Changeset 145435 in webkit

Timestamp:

Mar 11, 2013 4:57:21 PM (11 years ago)

Author:

alecflett@chromium.org

Message:

IndexedDB: Protect against key prefix overflows
​https://bugs.webkit.org/show_bug.cgi?id=111138

Reviewed by Tony Chang.

Source/WebCore:

This reworks the boundary checking for all databaseId,
objectStoreId, and indexId, including negative and
zero-based ids. All entrypoints into IDBLevelDBCoding
are protected with explicit checks and all internal
uses of KeyPrefix are protected with ASSERTs in the
various constructors.

Tests: WebKit unit tests IDBBackingStoreTest.cpp in WebKit/chromium

• Modules/indexeddb/IDBBackingStore.h: Make all public methods boolean-based for errors.
• Modules/indexeddb/IDBLevelDBCoding.h: Add methods for checking databaseId, objectStoreId, and indexId.

Source/WebKit/chromium:

Add tests for invalid indexIds in basic get/put operations.

Location:

trunk/Source

Files:

• WebCore/ChangeLog (modified) (1 diff)
• WebCore/Modules/indexeddb/IDBBackingStore.cpp (modified) (22 diffs)
• WebCore/Modules/indexeddb/IDBBackingStore.h (modified) (3 diffs)
• WebCore/Modules/indexeddb/IDBDatabaseBackendImpl.cpp (modified) (7 diffs)
• WebCore/Modules/indexeddb/IDBLevelDBCoding.cpp (modified) (18 diffs)
• WebCore/Modules/indexeddb/IDBLevelDBCoding.h (modified) (4 diffs)
• WebCore/Modules/indexeddb/IDBObjectStoreBackendImpl.cpp (modified) (1 diff)
• WebKit/chromium/ChangeLog (modified) (1 diff)
• WebKit/chromium/tests/IDBBackingStoreTest.cpp (modified) (8 diffs)
• WebKit/chromium/tests/IDBFakeBackingStore.h (modified) (2 diffs)
• WebKit/chromium/tests/IDBLevelDBCodingTest.cpp (modified) (2 diffs)

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2013-03-11  Alec Flett  <alecflett@chromium.org>
+
+        IndexedDB: Protect against key prefix overflows
+        https://bugs.webkit.org/show_bug.cgi?id=111138
+
+        Reviewed by Tony Chang.
+
+        This reworks the boundary checking for all databaseId,
+        objectStoreId, and indexId, including negative and
+        zero-based ids. All entrypoints into IDBLevelDBCoding
+        are protected with explicit checks and all internal
+        uses of KeyPrefix are protected with ASSERTs in the
+        various constructors.
+
+        Tests: WebKit unit tests IDBBackingStoreTest.cpp in WebKit/chromium
+
+        * Modules/indexeddb/IDBBackingStore.h: Make all public methods boolean-based for errors.
+        * Modules/indexeddb/IDBLevelDBCoding.h: Add methods for checking databaseId, objectStoreId, and indexId.
+
 2013-03-11  Philip Rogers  <pdr@google.com>
 

trunk/Source/WebCore/Modules/indexeddb/IDBBackingStore.cpp

@@ -637 +637 @@
 
 // FIXME: This should do some error handling rather than plowing ahead when bad data is encountered.
-void IDBBackingStore::getObjectStores(int64_t databaseId, IDBDatabaseMetadata::ObjectStoreMap* objectStores)
+bool IDBBackingStore::getObjectStores(int64_t databaseId, IDBDatabaseMetadata::ObjectStoreMap* objectStores)
 {
     IDB_TRACE("IDBBackingStore::getObjectStores");
+    if (!KeyPrefix::isValidDatabaseId(databaseId))
+        return false;
     const Vector<char> startKey = ObjectStoreMetaDataKey::encode(databaseId, 1, 0);
     const Vector<char> stopKey = ObjectStoreMetaDataKey::encodeMaxKey(databaseId);
@@ -725 +727 @@
 
         IDBObjectStoreMetadata metadata(objectStoreName, objectStoreId, keyPath, autoIncrement, maxIndexId);
-        getIndexes(databaseId, objectStoreId, &metadata.indexes);
+        if (!getIndexes(databaseId, objectStoreId, &metadata.indexes))
+            return false;
         objectStores->set(objectStoreId, metadata);
     }
+    return true;
 }
 
@@ -751 +755 @@
 {
     IDB_TRACE("IDBBackingStore::createObjectStore");
+    if (!KeyPrefix::validIds(databaseId, objectStoreId))
+        return false;
     LevelDBTransaction* levelDBTransaction = IDBBackingStore::Transaction::levelDBTransactionFrom(transaction);
     if (!setMaxObjectStoreId(levelDBTransaction, databaseId, objectStoreId))
@@ -780 +786 @@
 {
     IDB_TRACE("IDBBackingStore::deleteObjectStore");
+    if (!KeyPrefix::validIds(databaseId, objectStoreId))
+        return false;
     LevelDBTransaction* levelDBTransaction = IDBBackingStore::Transaction::levelDBTransactionFrom(transaction);
 
@@ -801 +809 @@
     deleteRange(levelDBTransaction, IndexMetaDataKey::encode(databaseId, objectStoreId, 0, 0), IndexMetaDataKey::encodeMaxKey(databaseId, objectStoreId));
 
-    clearObjectStore(transaction, databaseId, objectStoreId);
-    return true;
+    return clearObjectStore(transaction, databaseId, objectStoreId);
 }
 
@@ -808 +815 @@
 {
     IDB_TRACE("IDBBackingStore::getRecord");
+    if (!KeyPrefix::validIds(databaseId, objectStoreId))
+        return false;
     LevelDBTransaction* levelDBTransaction = IDBBackingStore::Transaction::levelDBTransactionFrom(transaction);
 
@@ -864 +873 @@
 {
     IDB_TRACE("IDBBackingStore::putRecord");
+    if (!KeyPrefix::validIds(databaseId, objectStoreId))
+        return false;
     ASSERT(key.isValid());
+
     LevelDBTransaction* levelDBTransaction = IDBBackingStore::Transaction::levelDBTransactionFrom(transaction);
     int64_t version = -1;
@@ -888 +900 @@
 }
 
