Title: [277655] trunk/Source/WebKit
- Revision
- 277655
- Author
- cdu...@apple.com
- Date
- 2021-05-18 09:07:04 -0700 (Tue, 18 May 2021)
Log Message
ReadOnlySharedRingBufferStorage::updateFrameBounds() should validate boundsBufferSize
https://bugs.webkit.org/show_bug.cgi?id=225918
Reviewed by Youenn Fablet.
ReadOnlySharedRingBufferStorage::updateFrameBounds() should validate boundsBufferSize since the
process writing the buffer size on the other end may not be trusted.
* Shared/Cocoa/SharedRingBufferStorage.cpp:
(WebKit::ReadOnlySharedRingBufferStorage::updateFrameBounds):
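The pattern the commit describes, a reader that takes an array index out of shared memory written by a process it does not trust, is shown below as an added example. It is not WebKit's code: the `SharedBounds` layout, the constant `boundsBufferSize`, the `publishBounds` writer and the function names are assumptions made for the illustration. The hardened reader loads the index once, validates that single value, and subscripts with the same local, so the writer cannot change the value between the check and the use; an out-of-range index degrades to an empty frame range instead of an out-of-bounds read.

```cpp
// Added example (not WebKit code): reading ring-buffer frame bounds that
// another, possibly hostile, process publishes through shared memory.
#include <array>
#include <atomic>
#include <cstdint>
#include <utility>

// Hypothetical stand-in for the shared bounds block. The layout and the
// reader-side constant boundsBufferSize are assumptions for this example.
constexpr unsigned boundsBufferSize = 2;

struct SharedBounds {
    std::atomic<unsigned> boundsBufferIndex { 0 };
    std::array<std::pair<uint64_t, uint64_t>, boundsBufferSize> boundsBuffer {};
};

struct FrameBounds {
    uint64_t startFrame = 0;
    uint64_t endFrame = 0;
};

// Hardened reader: load the index ONCE, validate that one value, and use the
// same local for the subscript. Anything the untrusted writer changes after
// the load cannot affect what is checked or what is indexed.
FrameBounds readBoundsChecked(const SharedBounds* shared)
{
    if (!shared)
        return {};
    unsigned index = shared->boundsBufferIndex.load(std::memory_order_acquire);
    if (index >= boundsBufferSize)
        return {}; // index came from an untrusted process: empty range, no read
    auto pair = shared->boundsBuffer[index];
    return { pair.first, pair.second };
}

// The pre-fix shape, reduced to the index it would subscript with. It returns
// the index rather than dereferencing so the example never performs the
// out-of-bounds read it is illustrating.
unsigned indexUncheckedReaderWouldUse(const SharedBounds* shared)
{
    return shared->boundsBufferIndex.load(std::memory_order_acquire);
}

// Well-behaved writer: fill the slot that is not currently published, then
// publish it with a release store so a reader's acquire load of the index
// also sees the pair stored in that slot.
void publishBounds(SharedBounds& shared, uint64_t start, uint64_t end)
{
    unsigned current = shared.boundsBufferIndex.load(std::memory_order_relaxed);
    unsigned next = (current + 1) % boundsBufferSize;
    shared.boundsBuffer[next] = { start, end };
    shared.boundsBufferIndex.store(next, std::memory_order_release);
}

// Scenario: a good publish, then a hostile writer scribbling a huge index.
// Returns true when the checked reader behaves as intended in both cases.
bool demo()
{
    SharedBounds shared;
    publishBounds(shared, 10, 20);
    FrameBounds good = readBoundsChecked(&shared);
    if (good.startFrame != 10 || good.endFrame != 20)
        return false;

    // Constructed hostile write: the peer process sets an index far past the array.
    shared.boundsBufferIndex.store(0xFFFFFFFFu, std::memory_order_release);
    if (indexUncheckedReaderWouldUse(&shared) < boundsBufferSize)
        return false; // the old code would have subscripted with this value
    FrameBounds safe = readBoundsChecked(&shared);
    return safe.startFrame == 0 && safe.endFrame == 0;
}

int main()
{
    return demo() ? 0 : 1;
}
```

Two details carry the security weight here. First, the comparison and the subscript both use the local `index`; a version that wrote `if (shared->boundsBufferIndex.load() < boundsBufferSize) pair = shared->boundsBuffer[shared->boundsBufferIndex.load()]` would be a time-of-check/time-of-use race against the writer. Second, `boundsBufferSize` must be a constant owned by the reader (here, the array length); a bound read back out of the same shared mapping would be under the writer's control and the check would be meaningless.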
Modified Paths
Diff
Modified: trunk/Source/WebKit/ChangeLog (277654 => 277655)
--- trunk/Source/WebKit/ChangeLog 2021-05-18 15:55:15 UTC (rev 277654)
+++ trunk/Source/WebKit/ChangeLog 2021-05-18 16:07:04 UTC (rev 277655)
@@ -1,3 +1,16 @@
+2021-05-18 Chris Dumez <cdu...@apple.com>
+
+ ReadOnlySharedRingBufferStorage::updateFrameBounds() should validate boundsBufferSize
+ https://bugs.webkit.org/show_bug.cgi?id=225918
+
+ Reviewed by Youenn Fablet.
+
+ ReadOnlySharedRingBufferStorage::updateFrameBounds() should validate boundsBufferSize since the
+ process writing the buffer size on the other end may not be trusted.
+
+ * Shared/Cocoa/SharedRingBufferStorage.cpp:
+ (WebKit::ReadOnlySharedRingBufferStorage::updateFrameBounds):
+
2021-05-18 Youenn Fablet <you...@apple.com>
Resurrect WKWebView media controls API removed in https://bugs.webkit.org/show_bug.cgi?id=221929
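Review bot: the title and the description in this ChangeLog entry misname what is validated: they say updateFrameBounds() "should validate boundsBufferSize" and that the other process writes "the buffer size", but the code change in SharedRingBufferStorage.cpp validates the shared `boundsBufferIndex` against `boundsBufferSize`, which is the reader's own bound and is not read from the shared mapping. Suggest "should validate boundsBufferIndex against boundsBufferSize since the process writing the index on the other end may not be trusted", and, per the usual WebKit ChangeLog practice, a sentence under the per-function entry stating the new behaviour: an out-of-range index takes the same early-return path as the existing case and leaves m_startFrame and m_endFrame at 0.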
Modified: trunk/Source/WebKit/Shared/Cocoa/SharedRingBufferStorage.cpp (277654 => 277655)
--- trunk/Source/WebKit/Shared/Cocoa/SharedRingBufferStorage.cpp 2021-05-18 15:55:15 UTC (rev 277654)
+++ trunk/Source/WebKit/Shared/Cocoa/SharedRingBufferStorage.cpp 2021-05-18 16:07:04 UTC (rev 277655)
@@ -70,8 +70,12 @@
m_startFrame = m_endFrame = 0;
return;
}
-
- auto pair = sharedBounds->boundsBuffer[sharedBounds->boundsBufferIndex.load(std::memory_order_acquire)];
+ unsigned boundsBufferIndex = sharedBounds->boundsBufferIndex.load(std::memory_order_acquire);
+ if (UNLIKELY(boundsBufferIndex >= boundsBufferSize)) {
+ m_startFrame = m_endFrame = 0;
+ return;
+ }
+ auto pair = sharedBounds->boundsBuffer[boundsBufferIndex];
m_startFrame = pair.first;
m_endFrame = pair.second;
}
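Review bot: the index is now checked, but the two values it yields, `pair.first` and `pair.second`, are still copied into m_startFrame and m_endFrame without any validation, and they come from the same shared mapping the ChangeLog says may be written by an untrusted process. Either confirm that every consumer of m_startFrame/m_endFrame clamps them against the ring buffer's capacity, or reject here on the same `m_startFrame = m_endFrame = 0; return;` path when pair.second < pair.first or the range is implausibly large. `boundsBufferSize` is not visible in this hunk; the check is only sound if it is a reader-side constant (the length of boundsBuffer), not a value read back from shared memory, which is worth a short comment at the UNLIKELY branch saying the index is untrusted input and why the fallback is an empty range. Loading `boundsBufferIndex` once into a local and using that same local for both the comparison and the subscript is the right shape; wrapping a check around the old `sharedBounds->boundsBuffer[sharedBounds->boundsBufferIndex.load(...)]` expression would have left a second load for the writer to race.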
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes