Context Navigation

← Previous Changeset
Next Changeset →

Changeset 258334 in webkit

Timestamp:

Mar 12, 2020 9:28:22 AM (4 years ago)

Author:

ddkilzer@apple.com

Message:

WebPasteboardProxy::SetPasteboardBufferForType should validate its size parameter
<https://webkit.org/b/208902>
<rdar://problem/60181117>

Reviewed by Chris Dumez.

Platform/IPC/Connection.h:

(MESSAGE_CHECK_BASE):

Define in terms of MESSAGE_CHECK_COMPLETION_BASE() with a no-op completion handler.

(MESSAGE_CHECK_COMPLETION_BASE):

Rename from MESSAGE_CHECK_BASE() and add completion handler parameter.

Platform/SharedMemory.h:

(WebKit::SharedMemory::Handle::size const): Add.

UIProcess/Cocoa/WebPasteboardProxyCocoa.mm:

(MESSAGE_CHECK):

Define macro to use in WebPasteboardProxy::setPasteboardBufferForType().
Undefine macro at end of source file due to unified sources.

(WebKit::WebPasteboardProxy::setPasteboardBufferForType):

Add IPC::Connection& parameter after change to WebPasteboardProxy.messages.in. Use with MESSAGE_CHECK().
Validate size parameter using MESSAGE_CHECK(). Because SharedMemory::Handle::size() returns a size_t value, we do not need to check size <= std::numeric_limits<size_t>::max().
Add static_cast<size_t>() to size parameter to denote type change.
UIProcess/WebPasteboardProxy.h:

(WebKit::WebPasteboardProxy::setPasteboardBufferForType):

Add IPC::Connection& parameter after change to WebPasteboardProxy.messages.in.
UIProcess/WebPasteboardProxy.messages.in:

(SetPasteboardBufferForType):

Add 'WantsConnection' attribute to add IPC::Connection& parameter to WebPasteboardProxy::setPasteboardBufferForType().

Location:

trunk/Source/WebKit

Files:

: 6 edited

ChangeLog (modified) (1 diff)
Platform/IPC/Connection.h (modified) (1 diff)
Platform/SharedMemory.h (modified) (1 diff)
UIProcess/Cocoa/WebPasteboardProxyCocoa.mm (modified) (5 diffs)
UIProcess/WebPasteboardProxy.h (modified) (1 diff)
UIProcess/WebPasteboardProxy.messages.in (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

trunk/Source/WebKit/ChangeLog

-                      r258329
+                      r258334
+-03-12  David Kilzer  <ddkilzer@apple.com>
+        WebPasteboardProxy::SetPasteboardBufferForType should validate its `size` parameter
+        <https://webkit.org/b/208902>
+        <rdar://problem/60181117>
+        Reviewed by Chris Dumez.
+        * Platform/IPC/Connection.h:
+        (MESSAGE_CHECK_BASE):
+        - Define in terms of MESSAGE_CHECK_COMPLETION_BASE() with a
+          no-op completion handler.
+        (MESSAGE_CHECK_COMPLETION_BASE):
+        - Rename from MESSAGE_CHECK_BASE() and add completion handler
+          parameter.
+        * Platform/SharedMemory.h:
+        (WebKit::SharedMemory::Handle::size const): Add.
+        * UIProcess/Cocoa/WebPasteboardProxyCocoa.mm:
+        (MESSAGE_CHECK):
+        - Define macro to use in
+          WebPasteboardProxy::setPasteboardBufferForType().
+        - Undefine macro at end of source file due to unified sources.
+        (WebKit::WebPasteboardProxy::setPasteboardBufferForType):
+        - Add IPC::Connection& parameter after change to
+          WebPasteboardProxy.messages.in.  Use with MESSAGE_CHECK().
+        - Validate `size` parameter using MESSAGE_CHECK().  Because
+          SharedMemory::Handle::size() returns a size_t value, we do not
+          need to check `size <= std::numeric_limits<size_t>::max()`.
+        - Add static_cast<size_t>() to size parameter to denote type
+          change.
+        * UIProcess/WebPasteboardProxy.h:
+        (WebKit::WebPasteboardProxy::setPasteboardBufferForType):
+        - Add IPC::Connection& parameter after change to
+          WebPasteboardProxy.messages.in.
+        * UIProcess/WebPasteboardProxy.messages.in:
+        (SetPasteboardBufferForType):
+        - Add 'WantsConnection' attribute to add IPC::Connection&
+          parameter to WebPasteboardProxy::setPasteboardBufferForType().
 -03-12  Youenn Fablet  <youenn@apple.com>