-void IDBBackingStore::clearObjectStore(IDBBackingStore::Transaction* transaction, int64_t databaseId, int64_t objectStoreId)
+bool IDBBackingStore::clearObjectStore(IDBBackingStore::Transaction* transaction, int64_t databaseId, int64_t objectStoreId)
 {
     IDB_TRACE("IDBBackingStore::clearObjectStore");
+    if (!KeyPrefix::validIds(databaseId, objectStoreId))
+        return false;
     LevelDBTransaction* levelDBTransaction = IDBBackingStore::Transaction::levelDBTransactionFrom(transaction);
-    const Vector<char> startKey = KeyPrefix(databaseId, objectStoreId, 0).encode();
-    const Vector<char> stopKey = KeyPrefix(databaseId, objectStoreId + 1, 0).encode();
+    const Vector<char> startKey = KeyPrefix(databaseId, objectStoreId).encode();
+    const Vector<char> stopKey = KeyPrefix(databaseId, objectStoreId + 1).encode();
 
     deleteRange(levelDBTransaction, startKey, stopKey);
-}
-
-void IDBBackingStore::deleteRecord(IDBBackingStore::Transaction* transaction, int64_t databaseId, int64_t objectStoreId, const RecordIdentifier& recordIdentifier)
+    return true;
+}
+
+bool IDBBackingStore::deleteRecord(IDBBackingStore::Transaction* transaction, int64_t databaseId, int64_t objectStoreId, const RecordIdentifier& recordIdentifier)
 {
     IDB_TRACE("IDBBackingStore::deleteRecord");
+    if (!KeyPrefix::validIds(databaseId, objectStoreId))
+        return false;
     LevelDBTransaction* levelDBTransaction = IDBBackingStore::Transaction::levelDBTransactionFrom(transaction);
 
@@ -908 +925 @@
     const Vector<char> existsEntryKey = ExistsEntryKey::encode(databaseId, objectStoreId, recordIdentifier.primaryKey());
     levelDBTransaction->remove(existsEntryKey);
+    return true;
 }
 
@@ -913 +931 @@
 bool IDBBackingStore::getKeyGeneratorCurrentNumber(IDBBackingStore::Transaction* transaction, int64_t databaseId, int64_t objectStoreId, int64_t& keyGeneratorCurrentNumber)
 {
+    if (!KeyPrefix::validIds(databaseId, objectStoreId))
+        return false;
     LevelDBTransaction* levelDBTransaction = IDBBackingStore::Transaction::levelDBTransactionFrom(transaction);
 
@@ -961 +981 @@
 bool IDBBackingStore::maybeUpdateKeyGeneratorCurrentNumber(IDBBackingStore::Transaction* transaction, int64_t databaseId, int64_t objectStoreId, int64_t newNumber, bool checkCurrent)
 {
+    if (!KeyPrefix::validIds(databaseId, objectStoreId))
+        return false;
     LevelDBTransaction* levelDBTransaction = IDBBackingStore::Transaction::levelDBTransactionFrom(transaction);
 
@@ -980 +1002 @@
 {
     IDB_TRACE("IDBBackingStore::keyExistsInObjectStore");
+    if (!KeyPrefix::validIds(databaseId, objectStoreId))
+        return false;
     found = false;
     LevelDBTransaction* levelDBTransaction = IDBBackingStore::Transaction::levelDBTransactionFrom(transaction);
@@ -1018 +1042 @@
 
 // FIXME: This should do some error handling rather than plowing ahead when bad data is encountered.
-void IDBBackingStore::getIndexes(int64_t databaseId, int64_t objectStoreId, IDBObjectStoreMetadata::IndexMap* indexes)
+bool IDBBackingStore::getIndexes(int64_t databaseId, int64_t objectStoreId, IDBObjectStoreMetadata::IndexMap* indexes)
 {
     IDB_TRACE("IDBBackingStore::getIndexes");
+    if (!KeyPrefix::validIds(databaseId, objectStoreId))
+        return false;
     const Vector<char> startKey = IndexMetaDataKey::encode(databaseId, objectStoreId, 0, 0);
     const Vector<char> stopKey = IndexMetaDataKey::encode(databaseId, objectStoreId + 1, 0, 0);
@@ -1069 +1095 @@
         indexes->set(indexId, IDBIndexMetadata(indexName, indexId, keyPath, indexUnique, indexMultiEntry));
     }
+    return true;
 }
 
@@ -1096 +1123 @@
 {
     IDB_TRACE("IDBBackingStore::createIndex");
+    if (!KeyPrefix::validIds(databaseId, objectStoreId, indexId))
+        return false;
     LevelDBTransaction* levelDBTransaction = IDBBackingStore::Transaction::levelDBTransactionFrom(transaction);
     if (!setMaxIndexId(levelDBTransaction, databaseId, objectStoreId, indexId))
@@ -1112 +1141 @@
 }
 
-void IDBBackingStore::deleteIndex(IDBBackingStore::Transaction* transaction, int64_t databaseId, int64_t objectStoreId, int64_t indexId)
+bool IDBBackingStore::deleteIndex(IDBBackingStore::Transaction* transaction, int64_t databaseId, int64_t objectStoreId, int64_t indexId)
 {
     IDB_TRACE("IDBBackingStore::deleteIndex");
+    if (!KeyPrefix::validIds(databaseId, objectStoreId, indexId))
+        return false;
     LevelDBTransaction* levelDBTransaction = IDBBackingStore::Transaction::levelDBTransactionFrom(transaction);
 
@@ -1124 +1155 @@
     const Vector<char> indexDataEnd = IndexDataKey::encodeMaxKey(databaseId, objectStoreId, indexId);
     deleteRange(levelDBTransaction, indexDataStart, indexDataEnd);
-}
-
-void IDBBackingStore::putIndexDataForRecord(IDBBackingStore::Transaction* transaction, int64_t databaseId, int64_t objectStoreId, int64_t indexId, const IDBKey& key, const RecordIdentifier& recordIdentifier)
+    return true;
+}
+
+bool IDBBackingStore::putIndexDataForRecord(IDBBackingStore::Transaction* transaction, int64_t databaseId, int64_t objectStoreId, int64_t indexId, const IDBKey& key, const RecordIdentifier& recordIdentifier)
 {
     IDB_TRACE("IDBBackingStore::putIndexDataForRecord");
     ASSERT(key.isValid());
-    ASSERT(indexId >= MinimumIndexId);
+    if (!KeyPrefix::validIds(databaseId, objectStoreId, indexId))
+        return false;
 
