Changeset 258614 in webkit

Timestamp:

Mar 17, 2020 5:29:42 PM (4 years ago)

Author:

Fujii Hironori

Message:

SerializedScriptValue::decode should check bufferIsLargeEnoughToContain before allocating a buffer
​https://bugs.webkit.org/show_bug.cgi?id=209132

Reviewed by Darin Adler.

• bindings/js/SerializedScriptValue.h:

(WebCore::SerializedScriptValue::decode): Added bufferIsLargeEnoughToContain check.
Added a null check for Gigacage::tryMalloc.

Location:

trunk/Source/WebCore

Files:

• ChangeLog (modified) (1 diff)
• bindings/js/SerializedScriptValue.h (modified) (1 diff)

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2020-03-17  Fujii Hironori  <Hironori.Fujii@sony.com>
+
+        SerializedScriptValue::decode should check bufferIsLargeEnoughToContain before allocating a buffer
+        https://bugs.webkit.org/show_bug.cgi?id=209132
+
+        Reviewed by Darin Adler.
+
+        * bindings/js/SerializedScriptValue.h:
+        (WebCore::SerializedScriptValue::decode): Added bufferIsLargeEnoughToContain check.
+        Added a null check for Gigacage::tryMalloc.
+
 2020-03-17  Chris Fleizach  <cfleizach@apple.com>
 

trunk/Source/WebCore/bindings/js/SerializedScriptValue.h

@@ -180 +180 @@
         if (!decoder.decode(bufferSize))
             return nullptr;
+        if (!decoder.template bufferIsLargeEnoughToContain<uint8_t>(bufferSize))
+            return nullptr;
 
         auto buffer = Gigacage::tryMalloc(Gigacage::Primitive, bufferSize);
+        if (!buffer)
+            return nullptr;
         if (!decoder.decodeFixedLengthData(static_cast<uint8_t*>(buffer), bufferSize, 1)) {
             Gigacage::free(Gigacage::Primitive, buffer);