Changeset 64875 in webkit


Timestamp: Aug 6, 2010 3:39:28 PM
Author: andersca@apple.com
Message:

Don't try to allocate a vector unless we know the buffer can contain it
https://bugs.webkit.org/show_bug.cgi?id=43647

Reviewed by Sam Weinig.

  • Platform/CoreIPC/ArgumentCoders.h:
    (CoreIPC::):
    Check that the argument decoder buffer actually can hold all the vector elements.

  • Platform/CoreIPC/ArgumentDecoder.cpp:
    (CoreIPC::ArgumentDecoder::bufferIsLargeEnoughtToContain):
    Align the current position to the given alignment, add the size and check if the position is
    past the end of the buffer.

  • Platform/CoreIPC/ArgumentDecoder.h:
    (CoreIPC::ArgumentDecoder::bufferIsLargeEnoughtToContain):
    Get the size and alignment and call the other bufferIsLargeEnoughtToContain overload.
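The check the message describes, as an added C++ example that is not WebKit code: a constructed Decoder with the two bufferIsLargeEnoughToContain overloads, written so that neither the alignment-plus-size addition nor the numElements * sizeof(T) multiplication can wrap, plus a sample 64-byte buffer to exercise it. The names Decoder, sampleFits and kSampleBuffer, the size_t alignment parameter, and the use of alignof in place of __alignof are assumptions.

```cpp
#include <cstddef>
#include <cstdint>
#include <limits>

// Constructed stand-in for the patch's ArgumentDecoder (not WebKit code).
class Decoder {
public:
    Decoder(const uint8_t* begin, const uint8_t* end) : m_bufferPos(begin), m_bufferEnd(end) {}

    // Non-template overload: align the position, then compare 'size' against the
    // bytes that remain, so a huge 'size' cannot wrap the pointer past m_bufferEnd.
    bool bufferIsLargeEnoughToContain(size_t alignment, size_t size) const {
        const uint8_t* aligned = roundUpToAlignment(m_bufferPos, alignment);
        if (aligned < m_bufferPos || aligned > m_bufferEnd)
            return false;  // alignment itself ran off the end (or wrapped)
        return size <= static_cast<size_t>(m_bufferEnd - aligned);
    }

    // Template overload: reject counts whose byte size would overflow size_t
    // before multiplying, then defer to the byte-based check.
    template<typename T>
    bool bufferIsLargeEnoughToContain(size_t numElements) const {
        if (numElements > std::numeric_limits<size_t>::max() / sizeof(T))
            return false;
        return bufferIsLargeEnoughToContain(alignof(T), numElements * sizeof(T));
    }

private:
    // Round a pointer up to 'alignment', assumed to be a power of two.
    static const uint8_t* roundUpToAlignment(const uint8_t* p, size_t alignment) {
        uintptr_t mask = alignment - 1;
        return reinterpret_cast<const uint8_t*>((reinterpret_cast<uintptr_t>(p) + mask) & ~mask);
    }

    const uint8_t* m_bufferPos;
    const uint8_t* m_bufferEnd;
};

// Constructed 64-byte sample buffer (not a real message) for exercising the check.
alignas(8) static const uint8_t kSampleBuffer[64] = {};

// Start decoding 'offset' bytes into the sample buffer and ask, as the vector
// decoder in the patch does before reserveCapacity(), whether 'count' Ts fit.
template<typename T>
bool sampleFits(size_t offset, size_t count) {
    Decoder d(kSampleBuffer + offset, kSampleBuffer + sizeof(kSampleBuffer));
    return d.bufferIsLargeEnoughToContain<T>(count);
}
```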

Location: trunk/WebKit2
Files: 4 edited

  • trunk/WebKit2/ChangeLog

    r64871 r64875  
     12010-08-06  Anders Carlsson  <andersca@apple.com>
     2
     3        Reviewed by Sam Weinig.
     4
     5        Don't try to allocate a vector unless we know the buffer can contain it
     6        https://bugs.webkit.org/show_bug.cgi?id=43647
     7
     8        * Platform/CoreIPC/ArgumentCoders.h:
     9        (CoreIPC::):
     10        Check that the argument decoder buffer actually can hold all the vector elements.
     11
     12        * Platform/CoreIPC/ArgumentDecoder.cpp:
     13        (CoreIPC::ArgumentDecoder::bufferIsLargeEnoughtToContain):
     14        Align the current position to the given alignment, add the size and check if the position is
     15        past the end of the buffer.
     16
     17        * Platform/CoreIPC/ArgumentDecoder.h:
     18        (CoreIPC::ArgumentDecoder::bufferIsLargeEnoughtToContain):
     19        Get the size and alignment and call the other bufferIsLargeEnoughtToContain overload.
     20
    1212010-08-06  Anders Carlsson  <andersca@apple.com>
    222
  • trunk/WebKit2/Platform/CoreIPC/ArgumentCoders.h

    r61720 r64875  
    6060            return false;
    6161
     62        // Before allocating the cector, make sure that the decoder buffer is big enough.
     63        if (!decoder->bufferIsLargeEnoughtToContain<T>(size)) {
     64            decoder->markInvalid();
     65            return false;
     66        }
     67
    6268        Vector<T> tmp;
    6369        tmp.reserveCapacity(size);
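Review bot: typo in the new comment on line 62, "cector" should be "vector". The placement of the check is right: bufferIsLargeEnoughtToContain<T>(size) runs before tmp.reserveCapacity(size), so a message that claims more elements than the buffer holds is rejected with markInvalid() instead of reserving memory for a count the buffer cannot deliver.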
  • trunk/WebKit2/Platform/CoreIPC/ArgumentDecoder.cpp

    r64871 r64875  
    7878}
    7979
     80bool ArgumentDecoder::bufferIsLargeEnoughtToContain(unsigned alignment, size_t size) const
     81{
     82    return roundUpToAlignment(m_bufferPos, alignment) + size <= m_bufferEnd;
     83}
     84
    8085bool ArgumentDecoder::decodeBytes(Vector<uint8_t>& buffer)
    8186{
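Review bot: the comparison on line 82 adds `size` to the aligned position before comparing with m_bufferEnd, so a very large decoded `size` can wrap the sum to a value below m_bufferEnd and the function would report that the buffer is large enough. Safer to check the aligned position against m_bufferEnd first and then compare `size` with the remaining length, e.g. `aligned <= m_bufferEnd && size <= m_bufferEnd - aligned`; the first half also covers the case where rounding up for alignment alone runs past the end.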
  • trunk/WebKit2/Platform/CoreIPC/ArgumentDecoder.h

    r64871 r64875  
    5656    bool decodeDouble(double&);
    5757
     58    template<typename T>
     59    bool bufferIsLargeEnoughtToContain(size_t numElements) const
     60    {
     61        return bufferIsLargeEnoughtToContain(__alignof(T), numElements * sizeof(T));
     62    }
     63
    5864    // Generic type decode function.
    5965    template<typename T> bool decode(T& t)
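Review bot: `numElements * sizeof(T)` on line 61 is unchecked, so a numElements near SIZE_MAX / sizeof(T) wraps to a small byte count that passes the non-template overload even though the element count itself is absurd. Suggest rejecting when `numElements > std::numeric_limits<size_t>::max() / sizeof(T)` before multiplying, since numElements is the attacker-influenced value the whole check exists to constrain.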
     
    8086
    8187    bool alignBufferPosition(unsigned alignment, size_t size);
     88    bool bufferIsLargeEnoughtToContain(unsigned alignment, size_t size) const;
    8289
    8390    uint64_t m_destinationID;
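Review bot: the name `bufferIsLargeEnoughtToContain` declared on line 88 (and its template overload above) misspells "Enough" as "Enought"; both overloads and the only caller in ArgumentCoders.h are introduced in this changeset, so renaming now costs nothing.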