     LevelDBTransaction* levelDBTransaction = IDBBackingStore::Transaction::levelDBTransactionFrom(transaction);
@@ -1140 +1173 @@
 
     levelDBTransaction->put(indexDataKey, data);
+    return true;
 }
 
@@ -1190 +1224 @@
 {
     IDB_TRACE("IDBBackingStore::findKeyInIndex");
+    ASSERT(KeyPrefix::validIds(databaseId, objectStoreId, indexId));
+
     ASSERT(foundEncodedPrimaryKey.isEmpty());
     found = false;
@@ -1230 +1266 @@
 {
     IDB_TRACE("IDBBackingStore::getPrimaryKeyViaIndex");
+    if (!KeyPrefix::validIds(databaseId, objectStoreId, indexId))
+        return false;
 
     bool found = false;
@@ -1249 +1287 @@
 {
     IDB_TRACE("IDBBackingStore::keyExistsInIndex");
+    if (!KeyPrefix::validIds(databaseId, objectStoreId, indexId))
+        return false;
 
     exists = false;
@@ -1763 +1803 @@
 {
     ASSERT(transaction);
+    if (!KeyPrefix::validIds(databaseId, objectStoreId, indexId))
+        return false;
+
     bool lowerBound = range && range->lower();
     bool upperBound = range && range->upper();

trunk/Source/WebCore/Modules/indexeddb/IDBBackingStore.h

@@ -69 +69 @@
     virtual bool deleteDatabase(const String& name);
 
-    void getObjectStores(int64_t databaseId, IDBDatabaseMetadata::ObjectStoreMap*);
+    bool getObjectStores(int64_t databaseId, IDBDatabaseMetadata::ObjectStoreMap*) WARN_UNUSED_RETURN;
     virtual bool createObjectStore(IDBBackingStore::Transaction*, int64_t databaseId, int64_t objectStoreId, const String& name, const IDBKeyPath&, bool autoIncrement);
     virtual bool deleteObjectStore(IDBBackingStore::Transaction*, int64_t databaseId, int64_t objectStoreId) WARN_UNUSED_RETURN;
@@ -90 +90 @@
     virtual bool getRecord(IDBBackingStore::Transaction*, int64_t databaseId, int64_t objectStoreId, const IDBKey&, Vector<char>& record) WARN_UNUSED_RETURN;
     virtual bool putRecord(IDBBackingStore::Transaction*, int64_t databaseId, int64_t objectStoreId, const IDBKey&, PassRefPtr<SharedBuffer> value, RecordIdentifier*) WARN_UNUSED_RETURN;
-    virtual void clearObjectStore(IDBBackingStore::Transaction*, int64_t databaseId, int64_t objectStoreId);
-    virtual void deleteRecord(IDBBackingStore::Transaction*, int64_t databaseId, int64_t objectStoreId, const RecordIdentifier&);
+    virtual bool clearObjectStore(IDBBackingStore::Transaction*, int64_t databaseId, int64_t objectStoreId) WARN_UNUSED_RETURN;
+    virtual bool deleteRecord(IDBBackingStore::Transaction*, int64_t databaseId, int64_t objectStoreId, const RecordIdentifier&) WARN_UNUSED_RETURN;
     virtual bool getKeyGeneratorCurrentNumber(IDBBackingStore::Transaction*, int64_t databaseId, int64_t objectStoreId, int64_t& currentNumber) WARN_UNUSED_RETURN;
     virtual bool maybeUpdateKeyGeneratorCurrentNumber(IDBBackingStore::Transaction*, int64_t databaseId, int64_t objectStoreId, int64_t newState, bool checkCurrent) WARN_UNUSED_RETURN;
     virtual bool keyExistsInObjectStore(IDBBackingStore::Transaction*, int64_t databaseId, int64_t objectStoreId, const IDBKey&, RecordIdentifier* foundRecordIdentifier, bool& found) WARN_UNUSED_RETURN;
 
-    virtual bool createIndex(IDBBackingStore::Transaction*, int64_t databaseId, int64_t objectStoreId, int64_t indexId, const String& name, const IDBKeyPath&, bool isUnique, bool isMultiEntry);
-    virtual void deleteIndex(IDBBackingStore::Transaction*, int64_t databaseId, int64_t objectStoreId, int64_t indexId);
-    virtual void putIndexDataForRecord(IDBBackingStore::Transaction*, int64_t databaseId, int64_t objectStoreId, int64_t indexId, const IDBKey&, const RecordIdentifier&);
+    virtual bool createIndex(IDBBackingStore::Transaction*, int64_t databaseId, int64_t objectStoreId, int64_t indexId, const String& name, const IDBKeyPath&, bool isUnique, bool isMultiEntry) WARN_UNUSED_RETURN;
+    virtual bool deleteIndex(IDBBackingStore::Transaction*, int64_t databaseId, int64_t objectStoreId, int64_t indexId) WARN_UNUSED_RETURN;
+    virtual bool putIndexDataForRecord(IDBBackingStore::Transaction*, int64_t databaseId, int64_t objectStoreId, int64_t indexId, const IDBKey&, const RecordIdentifier&) WARN_UNUSED_RETURN;
     virtual bool getPrimaryKeyViaIndex(IDBBackingStore::Transaction*, int64_t databaseId, int64_t objectStoreId, int64_t indexId, const IDBKey&, RefPtr<IDBKey>& primaryKey) WARN_UNUSED_RETURN;
     virtual bool keyExistsInIndex(IDBBackingStore::Transaction*, int64_t databaseId, int64_t objectStoreId, int64_t indexId, const IDBKey& indexKey, RefPtr<IDBKey>& foundPrimaryKey, bool& exists) WARN_UNUSED_RETURN;
@@ -179 +179 @@
 private:
     bool findKeyInIndex(IDBBackingStore::Transaction*, int64_t databaseId, int64_t objectStoreId, int64_t indexId, const IDBKey&, Vector<char>& foundEncodedPrimaryKey, bool& found);
-    void getIndexes(int64_t databaseId, int64_t objectStoreId, IDBObjectStoreMetadata::IndexMap*);
+    bool getIndexes(int64_t databaseId, int64_t objectStoreId, IDBObjectStoreMetadata::IndexMap*) WARN_UNUSED_RETURN;
 