trunk/Source/WebKit/Platform/IPC/Connection.h

-                      r258201
+                      r258334
 };
+#define MESSAGE_CHECK_BASE(assertion, connection) do \
+#define MESSAGE_CHECK_BASE(assertion, connection) MESSAGE_CHECK_COMPLETION_BASE(assertion, connection, (void)0)
+#define MESSAGE_CHECK_COMPLETION_BASE(assertion, connection, completion) do \
     if (!(assertion)) { \
         ASSERT(assertion); \
         (connection)->markCurrentlyDispatchedMessageAsInvalid(); \
+        { completion; } \
         return; \
     } \

trunk/Source/WebKit/Platform/SharedMemory.h

-                      r251765
+                      r258334
         bool isNull() const;
+#if OS(DARWIN) || OS(WINDOWS)
+        size_t size() const { return m_size; }
+#endif
         void clear();

trunk/Source/WebKit/UIProcess/Cocoa/WebPasteboardProxyCocoa.mm

-                      r258240
+                      r258334
 #import "WebPasteboardProxy.h"
+#import "Connection.h"
 #import "SandboxExtension.h"
 #import "WebProcessProxy.h"
 …
 #import <WebCore/SharedBuffer.h>
 #import <wtf/URL.h>
+#define MESSAGE_CHECK(assertion, completion) MESSAGE_CHECK_COMPLETION_BASE(assertion, (&connection), completion)
 namespace WebKit {
 …
+}
 void WebPasteboardProxy::setPasteboardBufferForType(const String& pasteboardName, const String& pasteboardType, const SharedMemory::Handle& handle, uint64_t size, CompletionHandler<void(int64_t)>&& completionHandler)
+void WebPasteboardProxy::setPasteboardBufferForType(IPC::Connection& connection, const String& pasteboardName, const String& pasteboardType, const SharedMemory::Handle& handle, uint64_t size, CompletionHandler<void(int64_t)>&& completionHandler)
+{
     ASSERT(!pasteboardType.isNull());
 …
     if (handle.isNull())
         return completionHandler(PlatformPasteboard(pasteboardName).setBufferForType(nullptr, pasteboardType));
+    // SharedMemory::Handle::size() is rounded up to the nearest page.
+    MESSAGE_CHECK(size && size <= handle.size(), completionHandler(0));
     RefPtr<SharedMemory> sharedMemoryBuffer = SharedMemory::map(handle, SharedMemory::Protection::ReadOnly);
     if (!sharedMemoryBuffer)
         return completionHandler(0);
     auto buffer = SharedBuffer::create(static_cast<unsigned char *>(sharedMemoryBuffer->data()), size);
+    auto buffer = SharedBuffer::create(static_cast<unsigned char *>(sharedMemoryBuffer->data()), static_cast<size_t>(size));
     completionHandler(PlatformPasteboard(pasteboardName).setBufferForType(buffer.ptr(), pasteboardType));
+}
 …
 } // namespace WebKit
+#undef MESSAGE_CHECK

trunk/Source/WebKit/UIProcess/WebPasteboardProxy.h

r257145	r258334
93	93	void setPasteboardColor(const String&, const WebCore::Color&, CompletionHandler<void(int64_t)>&&);
94	94	void setPasteboardStringForType(const String& pasteboardName, const String& pasteboardType, const String&, CompletionHandler<void(int64_t)>&&);
95		void setPasteboardBufferForType(const String& pasteboardName, const String& pasteboardType, const SharedMemory::Handle&, uint64_t size, CompletionHandler<void(int64_t)>&&);
	95	void setPasteboardBufferForType(IPC::Connection&, const String& pasteboardName, const String& pasteboardType, const SharedMemory::Handle&, uint64_t size, CompletionHandler<void(int64_t)>&&);
96	96	#endif
97	97

trunk/Source/WebKit/UIProcess/WebPasteboardProxy.messages.in

r257145	r258334
56	56	SetPasteboardColor(String pasteboardName, WebCore::Color color) -> (int64_t changeCount) Synchronous
57	57	SetPasteboardStringForType(String pasteboardName, String pasteboardType, String string) -> (int64_t changeCount) Synchronous
58		SetPasteboardBufferForType(String pasteboardName, String pasteboardType, WebKit::SharedMemory::Handle handle, uint64_t size) -> (int64_t changeCount) Synchronous
	58	SetPasteboardBufferForType(String pasteboardName, String pasteboardType, WebKit::SharedMemory::Handle handle, uint64_t size) -> (int64_t changeCount) Synchronous WantsConnection
59	59	#endif
60	60

Note: See TracChangeset for help on using the changeset viewer.