Make WebPasteboardProxy::didModifyContentsOfPasteboard robust when pasteboardName is null
https://bugs.webkit.org/show_bug.cgi?id=209848
<rdar://problem/61121810>
Reviewed by Megan Gardner and David Kilzer.
Add more IPC message checks in WebPasteboardProxy; see below for more detail.
* UIProcess/Cocoa/WebPasteboardProxyCocoa.mm:
Rename what is currently MESSAGE_CHECK to MESSAGE_CHECK_COMPLETION, and introduce two more message check macros:
MESSAGE_CHECK_WITH_RETURN_VALUE, which supports a return value, and MESSAGE_CHECK, which returns with no value.
(WebKit::WebPasteboardProxy::canAccessPasteboardData const):
Replace the early returns when pasteboardName is empty or when the web process for the given connection is null
with `MESSAGE_CHECK`s. When the web content process is well-behaved, these early returns should never be hit.
(WebKit::WebPasteboardProxy::didModifyContentsOfPasteboard):
Similarly, replace this early return with a message check, and additionally `MESSAGE_CHECK` when the pasteboard
name is empty. This addresses the main issue caught by this radar.
(WebKit::WebPasteboardProxy::setPasteboardBufferForType):
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@259346 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/Source/WebKit/ChangeLog b/Source/WebKit/ChangeLog
index c52e3ed..b4b9385 100644
--- a/Source/WebKit/ChangeLog
+++ b/Source/WebKit/ChangeLog
@@ -1,3 +1,30 @@
+2020-04-01 Wenson Hsieh <wenson_hsieh@apple.com>
+
+ Make WebPasteboardProxy::didModifyContentsOfPasteboard robust when pasteboardName is null
+ https://bugs.webkit.org/show_bug.cgi?id=209848
+ <rdar://problem/61121810>
+
+ Reviewed by Megan Gardner and David Kilzer.
+
+ Add more IPC message checks in WebPasteboardProxy; see below for more detail.
+
+ * UIProcess/Cocoa/WebPasteboardProxyCocoa.mm:
+
+ Rename what is currently MESSAGE_CHECK to MESSAGE_CHECK_COMPLETION, and introduce two more message check macros:
+ MESSAGE_CHECK_WITH_RETURN_VALUE, which supports a return value, and MESSAGE_CHECK, which returns with no value.
+
+ (WebKit::WebPasteboardProxy::canAccessPasteboardData const):
+
+ Replace the early returns when pasteboardName is empty or when the web process for the given connection is null
+ with `MESSAGE_CHECK`s. When the web content process is well-behaved, these early returns should never be hit.
+
+ (WebKit::WebPasteboardProxy::didModifyContentsOfPasteboard):
+
+ Similarly, replace this early return with a message check, and additionally `MESSAGE_CHECK` when the pasteboard
+ name is empty. This addresses the main issue caught by this radar.
+
+ (WebKit::WebPasteboardProxy::setPasteboardBufferForType):
+
2020-04-01 Victor M. Jaquez <vjaquez@igalia.com>
Bump libwebrtc to M82
diff --git a/Source/WebKit/UIProcess/Cocoa/WebPasteboardProxyCocoa.mm b/Source/WebKit/UIProcess/Cocoa/WebPasteboardProxyCocoa.mm
index 4e3aa88..d5eedef 100644
--- a/Source/WebKit/UIProcess/Cocoa/WebPasteboardProxyCocoa.mm
+++ b/Source/WebKit/UIProcess/Cocoa/WebPasteboardProxyCocoa.mm
@@ -38,7 +38,9 @@
#import <WebCore/SharedBuffer.h>
#import <wtf/URL.h>
-#define MESSAGE_CHECK(assertion, completion) MESSAGE_CHECK_COMPLETION_BASE(assertion, (&connection), completion)
+#define MESSAGE_CHECK(assertion) MESSAGE_CHECK_BASE(assertion, (&connection))
+#define MESSAGE_CHECK_WITH_RETURN_VALUE(assertion, returnValue) MESSAGE_CHECK_WITH_RETURN_VALUE_BASE(assertion, (&connection), returnValue)
+#define MESSAGE_CHECK_COMPLETION(assertion, completion) MESSAGE_CHECK_COMPLETION_BASE(assertion, (&connection), completion)
namespace WebKit {
using namespace WebCore;
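Review bot: All three macros expand with `(&connection)`, so they compile only inside a function that has something named `connection` in scope, and nothing at the definition site says so. A one-line comment above the block would make that requirement visible, for example `// These checks expect an IPC::Connection& named connection in the enclosing function.` Because `MESSAGE_CHECK` drops from two arguments to one, any leftover two-argument use will fail to compile rather than silently change meaning. The use in the last hunk of this file was converted to `MESSAGE_CHECK_COMPLETION`.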
@@ -73,14 +75,10 @@
bool WebPasteboardProxy::canAccessPasteboardData(IPC::Connection& connection, const String& pasteboardName) const
{
- if (pasteboardName.isEmpty()) {
- ASSERT_NOT_REACHED();
- return false;
- }
+ MESSAGE_CHECK_WITH_RETURN_VALUE(!pasteboardName.isEmpty(), false);
auto* process = webProcessProxyForConnection(connection);
- if (!process)
- return false;
+ MESSAGE_CHECK_WITH_RETURN_VALUE(process, false);
for (auto* page : process->pages()) {
auto& preferences = page->preferences();
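Review bot: `canAccessPasteboardData` is declared `const` and reads like a pure predicate, but after this change a `false` return can also mean that a message check failed on `connection`. That is worth a comment above the function, for example `// Returns false and fails the message check if the name is empty or no process matches connection.` The second check treats a null result from `webProcessProxyForConnection` as a sender error. If that lookup can also return null for a benign reason, such as a process that is already being torn down, the old plain `return false` would be the safer form there, so the assumption should be confirmed. The function body continues past the end of the hunk.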
@@ -106,9 +104,10 @@
void WebPasteboardProxy::didModifyContentsOfPasteboard(IPC::Connection& connection, const String& pasteboardName, int64_t previousChangeCount, int64_t newChangeCount)
{
+ MESSAGE_CHECK(!pasteboardName.isEmpty());
+
auto* process = webProcessProxyForConnection(connection);
- if (!process)
- return;
+ MESSAGE_CHECK(process);
auto changeCountAndProcesses = m_pasteboardNameToChangeCountAndProcessesMap.find(pasteboardName);
if (changeCountAndProcesses != m_pasteboardNameToChangeCountAndProcessesMap.end() && previousChangeCount == changeCountAndProcesses->value.first) {
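Review bot: The new first line is the guard that protects the `m_pasteboardNameToChangeCountAndProcessesMap.find(pasteboardName)` lookup further down, but no comment says so, and a later reorder could move the lookup above it. I would add `// pasteboardName is supplied by the web content process; reject an empty or null name before it is used as a map key.` directly above `MESSAGE_CHECK(!pasteboardName.isEmpty());`. `previousChangeCount` and `newChangeCount` come from the same sender and are used as given in the visible comparison. The rest of the body is outside the hunk, so whether they need their own validation cannot be judged from here.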
@@ -300,7 +299,7 @@
}
// SharedMemory::Handle::size() is rounded up to the nearest page.
- MESSAGE_CHECK(size <= handle.size(), completionHandler(0));
+ MESSAGE_CHECK_COMPLETION(size <= handle.size(), completionHandler(0));
RefPtr<SharedMemory> sharedMemoryBuffer = SharedMemory::map(handle, SharedMemory::Protection::ReadOnly);
if (!sharedMemoryBuffer)