Changeset 253206 in webkit


Timestamp:
Dec 6, 2019 8:06:12 AM (4 years ago)
Author:
Chris Dumez
Message:

Stop using reserveCapacity() / reserveInitialCapacity() in IPC decoders
https://bugs.webkit.org/show_bug.cgi?id=204930
<rdar://problem/57682737>

Reviewed by Ryosuke Niwa.

This is IPC hardening since the size we use to reserve the capacity is encoded over IPC
and cannot be trusted in some cases.

Source/WebCore:

  • page/csp/ContentSecurityPolicyResponseHeaders.h:

(WebCore::ContentSecurityPolicyResponseHeaders::decode):

Source/WebKit:

  • Platform/IPC/ArgumentCoders.h:
  • Shared/WebCoreArgumentCoders.cpp:

(IPC::ArgumentCoder<Vector<RefPtr<SecurityOrigin>>>::decode):

Location:
trunk/Source
Files:
5 edited

  • trunk/Source/WebCore/ChangeLog

    r253205 r253206  
     12019-12-05  Chris Dumez  <cdumez@apple.com>
     2
     3        Stop using reserveCapacity() / reserveInitialCapacity() in IPC decoders
     4        https://bugs.webkit.org/show_bug.cgi?id=204930
     5        <rdar://problem/57682737>
     6
     7        Reviewed by Ryosuke Niwa.
     8
     9        This is IPC hardening since the size we use to reserve the capacity is encoded over IPC
     10        and cannot be trusted in some cases.
     11
     12        * page/csp/ContentSecurityPolicyResponseHeaders.h:
     13        (WebCore::ContentSecurityPolicyResponseHeaders::decode):
     14
    1152019-12-06  Antti Koivisto  <antti@apple.com>
    216
  • trunk/Source/WebCore/page/csp/ContentSecurityPolicyResponseHeaders.h

    r231479 r253206  
    7575    if (!decoder.decode(headersSize))
    7676        return false;
    77     headers.m_headers.reserveCapacity(static_cast<size_t>(headersSize));
    7877    for (size_t i = 0; i < headersSize; ++i) {
    7978        String header;
     
    8584        headers.m_headers.append(std::make_pair(header, headerType));
    8685    }
     86    headers.m_headers.shrinkToFit();
    8787
    8888    if (!decoder.decode(headers.m_httpStatusCode))
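Review bot: the removed reserveCapacity(headersSize) at old line 77 was the attacker-reachable allocation, since headersSize comes straight from decoder.decode(headersSize) at line 75 and was used to size the buffer before a single header had been validated. With it gone, the loop at line 77 is still bounded only by that untrusted count, which is acceptable provided the elided body (lines 79 to 84) returns false as soon as decoding a header or headerType fails, so that an oversized count is cut short by the end of the message rather than spinning; worth confirming in review. The trailing headers.m_headers.shrinkToFit() at line 86 is a reasonable addition because append() grows the buffer geometrically and would otherwise leave slack.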
  • trunk/Source/WebKit/ChangeLog

    r253203 r253206  
     12019-12-05  Chris Dumez  <cdumez@apple.com>
     2
     3        Stop using reserveCapacity() / reserveInitialCapacity() in IPC decoders
     4        https://bugs.webkit.org/show_bug.cgi?id=204930
     5        <rdar://problem/57682737>
     6
     7        Reviewed by Ryosuke Niwa.
     8
     9        This is IPC hardening since the size we use to reserve the capacity is encoded over IPC
     10        and cannot be trusted in some cases.
     11
     12        * Platform/IPC/ArgumentCoders.h:
     13        * Shared/WebCoreArgumentCoders.cpp:
     14        (IPC::ArgumentCoder<Vector<RefPtr<SecurityOrigin>>>::decode):
     15
    1162019-12-06  youenn fablet  <youenn@apple.com>
    217
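Review bot: the "* Platform/IPC/ArgumentCoders.h:" entry at line 12 names no function, unlike the other two entries in this ChangeLog and the WebCore one; listing the HashMap decode method that lost its reserveInitialCapacity() call would keep the entry consistent and make the change easier to find later.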
  • trunk/Source/WebKit/Platform/IPC/ArgumentCoders.h

    r250673 r253206  
    379379
    380380        HashMapType hashMap;
    381         hashMap.reserveInitialCapacity(hashMapSize);
    382381        for (uint32_t i = 0; i < hashMapSize; ++i) {
    383382            Optional<KeyArg> key;
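Review bot: no shrinkToFit()-style trim follows the loop here, unlike the two Vector decoders in this changeset, but that is fine: HashMap grows by rehashing on insert, so dropping the reserveInitialCapacity(hashMapSize) call at old line 381 leaves no over-reservation to reclaim. The remaining exposure is the loop bound hashMapSize at line 382, which per the commit message is decoded from IPC; each iteration must bail out the moment the Optional<KeyArg> key (line 383) or its value fails to decode, otherwise a bogus count still controls how long the loop runs.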
  • trunk/Source/WebKit/Shared/WebCoreArgumentCoders.cpp

    r252641 r253206  
    30353035        return false;
    30363036
    3037     origins.reserveInitialCapacity(dataSize);
    30383037    for (uint64_t i = 0; i < dataSize; ++i) {
    30393038        auto decodedOriginRefPtr = SecurityOrigin::decode(decoder);
    30403039        if (!decodedOriginRefPtr)
    30413040            return false;
    3042         origins.uncheckedAppend(decodedOriginRefPtr.releaseNonNull());
    3043     }
     3041        origins.append(decodedOriginRefPtr.releaseNonNull());
     3042    }
     3043    origins.shrinkToFit();
     3044
    30443045    return true;
    30453046}
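Review bot: the uncheckedAppend to append swap at line 3041 is load-bearing, not cosmetic. uncheckedAppend() assumes capacity was already reserved and, with reserveInitialCapacity(dataSize) removed at old line 3037, would write past the end of the buffer; anyone restoring uncheckedAppend here later must also restore the reservation. The loop at line 3037 remains bounded by the IPC-supplied uint64_t dataSize, which is only safe because SecurityOrigin::decode(decoder) failing returns false at 3039, so an inflated count ends with the message rather than with exhausted memory; origins.shrinkToFit() at 3043 then releases the growth slack that append() leaves behind.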