IPC hardening for WebPasteboardProxy::SetPasteboardBufferForType message
https://bugs.webkit.org/show_bug.cgi?id=206381
Reviewed by Anders Carlsson.
IPC hardening for WebPasteboardProxy::SetPasteboardBufferForType message. Make sure that the Strings passed over IPC are not
null and that the SharedBuffer returned by SharedBuffer::map() is not null.
* UIProcess/Cocoa/WebPasteboardProxyCocoa.mm:
(WebKit::WebPasteboardProxy::setPasteboardBufferForType):
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@254745 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/Source/WebKit/ChangeLog b/Source/WebKit/ChangeLog
index 2c71348..1abcfba 100644
--- a/Source/WebKit/ChangeLog
+++ b/Source/WebKit/ChangeLog
@@ -1,3 +1,16 @@
+2020-01-17 Chris Dumez <cdumez@apple.com>
+
+ IPC hardening for WebPasteboardProxy::SetPasteboardBufferForType message
+ https://bugs.webkit.org/show_bug.cgi?id=206381
+
+ Reviewed by Anders Carlsson.
+
+ IPC hardening for WebPasteboardProxy::SetPasteboardBufferForType message. Make sure that the Strings passed over IPC are not
+ null and that the SharedBuffer returned by SharedBuffer::map() is not null.
+
+ * UIProcess/Cocoa/WebPasteboardProxyCocoa.mm:
+ (WebKit::WebPasteboardProxy::setPasteboardBufferForType):
+
2020-01-17 Carlos Garcia Campos <cgarcia@igalia.com>
[GTK][WPE] Composition underline color is not applied
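Review bot: The description in the added entry names the wrong type: it says the check is on "the SharedBuffer returned by SharedBuffer::map()", while the code change in WebPasteboardProxyCocoa.mm null-checks the RefPtr<SharedMemory> returned by SharedMemory::map(). Suggest rewording to "the SharedMemory returned by SharedMemory::map()" so the ChangeLog matches the code. The entry could also state what the handler replies when it rejects the input (completionHandler(0)), since that is the behavior callers will observe.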
diff --git a/Source/WebKit/UIProcess/Cocoa/WebPasteboardProxyCocoa.mm b/Source/WebKit/UIProcess/Cocoa/WebPasteboardProxyCocoa.mm
index 4eff4d8..86c0e18 100644
--- a/Source/WebKit/UIProcess/Cocoa/WebPasteboardProxyCocoa.mm
+++ b/Source/WebKit/UIProcess/Cocoa/WebPasteboardProxyCocoa.mm
@@ -158,9 +158,13 @@
void WebPasteboardProxy::setPasteboardBufferForType(const String& pasteboardName, const String& pasteboardType, const SharedMemory::Handle& handle, uint64_t size, CompletionHandler<void(int64_t)>&& completionHandler)
{
+ if (pasteboardName.isNull() || pasteboardType.isNull())
+ return completionHandler(0);
if (handle.isNull())
return completionHandler(PlatformPasteboard(pasteboardName).setBufferForType(0, pasteboardType));
RefPtr<SharedMemory> sharedMemoryBuffer = SharedMemory::map(handle, SharedMemory::Protection::ReadOnly);
+ if (!sharedMemoryBuffer)
+ return completionHandler(0);
auto buffer = SharedBuffer::create(static_cast<unsigned char *>(sharedMemoryBuffer->data()), size);
completionHandler(PlatformPasteboard(pasteboardName).setBufferForType(buffer.ptr(), pasteboardType));
}
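Review bot: The size argument is still trusted at `SharedBuffer::create(static_cast<unsigned char *>(sharedMemoryBuffer->data()), size)`. It arrives over IPC as a separate uint64_t and is never compared against the length of the region that was just mapped, so a stated size larger than the mapping would make the UI process read past the end of it. Suggest rejecting the message when size exceeds the mapped region's size, placed directly after the new `if (!sharedMemoryBuffer)` check. Separately, both new early returns reply with completionHandler(0) and continue quietly; if a null String or an unmappable handle can only come from a misbehaving sender, consider flagging the connection as invalid instead of answering as if the call had run.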