IPC hardening for WebPasteboardProxy::SetPasteboardBufferForType message https://bugs.webkit.org/show_bug.cgi?id=206381 Reviewed by Anders Carlsson. IPC hardening for WebPasteboardProxy::SetPasteboardBufferForType message. Make sure that the Strings passed over IPC are not null and that the SharedBuffer returned by SharedBuffer::map() is not null. * UIProcess/Cocoa/WebPasteboardProxyCocoa.mm: (WebKit::WebPasteboardProxy::setPasteboardBufferForType): git-svn-id: http://svn.webkit.org/repository/webkit/trunk@254745 268f45cc-cd09-0410-ab3c-d52691b4dbfc

commit: 45f8a35257b644c061636b95263bf1ab0e6f8aa3 [log] [tgz]
author: cdumez@apple.com <cdumez@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc> Fri Jan 17 15:56:30 2020 +0000
committer: cdumez@apple.com <cdumez@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc> Fri Jan 17 15:56:30 2020 +0000
tree: f4483c69e99cbb2bea700ab91f375399fa891712
parent: 44ffad340a8a8c11be9c9de6d0da07fa2fdd6a78 [diff]
diff --git a/Source/WebKit/ChangeLog b/Source/WebKit/ChangeLog
index 2c71348..1abcfba 100644
--- a/Source/WebKit/ChangeLog
+++ b/Source/WebKit/ChangeLog

@@ -1,3 +1,16 @@
+2020-01-17  Chris Dumez  <cdumez@apple.com>
+
+        IPC hardening for WebPasteboardProxy::SetPasteboardBufferForType message
+        https://bugs.webkit.org/show_bug.cgi?id=206381
+
+        Reviewed by Anders Carlsson.
+
+        IPC hardening for WebPasteboardProxy::SetPasteboardBufferForType message. Make sure that the Strings passed over IPC are not
+        null and that the SharedBuffer returned by SharedBuffer::map() is not null.
+
+        * UIProcess/Cocoa/WebPasteboardProxyCocoa.mm:
+        (WebKit::WebPasteboardProxy::setPasteboardBufferForType):
+
 2020-01-17  Carlos Garcia Campos  <cgarcia@igalia.com>
 
         [GTK][WPE] Composition underline color is not applied

diff --git a/Source/WebKit/UIProcess/Cocoa/WebPasteboardProxyCocoa.mm b/Source/WebKit/UIProcess/Cocoa/WebPasteboardProxyCocoa.mm
index 4eff4d8..86c0e18 100644
--- a/Source/WebKit/UIProcess/Cocoa/WebPasteboardProxyCocoa.mm
+++ b/Source/WebKit/UIProcess/Cocoa/WebPasteboardProxyCocoa.mm

@@ -158,9 +158,13 @@
 
 void WebPasteboardProxy::setPasteboardBufferForType(const String& pasteboardName, const String& pasteboardType, const SharedMemory::Handle& handle, uint64_t size, CompletionHandler<void(int64_t)>&& completionHandler)
 {
+    if (pasteboardName.isNull() || pasteboardType.isNull())
+        return completionHandler(0);
     if (handle.isNull())
         return completionHandler(PlatformPasteboard(pasteboardName).setBufferForType(0, pasteboardType));
     RefPtr<SharedMemory> sharedMemoryBuffer = SharedMemory::map(handle, SharedMemory::Protection::ReadOnly);
+    if (!sharedMemoryBuffer)
+        return completionHandler(0);
     auto buffer = SharedBuffer::create(static_cast<unsigned char *>(sharedMemoryBuffer->data()), size);
     completionHandler(PlatformPasteboard(pasteboardName).setBufferForType(buffer.ptr(), pasteboardType));
 }
commit	45f8a35257b644c061636b95263bf1ab0e6f8aa3	[log] [tgz]
author	cdumez@apple.com <cdumez@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>	Fri Jan 17 15:56:30 2020 +0000
committer	cdumez@apple.com <cdumez@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>	Fri Jan 17 15:56:30 2020 +0000
tree	f4483c69e99cbb2bea700ab91f375399fa891712
parent	44ffad340a8a8c11be9c9de6d0da07fa2fdd6a78 [diff]