     String m_identifier;

trunk/Source/WebCore/Modules/indexeddb/IDBDatabaseBackendImpl.cpp

@@ -180 +180 @@
 class DeleteIndexOperation : public IDBTransactionBackendImpl::Operation {
 public:
-    static PassOwnPtr<IDBTransactionBackendImpl::Operation> create(PassRefPtr<IDBBackingStore> backingStore, int64_t objectStoreId, int64_t indexId)
-    {
-        return adoptPtr(new DeleteIndexOperation(backingStore, objectStoreId, indexId));
-    }
-    virtual void perform(IDBTransactionBackendImpl*);
-private:
-    DeleteIndexOperation(PassRefPtr<IDBBackingStore> backingStore, int64_t objectStoreId, int64_t indexId)
+    static PassOwnPtr<IDBTransactionBackendImpl::Operation> create(PassRefPtr<IDBBackingStore> backingStore, int64_t objectStoreId, const IDBIndexMetadata& indexMetadata)
+    {
+        return adoptPtr(new DeleteIndexOperation(backingStore, objectStoreId, indexMetadata));
+    }
+    virtual void perform(IDBTransactionBackendImpl*);
+private:
+    DeleteIndexOperation(PassRefPtr<IDBBackingStore> backingStore, int64_t objectStoreId, const IDBIndexMetadata& indexMetadata)
         : m_backingStore(backingStore)
         , m_objectStoreId(objectStoreId)
-        , m_indexId(indexId)
+        , m_indexMetadata(indexMetadata)
     {
     }
@@ -195 +195 @@
     const RefPtr<IDBBackingStore> m_backingStore;
     const int64_t m_objectStoreId;
-    const int64_t m_indexId;
+    const IDBIndexMetadata m_indexMetadata;
 };
 
@@ -535 +535 @@
     if (!ok)
         return false;
-    if (success) {
-        m_backingStore->getObjectStores(m_metadata.id, &m_metadata.objectStores);
-        return true;
-    }
+    if (success)
+        return m_backingStore->getObjectStores(m_metadata.id, &m_metadata.objectStores);
+
     return m_backingStore->createIDBDatabaseMetaData(m_metadata.name, m_metadata.version, m_metadata.intVersion, m_metadata.id);
 }
@@ -641 +640 @@
     const IDBIndexMetadata& indexMetadata = objectStore.indexes.get(indexId);
 
-    transaction->scheduleTask(DeleteIndexOperation::create(m_backingStore, objectStoreId, indexId), DeleteIndexAbortOperation::create(this, objectStoreId, indexMetadata));
+    transaction->scheduleTask(DeleteIndexOperation::create(m_backingStore, objectStoreId, indexMetadata), DeleteIndexAbortOperation::create(this, objectStoreId, indexMetadata));
 
     removeIndex(objectStoreId, indexId);
@@ -649 +648 @@
 {
     IDB_TRACE("DeleteIndexOperation");
-    m_backingStore->deleteIndex(transaction->backingStoreTransaction(), transaction->database()->id(), m_objectStoreId, m_indexId);
+    bool ok = m_backingStore->deleteIndex(transaction->backingStoreTransaction(), transaction->database()->id(), m_objectStoreId, m_indexMetadata.id);
+    if (!ok) {
+        RefPtr<IDBDatabaseError> error = IDBDatabaseError::create(IDBDatabaseException::UnknownError, String::format("Internal error deleting index '%s'.", m_indexMetadata.name.utf8().data()));
+        transaction->abort(error);
+    }
 }
 
@@ -1024 +1027 @@
     if (backingStoreCursor) {
         do {
-            m_backingStore->deleteRecord(transaction->backingStoreTransaction(), m_databaseId, m_objectStoreId, backingStoreCursor->recordIdentifier());
+            if (!m_backingStore->deleteRecord(transaction->backingStoreTransaction(), m_databaseId, m_objectStoreId, backingStoreCursor->recordIdentifier())) {
+                m_callbacks->onError(IDBDatabaseError::create(IDBDatabaseException::UnknownError, "Error deleting data in range"));
+                return;
+            }
         } while (backingStoreCursor->continueFunction(0));
     }
@@ -1045 +1051 @@
 {
     IDB_TRACE("ObjectStoreClearOperation");
-    m_backingStore->clearObjectStore(transaction->backingStoreTransaction(), m_databaseId, m_objectStoreId);
+    if (!m_backingStore->clearObjectStore(transaction->backingStoreTransaction(), m_databaseId, m_objectStoreId)) {
+        m_callbacks->onError(IDBDatabaseError::create(IDBDatabaseException::UnknownError, "Error clearing object store"));
+        return;
+    }
     m_callbacks->onSuccess();
 }

