Changeset 217126 in webkit


Timestamp:
May 19, 2017, 7:45:49 AM (7 years ago)
Author:
Carlos Garcia Campos
Message:

Add more input validation in Connection::processMessage()
https://bugs.webkit.org/show_bug.cgi?id=171682

Reviewed by Michael Catanzaro.

Check limits of attachments and message size. Credit to Nathan Crandall for reporting this issue and submitting
an equivalent fix.

  • Platform/IPC/unix/ConnectionUnix.cpp:

(IPC::Connection::processMessage):

Location:
trunk/Source/WebKit2
Files:
2 edited

  • trunk/Source/WebKit2/ChangeLog

    r217123 r217126  
     12017-05-19  Carlos Garcia Campos  <cgarcia@igalia.com>
     2
     3        Add more input validation in Connection::processMessage()
     4        https://bugs.webkit.org/show_bug.cgi?id=171682
     5
     6        Reviewed by Michael Catanzaro.
     7
     8        Check limits of attachments and message size. Credit to Nathan Crandall for reporting this issue and submitting
     9        an equivalent fix.
     10
     11        * Platform/IPC/unix/ConnectionUnix.cpp:
     12        (IPC::Connection::processMessage):
     13
    1142017-05-19  Carlos Garcia Campos  <cgarcia@igalia.com>
    215
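
Review bot: the entry text at new lines 8-9 ("Check limits of attachments and message size") does not say that the size limit is applied only to in-line message bodies, which is what the condition added in ConnectionUnix.cpp actually does. Consider wording it as a limit on attachment count and on in-line body size, and noting that processMessage() returns false when either is exceeded, so someone reading the ChangeLog alone knows what input is now rejected and what is still accepted.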
  • trunk/Source/WebKit2/Platform/IPC/unix/ConnectionUnix.cpp

    r213576 r217126  
    133133    messageData += sizeof(messageInfo);
    134134
     135    if (messageInfo.attachmentCount() > attachmentMaxAmount || (!messageInfo.isBodyOutOfLine() && messageInfo.bodySize() > messageMaxSize)) {
     136        ASSERT_NOT_REACHED();
     137        return false;
     138    }
     139
    135140    size_t messageLength = sizeof(MessageInfo) + messageInfo.attachmentCount() * sizeof(AttachmentInfo) + (messageInfo.isBodyOutOfLine() ? 0 : messageInfo.bodySize());
    136141    if (m_readBuffer.size() < messageLength)
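
Review bot: the new condition at line 135 bounds bodySize() only when !messageInfo.isBodyOutOfLine(), so a message flagged as out-of-line passes this check with an arbitrary bodySize() value. Please confirm that the out-of-line path validates that size before it is used (the code that does so is not visible in this hunk), or add a comment here saying where that happens. Separately, ASSERT_NOT_REACHED() at line 136 sits on a path that is reached whenever the peer sends a malformed header; in assertion-enabled builds that turns rejected input into a crash of the receiving process, so a log statement followed by "return false;" would fit a validation failure better. The bound on attachmentCount() also keeps the attachmentCount() * sizeof(AttachmentInfo) term at line 140 small, provided attachmentMaxAmount is a small constant; its definition and that of messageMaxSize are outside the visible lines, so a short comment naming their values or location would help the next reader.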