Changeset 258486 in webkit
Timestamp: Mar 15, 2020 7:58:01 PM
Location: trunk
Files: 4 edited
trunk/Source/WebCore/ChangeLog
r258482 r258486 1 2020-03-15 Fujii Hironori <Hironori.Fujii@sony.com> 2 3 KeyedDecoderGeneric fails to allocate Vector while decoding broken data 4 https://bugs.webkit.org/show_bug.cgi?id=207324 5 6 Reviewed by Darin Adler. 7 8 There were three crash bugs in it. 9 10 KeyedDecoderGeneric was trying to allocate a buffer without 11 ensuring the size wouldn't exceed the decoding data size by using 12 bufferIsLargeEnoughToContain. 13 14 It was trying to push an itme into the top dictionary of emtpy 15 m_dictionaryStack when EndObject tag would appear without the 16 preceding BeginObject tag. 17 18 It was trying to push an item into the top array of empty 19 m_arrayStack when EndArray tag would appear without the preceding 20 BeginArray tag. 21 22 Tests: TestWebKitAPI: KeyedCoding.DecodeRandomData 23 24 * platform/generic/KeyedDecoderGeneric.cpp: 25 (WebCore::readString): 26 (WebCore::KeyedDecoderGeneric::KeyedDecoderGeneric): 27 Check bufferIsLargeEnoughToContain(size) before allocating a Vector with size. 28 Check if m_dictionaryStack and m_arrayStack are empty. 29 1 30 2020-03-15 Chris Dumez <cdumez@apple.com> 2 31 -
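Review bot: the ChangeLog entry has two typos in the description of the second bug, "itme" for "item" and "emtpy" for "empty"; worth fixing before landing, since the ChangeLog is the permanent record of the change. The title "fails to allocate Vector while decoding broken data" also covers only the first of the three crashes listed; the other two are stack underflows on an EndObject or EndArray tag without its matching Begin tag, so a title along the lines of "KeyedDecoderGeneric crashes while decoding broken data" would describe the whole patch.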
trunk/Source/WebCore/platform/generic/KeyedDecoderGeneric.cpp
r254971 r258486 59 59 } 60 60 61 if (!decoder.bufferIsLargeEnoughToContain<uint8_t>(size)) 62 return false; 61 63 Vector<uint8_t> buffer(size); 62 64 if (!decoder.decodeFixedLengthData(buffer.data(), size)) … … 109 111 if (!ok) 110 112 break; 113 ok = decoder.bufferIsLargeEnoughToContain<uint8_t>(size); 114 if (!ok) 115 break; 111 116 Vector<uint8_t> buffer(size); 112 117 ok = decoder.decodeFixedLengthData(buffer.data(), size); … … 160 165 case KeyedEncoderGeneric::Type::EndObject: 161 166 m_dictionaryStack.removeLast(); 167 if (m_dictionaryStack.isEmpty()) 168 ok = false; 162 169 break; 163 170 case KeyedEncoderGeneric::Type::BeginArray: { … … 171 178 } 172 179 case KeyedEncoderGeneric::Type::BeginArrayElement: { 180 ok = !m_arrayStack.isEmpty(); 181 if (!ok) 182 break; 173 183 auto newDictionary = makeUnique<Dictionary>(); 174 184 m_dictionaryStack.append(newDictionary.get()); … … 178 188 case KeyedEncoderGeneric::Type::EndArrayElement: 179 189 m_dictionaryStack.removeLast(); 190 if (m_dictionaryStack.isEmpty()) 191 ok = false; 180 192 break; 181 193 case KeyedEncoderGeneric::Type::EndArray: 194 ok = !m_arrayStack.isEmpty(); 195 if (!ok) 196 break; 182 197 m_arrayStack.removeLast(); 183 198 break; -
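Review bot: the two bufferIsLargeEnoughToContain<uint8_t>(size) checks (before `Vector<uint8_t> buffer(size);` in readString at lines 61-62 and in the constructor at lines 113-115) are the right guard: `size` is an integer read from the untrusted stream, and without the check the allocation is bounded only by that value, so a corrupt length field could request gigabytes before decodeFixedLengthData ever gets a chance to fail. The same three-line sequence (size check, allocate, decodeFixedLengthData) now appears twice; a small helper that performs all three steps would keep a future call site from reintroducing the unchecked allocation.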
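Review bot: in the EndObject (lines 166-168) and EndArrayElement (lines 189-191) cases the emptiness check runs after `m_dictionaryStack.removeLast();`, so it only rejects the input once the last dictionary has already been popped and relies on the stack being non-empty on entry; that holds only if the enclosing loop stops as soon as `ok` is false, as the existing `if (!ok) break;` pattern implies, because removeLast on an empty Vector would itself be the crash. The EndArray case (lines 194-196) checks `!m_arrayStack.isEmpty()` before its pop, and BeginArrayElement (lines 180-182) likewise checks before use. Checking `m_dictionaryStack.size() > 1` before removeLast in the two dictionary cases would make the root-dictionary invariant explicit and match the check-then-pop style used for the array stack.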
trunk/Tools/ChangeLog
r258478 r258486 1 2020-03-15 Fujii Hironori <Hironori.Fujii@sony.com> 2 3 KeyedDecoderGeneric fails to allocate Vector while decoding broken data 4 https://bugs.webkit.org/show_bug.cgi?id=207324 5 6 Reviewed by Darin Adler. 7 8 * TestWebKitAPI/Tests/WebCore/KeyedCoding.cpp: 9 (TestWebKitAPI::generateRandomData): Added. 10 (TestWebKitAPI::KeyedCoding.DecodeRandomData): Added a new test decoding random data. 11 1 12 2020-03-15 Yusuke Suzuki <ysuzuki@apple.com> 2 13 -
trunk/Tools/TestWebKitAPI/Tests/WebCore/KeyedCoding.cpp
r254971 r258486 29 29 #include <WebCore/SharedBuffer.h> 30 30 #include <cstdint> 31 #include <cstdlib> 31 32 #include <wtf/text/WTFString.h> 32 33 … … 291 292 EXPECT_EQ(false, boolValue); 292 293 } 293 } 294 295 static Vector<uint8_t> generateRandomData() 296 { 297 Vector<uint8_t> data; 298 for (auto i = 0; i < 256; ++i) 299 data.append(std::rand() / (RAND_MAX + 1.0) * std::numeric_limits<uint8_t>::max()); 300 return data; 301 } 302 303 TEST(KeyedCoding, DecodeRandomData) 304 { 305 std::srand(0); 306 for (auto i = 0; i < 10; ++i) { 307 auto data = generateRandomData(); 308 // Don't crash. 309 WebCore::KeyedDecoder::decoder(data.data(), data.size()); 310 } 311 } 312 313 }
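Review bot: `std::numeric_limits<uint8_t>::max()` in generateRandomData needs `<limits>`, but the hunk only adds `<cstdlib>`; it probably compiles through a transitive include, and the explicit header belongs next to `<cstdint>`. Two smaller points on the test itself: std::srand(0) followed by std::rand() gives an implementation-defined sequence, so the ten 256-byte inputs differ between platforms and the test is not a reproducible regression test for the three crashes described in the ChangeLog; and `std::rand() / (RAND_MAX + 1.0) * 255` truncates to the range 0..254, so the value 255 is never generated. A fixed byte sequence for each bug (an EndObject tag with no preceding BeginObject, an EndArray tag with no preceding BeginArray, and a string whose length field exceeds the remaining data), kept alongside the random loop, would pin each fix deterministically.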