trunk/Source/WebCore/Modules/indexeddb/IDBLevelDBCoding.cpp

@@ -974 +974 @@
 }
 
+KeyPrefix::KeyPrefix(int64_t databaseId)
+    : m_databaseId(databaseId)
+    , m_objectStoreId(0)
+    , m_indexId(0)
+{
+    ASSERT(KeyPrefix::isValidDatabaseId(databaseId));
+}
+
+KeyPrefix::KeyPrefix(int64_t databaseId, int64_t objectStoreId)
+    : m_databaseId(databaseId)
+    , m_objectStoreId(objectStoreId)
+    , m_indexId(0)
+{
+    ASSERT(KeyPrefix::isValidDatabaseId(databaseId));
+    ASSERT(KeyPrefix::isValidObjectStoreId(objectStoreId));
+}
+
 KeyPrefix::KeyPrefix(int64_t databaseId, int64_t objectStoreId, int64_t indexId)
     : m_databaseId(databaseId)
@@ -979 +996 @@
     , m_indexId(indexId)
 {
+    ASSERT(KeyPrefix::isValidDatabaseId(databaseId));
+    ASSERT(KeyPrefix::isValidObjectStoreId(objectStoreId));
+    ASSERT(KeyPrefix::isValidIndexId(indexId));
+}
+
+KeyPrefix::KeyPrefix(Type type, int64_t databaseId, int64_t objectStoreId, int64_t indexId)
+    : m_databaseId(databaseId)
+    , m_objectStoreId(objectStoreId)
+    , m_indexId(indexId)
+{
+    ASSERT(type == InvalidType);
+    ASSERT(KeyPrefix::isValidDatabaseId(databaseId));
+    ASSERT(KeyPrefix::isValidObjectStoreId(objectStoreId));
+}
+
+
+KeyPrefix KeyPrefix::createWithSpecialIndex(int64_t databaseId, int64_t objectStoreId, int64_t indexId)
+{
+    ASSERT(KeyPrefix::isValidDatabaseId(databaseId));
+    ASSERT(KeyPrefix::isValidObjectStoreId(objectStoreId));
+    ASSERT(indexId);
+    return KeyPrefix(InvalidType, databaseId, objectStoreId, indexId);
+}
+
+
+bool KeyPrefix::isValidDatabaseId(int64_t databaseId)
+{
+    return (databaseId > 0) && (databaseId < KeyPrefix::kMaxDatabaseId);
+}
+
+bool KeyPrefix::isValidObjectStoreId(int64_t objectStoreId)
+{
+    return (objectStoreId > 0) && (objectStoreId < KeyPrefix::kMaxObjectStoreId);
+}
+
+bool KeyPrefix::isValidIndexId(int64_t indexId)
+{
+    return (indexId >= MinimumIndexId) && (indexId < KeyPrefix::kMaxIndexId);
 }
 
@@ -1005 +1060 @@
 }
 
+Vector<char> KeyPrefix::encodeEmpty()
+{
+    const Vector<char, 4> result(4, 0);
+    ASSERT(encodeInternal(0, 0, 0) == Vector<char>(4, 0));
+    return result;
+}
+
 Vector<char> KeyPrefix::encode() const
 {
@@ -1010 +1072 @@
     ASSERT(m_objectStoreId != InvalidId);
     ASSERT(m_indexId != InvalidId);
-
-    Vector<char> databaseIdString = encodeInt(m_databaseId);
-    Vector<char> objectStoreIdString = encodeInt(m_objectStoreId);
-    Vector<char> indexIdString = encodeInt(m_indexId);
-
-    ASSERT(databaseIdString.size() <= 8);
-    ASSERT(objectStoreIdString.size() <= 8);
-    ASSERT(indexIdString.size() <= 4);
-
-
-    unsigned char firstByte = (databaseIdString.size() - 1) << 5 | (objectStoreIdString.size() - 1) << 2 | (indexIdString.size() - 1);
+    return encodeInternal(m_databaseId, m_objectStoreId, m_indexId);
+}
+
+Vector<char> KeyPrefix::encodeInternal(int64_t databaseId, int64_t objectStoreId, int64_t indexId)
+{
+    Vector<char> databaseIdString = encodeIntSafely(databaseId, kMaxDatabaseId);
+    Vector<char> objectStoreIdString = encodeIntSafely(objectStoreId, kMaxObjectStoreId);
+    Vector<char> indexIdString = encodeIntSafely(indexId, kMaxIndexId);
+
+    ASSERT(databaseIdString.size() <= kMaxDatabaseIdSizeBytes);
+    ASSERT(objectStoreIdString.size() <= kMaxObjectStoreIdSizeBytes);
+    ASSERT(indexIdString.size() <= kMaxIndexIdSizeBytes);
+
+    unsigned char firstByte = (databaseIdString.size() - 1) << (kMaxObjectStoreIdSizeBits + kMaxIndexIdSizeBits) | (objectStoreIdString.size() - 1) << kMaxIndexIdSizeBits | (indexIdString.size() - 1);
+    COMPILE_ASSERT(kMaxDatabaseIdSizeBits + kMaxObjectStoreIdSizeBits + kMaxIndexIdSizeBits == sizeof(firstByte) * 8, CANT_ENCODE_IDS);
     Vector<char, DefaultInlineBufferSize> ret;
     ret.append(firstByte);
@@ -1069 +1135 @@
 Vector<char> SchemaVersionKey::encode()
 {
-    KeyPrefix prefix(0, 0, 0);
-    Vector<char> ret = prefix.encode();
+    Vector<char> ret = KeyPrefix::encodeEmpty();
     ret.append(encodeByte(SchemaVersionTypeByte));
     return ret;
@@ -1077 +1142 @@
 Vector<char> MaxDatabaseIdKey::encode()
 {
-    KeyPrefix prefix(0, 0, 0);
-    Vector<char> ret = prefix.encode();
+    Vector<char> ret = KeyPrefix::encodeEmpty();
     ret.append(encodeByte(MaxDatabaseIdTypeByte));
     return ret;
@@ -1085 +1149 @@
 Vector<char> DataVersionKey::encode()
 {
-    KeyPrefix prefix(0, 0, 0);
-    Vector<char> ret = prefix.encode();
+    Vector<char> ret = KeyPrefix::encodeEmpty();
     ret.append(encodeByte(DataVersionTypeByte));
     return ret;
@@ -1117 +1180 @@
 Vector<char> DatabaseFreeListKey::encode(int64_t databaseId)
 {
-    KeyPrefix prefix(0, 0, 0);
-    Vector<char> ret = prefix.encode();
+    Vector<char> ret = KeyPrefix::encodeEmpty();
     ret.append(encodeByte(DatabaseFreeListTypeByte));
     ret.append(encodeVarInt(databaseId));
@@ -1165 +1227 @@
 Vector<char> DatabaseNameKey::encode(const String& origin, const String& databaseName)
 {
-    KeyPrefix prefix(0, 0, 0);
-    Vector<char> ret = prefix.encode();
+    Vector<char> ret = KeyPrefix::encodeEmpty();
     ret.append(encodeByte(DatabaseNameTypeByte));
     ret.append(encodeStringWithLength(origin));
@@ -1193 +1254 @@
 Vector<char> DatabaseMetaDataKey::encode(int64_t databaseId, MetaDataType metaDataType)
 {
-    KeyPrefix prefix(databaseId, 0, 0);
+    KeyPrefix prefix(databaseId);
     Vector<char> ret = prefix.encode();
     ret.append(encodeByte(metaDataType));
@@ -1232 +1293 @@
 Vector<char> ObjectStoreMetaDataKey::encode(int64_t databaseId, int64_t objectStoreId, unsigned char metaDataType)
 {
-    KeyPrefix prefix(databaseId, 0, 0);
+    KeyPrefix prefix(databaseId);
     Vector<char> ret = prefix.encode();
     ret.append(encodeByte(ObjectStoreMetaDataTypeByte));
@@ -1307 +1368 @@
 Vector<char> IndexMetaDataKey::encode(int64_t databaseId, int64_t objectStoreId, int64_t indexId, unsigned char metaDataType)
 {
-    KeyPrefix prefix(databaseId, 0, 0);
+    KeyPrefix prefix(databaseId);
     Vector<char> ret = prefix.encode();
     ret.append(encodeByte(IndexMetaDataTypeByte));
@@ -1370 +1431 @@
 Vector<char> ObjectStoreFreeListKey::encode(int64_t databaseId, int64_t objectStoreId)
 {
-    KeyPrefix prefix(databaseId, 0, 0);
+    KeyPrefix prefix(databaseId);
     Vector<char> ret = prefix.encode();
     ret.append(encodeByte(ObjectStoreFreeListTypeByte));
@@ -1427 +1488 @@
 Vector<char> IndexFreeListKey::encode(int64_t databaseId, int64_t objectStoreId, int64_t indexId)
 {
-    KeyPrefix prefix(databaseId, 0, 0);
+    KeyPrefix prefix(databaseId);
     Vector<char> ret = prefix.encode();
     ret.append(encodeByte(IndexFreeListTypeByte));
@@ -1483 +1544 @@
 Vector<char> ObjectStoreNamesKey::encode(int64_t databaseId, const String& objectStoreName)
 {
-    KeyPrefix prefix(databaseId, 0, 0);
+    KeyPrefix prefix(databaseId);
     Vector<char> ret = prefix.encode();
     ret.append(encodeByte(ObjectStoreNamesTypeByte));
@@ -1526 +1587 @@
 Vector<char> IndexNamesKey::encode(int64_t databaseId, int64_t objectStoreId, const String& indexName)
 {
-    KeyPrefix prefix(databaseId, 0, 0);
+    KeyPrefix prefix(databaseId);
     Vector<char> ret = prefix.encode();
     ret.append(encodeByte(IndexNamesKeyTypeByte));
@@ -1558 +1619 @@
 Vector<char> ObjectStoreDataKey::encode(int64_t databaseId, int64_t objectStoreId, const Vector<char> encodedUserKey)
 {
-    KeyPrefix prefix(databaseId, objectStoreId, SpecialIndexNumber);
+    KeyPrefix prefix(KeyPrefix::createWithSpecialIndex(databaseId, objectStoreId, SpecialIndexNumber));
     Vector<char> ret = prefix.encode();
     ret.append(encodedUserKey);
@@ -1600 +1661 @@
 Vector<char> ExistsEntryKey::encode(int64_t databaseId, int64_t objectStoreId, const Vector<char>& encodedKey)
 {
-    KeyPrefix prefix(databaseId, objectStoreId, SpecialIndexNumber);
+    KeyPrefix prefix(KeyPrefix::createWithSpecialIndex(databaseId, objectStoreId, SpecialIndexNumber));
     Vector<char> ret = prefix.encode();
     ret.append(encodedKey);

