Changeset 196307 in webkit

Timestamp:

Feb 9, 2016 12:23:08 AM (7 years ago)

Author:

Carlos Garcia Campos

Message:

possible buffer overrun in Connection::processMessage of Source/WebKit2/Platform/IPC/unix/ConnectionUnix.cpp
​https://bugs.webkit.org/show_bug.cgi?id=153637

Patch by Fujii Hironori <​Hironori.Fujii@jp.sony.com> on 2016-02-09
Reviewed by Carlos Garcia Campos.

• Platform/IPC/unix/ConnectionUnix.cpp:

(IPC::Connection::processMessage): Fix invalid arguments of memmove.

Location:

trunk/Source/WebKit2

Files:

• ChangeLog (modified) (1 diff)
• Platform/IPC/unix/ConnectionUnix.cpp (modified) (1 diff)

trunk/Source/WebKit2/ChangeLog

@@ +1 @@
+2016-02-09  Fujii Hironori  <Hironori.Fujii@jp.sony.com>
+
+        possible buffer overrun in Connection::processMessage of Source/WebKit2/Platform/IPC/unix/ConnectionUnix.cpp
+        https://bugs.webkit.org/show_bug.cgi?id=153637
+
+        Reviewed by Carlos Garcia Campos.
+
+        * Platform/IPC/unix/ConnectionUnix.cpp:
+        (IPC::Connection::processMessage): Fix invalid arguments of memmove.
+
 2016-02-09  Carlos Garcia Campos  <cgarcia@igalia.com>
 

trunk/Source/WebKit2/Platform/IPC/unix/ConnectionUnix.cpp

@@ -260 +260 @@
     if (attachmentFileDescriptorCount) {
         if (m_fileDescriptorsSize > attachmentFileDescriptorCount) {
-            size_t fileDescriptorsLength = attachmentFileDescriptorCount * sizeof(int);
-            memmove(m_fileDescriptors.data(), m_fileDescriptors.data() + fileDescriptorsLength, m_fileDescriptorsSize - fileDescriptorsLength);
-            m_fileDescriptorsSize -= fileDescriptorsLength;
+            memmove(m_fileDescriptors.data(), m_fileDescriptors.data() + attachmentFileDescriptorCount, (m_fileDescriptorsSize - attachmentFileDescriptorCount) * sizeof(int));
+            m_fileDescriptorsSize -= attachmentFileDescriptorCount;
         } else
             m_fileDescriptorsSize = 0;