Stop using reserveCapacity() / reserveInitialCapacity() in IPC decoders
https://bugs.webkit.org/show_bug.cgi?id=204930
<rdar://problem/57682737>
Reviewed by Ryosuke Niwa.
This is IPC hardening since the size we use to reserve the capacity is encoded over IPC
and cannot be trusted in some cases.
Source/WebCore:
* page/csp/ContentSecurityPolicyResponseHeaders.h:
(WebCore::ContentSecurityPolicyResponseHeaders::decode):
Source/WebKit:
* Platform/IPC/ArgumentCoders.h:
* Shared/WebCoreArgumentCoders.cpp:
(IPC::ArgumentCoder<Vector<RefPtr<SecurityOrigin>>>::decode):
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@253206 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
index 8f032262..4ebbf1c 100644
--- a/Source/WebCore/ChangeLog
+++ b/Source/WebCore/ChangeLog
@@ -1,3 +1,17 @@
+2019-12-05 Chris Dumez <cdumez@apple.com>
+
+ Stop using reserveCapacity() / reserveInitialCapacity() in IPC decoders
+ https://bugs.webkit.org/show_bug.cgi?id=204930
+ <rdar://problem/57682737>
+
+ Reviewed by Ryosuke Niwa.
+
+ This is IPC hardening since the size we use to reserve the capacity is encoded over IPC
+ and cannot be trusted in some cases.
+
+ * page/csp/ContentSecurityPolicyResponseHeaders.h:
+ (WebCore::ContentSecurityPolicyResponseHeaders::decode):
+
2019-12-06 Antti Koivisto <antti@apple.com>
[LFC][Integration] Wire line counting functions in RenderBlockFlow
diff --git a/Source/WebCore/page/csp/ContentSecurityPolicyResponseHeaders.h b/Source/WebCore/page/csp/ContentSecurityPolicyResponseHeaders.h
index 7d4eea7..5b369f4 100644
--- a/Source/WebCore/page/csp/ContentSecurityPolicyResponseHeaders.h
+++ b/Source/WebCore/page/csp/ContentSecurityPolicyResponseHeaders.h
@@ -74,7 +74,6 @@
uint64_t headersSize;
if (!decoder.decode(headersSize))
return false;
- headers.m_headers.reserveCapacity(static_cast<size_t>(headersSize));
for (size_t i = 0; i < headersSize; ++i) {
String header;
if (!decoder.decode(header))
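Review bot: The loop bound `headersSize` on the line after the removed reserveCapacity() is still an untrusted 64-bit value taken from the decoder, and nothing in the hunk caps it; the loop now terminates only because `decoder.decode(header)` fails once the message runs out of bytes, which is sound but not recorded anywhere. A one-line comment above the `for` would preserve that invariant against a future "optimization" that reintroduces pre-sizing, e.g. `// headersSize comes from the peer and is untrusted: never pre-size storage from it; the loop is bounded by the decoder running dry, not by this value.` The same comment belongs on the `hashMapSize` loop in ArgumentCoders.h and the `dataSize` loop in WebCoreArgumentCoders.cpp, which share the pattern. Note also that `i` is `size_t` while `headersSize` is `uint64_t`, so on a 32-bit build a value above SIZE_MAX can never be reached by `i`; that is harmless only because decode failure exits first, which is worth stating in the same comment. The decode function begins before this hunk and continues past it.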
@@ -84,6 +83,7 @@
return false;
headers.m_headers.append(std::make_pair(header, headerType));
}
+ headers.m_headers.shrinkToFit();
if (!decoder.decode(headers.m_httpStatusCode))
return false;
diff --git a/Source/WebKit/ChangeLog b/Source/WebKit/ChangeLog
index 9fa658d..282ed1b 100644
--- a/Source/WebKit/ChangeLog
+++ b/Source/WebKit/ChangeLog
@@ -1,3 +1,18 @@
+2019-12-05 Chris Dumez <cdumez@apple.com>
+
+ Stop using reserveCapacity() / reserveInitialCapacity() in IPC decoders
+ https://bugs.webkit.org/show_bug.cgi?id=204930
+ <rdar://problem/57682737>
+
+ Reviewed by Ryosuke Niwa.
+
+ This is IPC hardening since the size we use to reserve the capacity is encoded over IPC
+ and cannot be trusted in some cases.
+
+ * Platform/IPC/ArgumentCoders.h:
+ * Shared/WebCoreArgumentCoders.cpp:
+ (IPC::ArgumentCoder<Vector<RefPtr<SecurityOrigin>>>::decode):
+
2019-12-06 youenn fablet <youenn@apple.com>
Protect WebRTC network monitoring to wait forever in edge cases
diff --git a/Source/WebKit/Platform/IPC/ArgumentCoders.h b/Source/WebKit/Platform/IPC/ArgumentCoders.h
index f1ea1ec..fcf077f 100644
--- a/Source/WebKit/Platform/IPC/ArgumentCoders.h
+++ b/Source/WebKit/Platform/IPC/ArgumentCoders.h
@@ -378,7 +378,6 @@
return WTF::nullopt;
HashMapType hashMap;
- hashMap.reserveInitialCapacity(hashMapSize);
for (uint32_t i = 0; i < hashMapSize; ++i) {
Optional<KeyArg> key;
decoder >> key;
diff --git a/Source/WebKit/Shared/WebCoreArgumentCoders.cpp b/Source/WebKit/Shared/WebCoreArgumentCoders.cpp
index 7132e88..71423ef 100644
--- a/Source/WebKit/Shared/WebCoreArgumentCoders.cpp
+++ b/Source/WebKit/Shared/WebCoreArgumentCoders.cpp
@@ -3034,13 +3034,14 @@
if (!decoder.decode(dataSize))
return false;
- origins.reserveInitialCapacity(dataSize);
for (uint64_t i = 0; i < dataSize; ++i) {
auto decodedOriginRefPtr = SecurityOrigin::decode(decoder);
if (!decodedOriginRefPtr)
return false;
- origins.uncheckedAppend(decodedOriginRefPtr.releaseNonNull());
+ origins.append(decodedOriginRefPtr.releaseNonNull());
}
+ origins.shrinkToFit();
+
return true;
}