trunk/Source/WebCore/Modules/indexeddb/IDBLevelDBCoding.h

@@ -55 +55 @@
 bool decodeBool(const char* begin, const char* end);
 Vector<char> encodeInt(int64_t);
+inline Vector<char> encodeIntSafely(int64_t nParam, size_t max)
+{
+    ASSERT(static_cast<size_t>(nParam) <= max);
+    return encodeInt(nParam);
+}
 int64_t decodeInt(const char* begin, const char* end);
 Vector<char> encodeVarInt(int64_t);
@@ -78 +83 @@
 public:
     KeyPrefix();
+    explicit KeyPrefix(int64_t databaseId);
+    KeyPrefix(int64_t databaseId, int64_t objectStoreId);
     KeyPrefix(int64_t databaseId, int64_t objectStoreId, int64_t indexId);
+    static KeyPrefix createWithSpecialIndex(int64_t databaseId, int64_t objectStoreId, int64_t indexId);
 
     static const char* decode(const char* start, const char* limit, KeyPrefix* result);
     Vector<char> encode() const;
+    static Vector<char> encodeEmpty();
     int compare(const KeyPrefix& other) const;
 
@@ -93 +102 @@
     };
 
+    static const size_t kMaxDatabaseIdSizeBits = 3;
+    static const size_t kMaxObjectStoreIdSizeBits = 3;
+    static const size_t kMaxIndexIdSizeBits = 2;
+
+    static const size_t kMaxDatabaseIdSizeBytes = 1ULL << kMaxDatabaseIdSizeBits; // 8
+    static const size_t kMaxObjectStoreIdSizeBytes = 1ULL << kMaxObjectStoreIdSizeBits; // 8
+    static const size_t kMaxIndexIdSizeBytes = 1ULL << kMaxIndexIdSizeBits; // 4
+
+    static const size_t kMaxDatabaseIdBits = kMaxDatabaseIdSizeBytes * 8 - 1; // 63
+    static const size_t kMaxObjectStoreIdBits = kMaxObjectStoreIdSizeBytes * 8 - 1; // 63
+    static const size_t kMaxIndexIdBits = kMaxIndexIdSizeBytes * 8 - 1; // 31
+
+    static const int64_t kMaxDatabaseId = (1ULL << kMaxDatabaseIdBits) - 1; // max signed int64_t
+    static const int64_t kMaxObjectStoreId = (1ULL << kMaxObjectStoreIdBits) - 1; // max signed int64_t
+    static const int64_t kMaxIndexId = (1ULL << kMaxIndexIdBits) - 1; // max signed int32_t
+
+    static bool isValidDatabaseId(int64_t databaseId);
+    static bool isValidObjectStoreId(int64_t indexId);
+    static bool isValidIndexId(int64_t indexId);
+    static bool validIds(int64_t databaseId, int64_t objectStoreId, int64_t indexId)
+    {
+        return isValidDatabaseId(databaseId) && isValidObjectStoreId(objectStoreId) && isValidIndexId(indexId);
+    }
+    static bool validIds(int64_t databaseId, int64_t objectStoreId)
+    {
+        return isValidDatabaseId(databaseId) && isValidObjectStoreId(objectStoreId);
+    }
+
     Type type() const;
 
