Changeset 217126 in webkit
- Timestamp: May 19, 2017, 7:45:49 AM (7 years ago)
- Location: trunk/Source/WebKit2
- Files: 2 edited
  - ChangeLog (modified) (1 diff)
  - Platform/IPC/unix/ConnectionUnix.cpp (modified) (1 diff)
trunk/Source/WebKit2/ChangeLog
r217123 r217126 1 2017-05-19 Carlos Garcia Campos <cgarcia@igalia.com> 2 3 Add more input validation in Connection::processMessage() 4 https://bugs.webkit.org/show_bug.cgi?id=171682 5 6 Reviewed by Michael Catanzaro. 7 8 Check limits of attachments and message size. Credit to Nathan Crandall for reporting this issue and submitting 9 an equivalent fix. 10 11 * Platform/IPC/unix/ConnectionUnix.cpp: 12 (IPC::Connection::processMessage): 13 1 14 2017-05-19 Carlos Garcia Campos <cgarcia@igalia.com> 2 15 -
trunk/Source/WebKit2/Platform/IPC/unix/ConnectionUnix.cpp
r213576 r217126 133 133 messageData += sizeof(messageInfo); 134 134 135 if (messageInfo.attachmentCount() > attachmentMaxAmount || (!messageInfo.isBodyOutOfLine() && messageInfo.bodySize() > messageMaxSize)) { 136 ASSERT_NOT_REACHED(); 137 return false; 138 } 139 135 140 size_t messageLength = sizeof(MessageInfo) + messageInfo.attachmentCount() * sizeof(AttachmentInfo) + (messageInfo.isBodyOutOfLine() ? 0 : messageInfo.bodySize()); 136 141 if (m_readBuffer.size() < messageLength)
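Review bot: The new condition in Connection::processMessage() only bounds bodySize() when the body is inline (`!messageInfo.isBodyOutOfLine() && messageInfo.bodySize() > messageMaxSize`), so a peer that sets the out-of-line flag gets its size field past this check unvalidated. If that value is later used to size or map the out-of-line body, it needs its own upper bound here or a comment pointing to where it is checked. Separately, `ASSERT_NOT_REACHED()` sits in a branch that a malformed message from the other process reaches by design, so debug builds abort in the receiver instead of exercising the `return false` path; logging the rejected attachmentCount() and bodySize() and returning would keep debug and release behaviour the same. Placing the check before messageLength is computed is right, since it keeps `attachmentCount() * sizeof(AttachmentInfo)` bounded; a one-line comment saying so would stop a later refactor from moving it below the computation.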