Context Navigation

Changeset 275501 in webkit

Timestamp:

Apr 6, 2021 3:01:28 AM (3 years ago)

Author:

rniwa@webkit.org

Message:

IPC::decodeObject null dereference in decodeArrayInternal()
https://bugs.webkit.org/show_bug.cgi?id=224214

Patch by Ian Gilbert <iang@apple.com> on 2021-04-06
Reviewed by Ryosuke Niwa.

Add null pointer check to decodeArrayInternal.

Source/WebKit:

Test: ipc/decode-object-array-crash.html

(IPC::decodeArrayInternal):

LayoutTests:

Location:

trunk

Files:

-                      r275499
+                      r275501
+-04-06  Ian Gilbert  <iang@apple.com>
+        IPC::decodeObject null dereference in decodeArrayInternal()
+        https://bugs.webkit.org/show_bug.cgi?id=224214
+        Reviewed by Ryosuke Niwa.
+        Add null pointer check to decodeArrayInternal.
+        * ipc/decode-object-array-crash-expected.txt: Added.
+        * ipc/decode-object-array-crash.html: Added.
 -04-06  Ryosuke Niwa  <rniwa@webkit.org>

-                      r275492
+                      r275501
+-04-06  Ian Gilbert  <iang@apple.com>
+        IPC::decodeObject null dereference in decodeArrayInternal()
+        https://bugs.webkit.org/show_bug.cgi?id=224214
+        Reviewed by Ryosuke Niwa.
+        Add null pointer check to decodeArrayInternal.
+        Test: ipc/decode-object-array-crash.html
+        * Shared/Cocoa/ArgumentCodersCocoa.mm:
+        (IPC::decodeArrayInternal):
 -04-05  Jiewen Tan  <jiewen_tan@apple.com>

r274191	r275501
265	265	for (uint64_t i = 0; i < size; ++i) {
266	266	auto value = decodeObject(decoder, allowedClasses);
267		if (!value)
	267	if (!value \|\| !value.value())
268	268	return WTF::nullopt;
269	269	[array addObject:value.value().get()];

Note: See TracChangeset for help on using the changeset viewer.