Title: [259662] branches/safari-609.2.1.2-branch/Source/WebKit
Revision
259662
Author
alanc...@apple.com
Date
2020-04-07 13:03:14 -0700 (Tue, 07 Apr 2020)

Log Message

Apply patch. rdar://problem/61231881

Modified Paths

branches/safari-609.2.1.2-branch/Source/WebKit/ChangeLog
branches/safari-609.2.1.2-branch/Source/WebKit/UIProcess/ios/WebPageProxyIOS.mm

Diff

Modified: branches/safari-609.2.1.2-branch/Source/WebKit/ChangeLog (259661 => 259662)


--- branches/safari-609.2.1.2-branch/Source/WebKit/ChangeLog	2020-04-07 20:03:10 UTC (rev 259661)
+++ branches/safari-609.2.1.2-branch/Source/WebKit/ChangeLog	2020-04-07 20:03:14 UTC (rev 259662)
@@ -1,3 +1,25 @@
+2020-04-07  Russell Epstein  <repst...@apple.com>
+
+        Apply patch. rdar://problem/61231881
+
+    2020-04-07  David Kilzer  <ddkil...@apple.com>
+
+            Cherry-pick r258374. rdar://problem/60396281
+
+        2020-03-12  David Kilzer  <ddkil...@apple.com>
+
+            WebPageProxy::SaveImageToLibrary should validate its `imageSize` parameter
+            <https://webkit.org/b/209012>
+            <rdar://problem/60181295>
+
+            Reviewed by Chris Dumez.
+
+            * UIProcess/ios/WebPageProxyIOS.mm:
+            (WebKit::WebPageProxy::saveImageToLibrary):
+            - Validate upper bound of `imageSize` parameter.
+            - Add static_cast<size_t>() to `imageSize` parameter to denote
+              type change.
+
 2020-04-07  Alan Coon  <alanc...@apple.com>
 
         Apply patch. rdar://problem/61404555
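Review bot: The new top-level entry names Russell Epstein as the author of "Apply patch. rdar://problem/61231881", but the revision's author is alanc...@apple.com (the same author as the existing "Apply patch. rdar://problem/61404555" entry below it); confirm the entry reflects who landed this branch commit. The nested cherry-pick entries are otherwise consistent and the inner entry usefully records the two changes made in WebPageProxyIOS.mm.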

Modified: branches/safari-609.2.1.2-branch/Source/WebKit/UIProcess/ios/WebPageProxyIOS.mm (259661 => 259662)


--- branches/safari-609.2.1.2-branch/Source/WebKit/UIProcess/ios/WebPageProxyIOS.mm	2020-04-07 20:03:10 UTC (rev 259661)
+++ branches/safari-609.2.1.2-branch/Source/WebKit/UIProcess/ios/WebPageProxyIOS.mm	2020-04-07 20:03:14 UTC (rev 259662)
@@ -647,13 +647,14 @@
 void WebPageProxy::saveImageToLibrary(const SharedMemory::Handle& imageHandle, uint64_t imageSize)
 {
     MESSAGE_CHECK(!imageHandle.isNull());
-    MESSAGE_CHECK(imageSize);
+    // SharedMemory::Handle::size() is rounded up to the nearest page.
+    MESSAGE_CHECK(imageSize && imageSize <= imageHandle.size());
 
     auto sharedMemoryBuffer = SharedMemory::map(imageHandle, SharedMemory::Protection::ReadOnly);
     if (!sharedMemoryBuffer)
         return;
 
-    auto buffer = SharedBuffer::create(static_cast<unsigned char*>(sharedMemoryBuffer->data()), imageSize);
+    auto buffer = SharedBuffer::create(static_cast<unsigned char*>(sharedMemoryBuffer->data()), static_cast<size_t>(imageSize));
     pageClient().saveImageToLibrary(WTFMove(buffer));
 }
 
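Review bot: The new bound `imageSize <= imageHandle.size()` must stay ahead of the later `static_cast<size_t>(imageSize)`, because on a 32-bit target that cast narrows a `uint64_t` and a large value could otherwise wrap to a small length after the check; the ordering in this hunk is correct, so consider stating that in the comment next to the MESSAGE_CHECK. Since the check is against the handle's page-rounded size rather than the size of the mapping actually obtained, it would also be worth asserting `imageSize <= sharedMemoryBuffer->size()` after the successful `SharedMemory::map` call, so that the length passed to `SharedBuffer::create` is tied to the buffer it reads from.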
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
