092>
<rdar://problem/60181345>
Reviewed by Brent Fulgham.
* Platform/IPC/Connection.h:
(MESSAGE_CHECK_WITH_RETURN_VALUE_BASE): Add.
- Variant of MESSAGE_CHECK_BASE() that takes a return value.
* UIProcess/mac/WebPageProxyMac.mm:
(MESSAGE_CHECK_WITH_RETURN_VALUE): Add.
(WebKit::WebPageProxy::dataSelectionForPasteboard):
- Use new MESSAGE_CHECK_WITH_RETURN_VALUE() macro to update
check for handle.isNull() and to add check for `size`
variable.
- Add static_cast<size_t>() to `size` variable to denote type
change.
Modified Paths
Diff
Modified: trunk/Source/WebKit/ChangeLog (258506 => 258507)
--- trunk/Source/WebKit/ChangeLog 2020-03-16 16:51:06 UTC (rev 258506)
+++ trunk/Source/WebKit/ChangeLog 2020-03-16 17:24:59 UTC (rev 258507)
@@ -1,3 +1,23 @@
+2020-03-16 David Kilzer <ddkil...@apple.com>
+
+ WebPage::GetDataSelectionForPasteboard should validate its `size` variable
+ <https://webkit.org/b/209092>
+ <rdar://problem/60181345>
+
+ Reviewed by Brent Fulgham.
+
+ * Platform/IPC/Connection.h:
+ (MESSAGE_CHECK_WITH_RETURN_VALUE_BASE): Add.
+ - Variant of MESSAGE_CHECK_BASE() that takes a return value.
+ * UIProcess/mac/WebPageProxyMac.mm:
+ (MESSAGE_CHECK_WITH_RETURN_VALUE): Add.
+ (WebKit::WebPageProxy::dataSelectionForPasteboard):
+ - Use new MESSAGE_CHECK_WITH_RETURN_VALUE() macro to update
+ check for handle.isNull() and to add check for `size`
+ variable.
+ - Add static_cast<size_t>() to `size` variable to denote type
+ change.
+
2020-03-16 Youenn Fablet <you...@apple.com>
Apply rotation at source level if WebRTC sink ask so
Modified: trunk/Source/WebKit/Platform/IPC/Connection.h (258506 => 258507)
--- trunk/Source/WebKit/Platform/IPC/Connection.h 2020-03-16 16:51:06 UTC (rev 258506)
+++ trunk/Source/WebKit/Platform/IPC/Connection.h 2020-03-16 17:24:59 UTC (rev 258507)
@@ -87,6 +87,14 @@
} \
while (0)
+#define MESSAGE_CHECK_WITH_RETURN_VALUE_BASE(assertion, connection, returnValue) do \
+ if (!(assertion)) { \
+ ASSERT(assertion); \
+ (connection)->markCurrentlyDispatchedMessageAsInvalid(); \
+ return (returnValue); \
+ } \
+while (0)
+
template<typename AsyncReplyResult> struct AsyncReplyError {
static AsyncReplyResult create() { return AsyncReplyResult { }; };
};
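Review bot: The new `MESSAGE_CHECK_WITH_RETURN_VALUE_BASE` macro has no comment stating that it returns from the calling function, or that `assertion` is expanded twice (once in the `if`, once inside `ASSERT`). An argument with side effects would therefore run twice in assertion-enabled builds. A short comment above the `#define` would cover both, for example `// Validates data received over IPC: on failure, marks the current message invalid and returns returnValue from the caller. assertion must be free of side effects.` The macro that ends just above this hunk is not visible here, so whether it already documents the same caveat cannot be checked from this page.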
Modified: trunk/Source/WebKit/UIProcess/mac/WebPageProxyMac.mm (258506 => 258507)
--- trunk/Source/WebKit/UIProcess/mac/WebPageProxyMac.mm 2020-03-16 16:51:06 UTC (rev 258506)
+++ trunk/Source/WebKit/UIProcess/mac/WebPageProxyMac.mm 2020-03-16 17:24:59 UTC (rev 258507)
@@ -31,6 +31,7 @@
#import "APIUIClient.h"
#import "AttributedString.h"
#import "ColorSpaceData.h"
+#import "Connection.h"
#import "DataReference.h"
#import "EditorState.h"
#import "FontInfo.h"
@@ -67,6 +68,7 @@
#define MESSAGE_CHECK(assertion) MESSAGE_CHECK_BASE(assertion, process().connection())
#define MESSAGE_CHECK_URL(url) MESSAGE_CHECK_BASE(checkURLReceivedFromCurrentOrPreviousWebProcess(m_process, url), m_process->connection())
+#define MESSAGE_CHECK_WITH_RETURN_VALUE(assertion, returnValue) MESSAGE_CHECK_WITH_RETURN_VALUE_BASE(assertion, process().connection(), returnValue)
@interface NSApplication ()
- (BOOL)isSpeaking;
@@ -252,12 +254,14 @@
const Seconds messageTimeout(20);
process().sendSync(Messages::WebPage::GetDataSelectionForPasteboard(pasteboardType),
Messages::WebPage::GetDataSelectionForPasteboard::Reply(handle, size), m_webPageID, messageTimeout);
- if (handle.isNull())
- return nullptr;
- RefPtr<SharedMemory> sharedMemoryBuffer = SharedMemory::map(handle, SharedMemory::Protection::ReadOnly);
+ MESSAGE_CHECK_WITH_RETURN_VALUE(!handle.isNull(), nullptr);
+ // SharedMemory::Handle::size() is rounded up to the nearest page.
+ MESSAGE_CHECK_WITH_RETURN_VALUE(size <= handle.size(), nullptr);
+
+ auto sharedMemoryBuffer = SharedMemory::map(handle, SharedMemory::Protection::ReadOnly);
if (!sharedMemoryBuffer)
return nullptr;
- return SharedBuffer::create(static_cast<unsigned char *>(sharedMemoryBuffer->data()), size);
+ return SharedBuffer::create(static_cast<unsigned char *>(sharedMemoryBuffer->data()), static_cast<size_t>(size));
}
bool WebPageProxy::readSelectionFromPasteboard(const String& pasteboardName)
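Review bot: The result of `process().sendSync(...)` is still ignored, so a failed send or an expired 20-second timeout presumably leaves `handle` in its initial state. `MESSAGE_CHECK_WITH_RETURN_VALUE(!handle.isNull(), nullptr)` would then mark a message as invalid even though the web process sent nothing malformed, whereas the old code returned nullptr quietly. If sendSync reports failure through its return value, bail out first, e.g. `if (!process().sendSync(..., messageTimeout)) return nullptr;`. It is also worth confirming that a null handle is never a legitimate reply (an empty selection, say) before treating it as a protocol violation. The declarations of `handle` and `size` and the start of dataSelectionForPasteboard lie outside the hunk, so this is inferred from the visible lines only.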