@@ -100 +137 @@
 
     static const int64_t InvalidId = -1;
+
+private:
+    static Vector<char> encodeInternal(int64_t databaseId, int64_t objectStoreId, int64_t indexId);
+    // Special constructor for createWithSpecialIndex()
+    KeyPrefix(Type, int64_t databaseId, int64_t objectStoreId, int64_t indexId);
 };
 

trunk/Source/WebCore/Modules/indexeddb/IDBObjectStoreBackendImpl.cpp

@@ -65 +65 @@
     int64_t indexId = m_indexMetadata.id;
     for (size_t i = 0; i < m_indexKeys.size(); ++i) {
-        backingStore.putIndexDataForRecord(transaction, databaseId, objectStoreId, indexId, *(m_indexKeys)[i].get(), recordIdentifier);
+        bool ok = backingStore.putIndexDataForRecord(transaction, databaseId, objectStoreId, indexId, *(m_indexKeys)[i].get(), recordIdentifier);
+        // This should have already been verified as a valid write during verifyIndexKeys.
+        ASSERT_UNUSED(ok, ok);
     }
 }

trunk/Source/WebKit/chromium/ChangeLog

@@ +1 @@
+2013-03-11  Alec Flett  <alecflett@chromium.org>
+
+        IndexedDB: Protect against key prefix overflows
+        https://bugs.webkit.org/show_bug.cgi?id=111138
+
+        Reviewed by Tony Chang.
+
+        Add tests for invalid indexIds in basic get/put operations.
+
 2013-03-11  Xiyuan Xia  <xiyuan@chromium.org>
 

trunk/Source/WebKit/chromium/tests/IDBBackingStoreTest.cpp

@@ -29 +29 @@
 
 #include "IDBFactoryBackendImpl.h"
+#include "IDBLevelDBCoding.h"
 #include "SharedBuffer.h"
 
@@ -37 +38 @@
 
 using namespace WebCore;
+using IDBLevelDBCoding::KeyPrefix;
 
 namespace {
@@ -54 +56 @@
         const char rawValue1[] = "value1";
         const char rawValue2[] = "value2";
+        const char rawValue3[] = "value3";
         m_value1.append(rawValue1, sizeof(rawValue1));
         m_value2.append(rawValue2, sizeof(rawValue2));
+        m_value3.append(rawValue3, sizeof(rawValue3));
         m_key1 = IDBKey::createNumber(99);
         m_key2 = IDBKey::createString("key2");
+        m_key3 = IDBKey::createString("key3");
     }
 
@@ -66 +71 @@
     RefPtr<IDBKey> m_key1;
     RefPtr<IDBKey> m_key2;
+    RefPtr<IDBKey> m_key3;
     Vector<char> m_value1;
     Vector<char> m_value2;
+    Vector<char> m_value3;
 };
 
@@ -97 +104 @@
     const int64_t highDatabaseId = 1ULL << 35;
     const int64_t highObjectStoreId = 1ULL << 39;
+    // indexIds are capped at 32 bits for storage purposes.
+    const int64_t highIndexId = 1ULL << 29;
+
+    const int64_t invalidHighIndexId = 1ULL << 37;
+
+    const RefPtr<IDBKey> indexKey = m_key2;
+    Vector<char> indexKeyRaw = IDBLevelDBCoding::encodeIDBKey(*indexKey);
     {
         IDBBackingStore::Transaction transaction1(m_backingStore.get());
@@ -103 +117 @@
         bool ok = m_backingStore->putRecord(&transaction1, highDatabaseId, highObjectStoreId, *m_key1.get(), SharedBuffer::create(m_value1.data(), m_value1.size()), &record);
         EXPECT_TRUE(ok);
+
+        ok = m_backingStore->putIndexDataForRecord(&transaction1, highDatabaseId, highObjectStoreId, invalidHighIndexId, *indexKey, record);
+        EXPECT_FALSE(ok);
+
+        ok = m_backingStore->putIndexDataForRecord(&transaction1, highDatabaseId, highObjectStoreId, highIndexId, *indexKey, record);
+        EXPECT_TRUE(ok);
+
         ok = transaction1.commit();
         EXPECT_TRUE(ok);
@@ -113 +134 @@
         bool ok = m_backingStore->getRecord(&transaction2, highDatabaseId, highObjectStoreId, *m_key1.get(), resultValue);
         EXPECT_TRUE(ok);
+        EXPECT_EQ(m_value1, resultValue);
+
+        RefPtr<IDBKey> newPrimaryKey;
+        ok = m_backingStore->getPrimaryKeyViaIndex(&transaction2, highDatabaseId, highObjectStoreId, invalidHighIndexId, *indexKey, newPrimaryKey);
+        EXPECT_FALSE(ok);
+
+        ok = m_backingStore->getPrimaryKeyViaIndex(&transaction2, highDatabaseId, highObjectStoreId, highIndexId, *indexKey, newPrimaryKey);
+        EXPECT_TRUE(ok);
+        EXPECT_TRUE(newPrimaryKey->isEqual(m_key1.get()));
+
         ok = transaction2.commit();
         EXPECT_TRUE(ok);
-        EXPECT_EQ(m_value1, resultValue);
-    }
+    }
+}
+
+// Make sure that other invalid ids do not crash.
+TEST_F(IDBBackingStoreTest, InvalidIds)
+{
+    // valid ids for use when testing invalid ids
+    const int64_t databaseId = 1;
+    const int64_t objectStoreId = 1;
+    const int64_t indexId = IDBLevelDBCoding::MinimumIndexId;
+    const int64_t invalidLowIndexId = 19; // indexIds must be > IDBLevelDBCoding::MinimumIndexId
+
+    const RefPtr<SharedBuffer> value = SharedBuffer::create(m_value1.data(), m_value1.size());
+    Vector<char> resultValue;
+
+    IDBBackingStore::Transaction transaction1(m_backingStore.get());
+    transaction1.begin();
+
+    IDBBackingStore::RecordIdentifier record;
+    bool ok = m_backingStore->putRecord(&transaction1, databaseId, KeyPrefix::InvalidId, *m_key1.get(), value, &record);
+    EXPECT_FALSE(ok);
+    ok = m_backingStore->putRecord(&transaction1, databaseId, 0, *m_key1.get(), value, &record);
+    EXPECT_FALSE(ok);
+    ok = m_backingStore->putRecord(&transaction1, KeyPrefix::InvalidId, objectStoreId, *m_key1.get(), value, &record);
+    EXPECT_FALSE(ok);
+    ok = m_backingStore->putRecord(&transaction1, 0, objectStoreId, *m_key1.get(), value, &record);
+    EXPECT_FALSE(ok);
+
+    ok = m_backingStore->getRecord(&transaction1, databaseId, KeyPrefix::InvalidId, *m_key1.get(), resultValue);
+    EXPECT_FALSE(ok);
+    ok = m_backingStore->getRecord(&transaction1, databaseId, 0, *m_key1.get(), resultValue);
+    EXPECT_FALSE(ok);
+    ok = m_backingStore->getRecord(&transaction1, KeyPrefix::InvalidId, objectStoreId, *m_key1.get(), resultValue);
+    EXPECT_FALSE(ok);
+    ok = m_backingStore->getRecord(&transaction1, 0, objectStoreId, *m_key1.get(), resultValue);
+    EXPECT_FALSE(ok);
+
+    RefPtr<IDBKey> newPrimaryKey;
+    ok = m_backingStore->getPrimaryKeyViaIndex(&transaction1, databaseId, objectStoreId, KeyPrefix::InvalidId, *m_key1, newPrimaryKey);
+    EXPECT_FALSE(ok);
+    ok = m_backingStore->getPrimaryKeyViaIndex(&transaction1, databaseId, objectStoreId, invalidLowIndexId, *m_key1, newPrimaryKey);
+    EXPECT_FALSE(ok);
+    ok = m_backingStore->getPrimaryKeyViaIndex(&transaction1, databaseId, objectStoreId, 0, *m_key1, newPrimaryKey);
+    EXPECT_FALSE(ok);
+
+    ok = m_backingStore->getPrimaryKeyViaIndex(&transaction1, KeyPrefix::InvalidId, objectStoreId, indexId, *m_key1, newPrimaryKey);
+    EXPECT_FALSE(ok);
+    ok = m_backingStore->getPrimaryKeyViaIndex(&transaction1, databaseId, KeyPrefix::InvalidId, indexId, *m_key1, newPrimaryKey);
+    EXPECT_FALSE(ok);
 }
 
@@ -167 +245 @@
         EXPECT_EQ(databaseId, database.id);
 
-        m_backingStore->getObjectStores(database.id, &database.objectStores);
+        ok = m_backingStore->getObjectStores(database.id, &database.objectStores);
+        EXPECT_TRUE(ok);
 
         EXPECT_EQ(1, database.objectStores.size());

trunk/Source/WebKit/chromium/tests/IDBFakeBackingStore.h

@@ -42 +42 @@
     virtual bool createObjectStore(Transaction*, int64_t databaseId, int64_t objectStoreId, const String& name, const IDBKeyPath&, bool autoIncrement) OVERRIDE { return false; };
 
-    virtual void clearObjectStore(Transaction*, int64_t databaseId, int64_t objectStoreId) OVERRIDE { }
-    virtual void deleteRecord(Transaction*, int64_t databaseId, int64_t objectStoreId, const RecordIdentifier&) OVERRIDE { }
+    virtual bool clearObjectStore(Transaction*, int64_t databaseId, int64_t objectStoreId) OVERRIDE { return false; }
+    virtual bool deleteRecord(Transaction*, int64_t databaseId, int64_t objectStoreId, const RecordIdentifier&) OVERRIDE { return false; }
     virtual bool getKeyGeneratorCurrentNumber(Transaction*, int64_t databaseId, int64_t objectStoreId, int64_t& currentNumber) OVERRIDE { return true; }
     virtual bool maybeUpdateKeyGeneratorCurrentNumber(Transaction*, int64_t databaseId, int64_t objectStoreId, int64_t newNumber, bool checkCurrent) OVERRIDE { return true; }
@@ -49 +49 @@
 
     virtual bool createIndex(Transaction*, int64_t databaseId, int64_t objectStoreId, int64_t indexId, const String& name, const IDBKeyPath&, bool isUnique, bool isMultiEntry) OVERRIDE { return false; };
-    virtual void deleteIndex(Transaction*, int64_t databaseId, int64_t objectStoreId, int64_t indexId) OVERRIDE { }
-    virtual void putIndexDataForRecord(Transaction*, int64_t databaseId, int64_t objectStoreId, int64_t indexId, const IDBKey&, const RecordIdentifier&) OVERRIDE { }
+    virtual bool deleteIndex(Transaction*, int64_t databaseId, int64_t objectStoreId, int64_t indexId) OVERRIDE { return false; }
+    virtual bool putIndexDataForRecord(Transaction*, int64_t databaseId, int64_t objectStoreId, int64_t indexId, const IDBKey&, const RecordIdentifier&) OVERRIDE { return false; }
 
     virtual PassRefPtr<Cursor> openObjectStoreKeyCursor(Transaction*, int64_t databaseId, int64_t objectStoreId, const IDBKeyRange*, IndexedDB::CursorDirection) OVERRIDE { return PassRefPtr<Cursor>(); }

trunk/Source/WebKit/chromium/tests/IDBLevelDBCodingTest.cpp

@@ -102 +102 @@
     }
 }
-   
+
 TEST(IDBLevelDBCodingTest, EncodeBool)
 {
@@ -712 +712 @@
     keys.append(IndexDataKey::encode(1, 1, 31, minIDBKey(), minIDBKey(), 0));
     keys.append(IndexDataKey::encode(1, 2, 30, minIDBKey(), minIDBKey(), 0));
-    keys.append(IndexDataKey::encodeMaxKey(1, 2, INT32_MAX));
+    keys.append(IndexDataKey::encodeMaxKey(1, 2, INT32_MAX - 1));
 
     for (size_t i = 0; i < keys.size(); ++i) {