[IPC] Fail BackForwardItemIdentifier decoding if the decoded integer is not a valid ID
https://bugs.webkit.org/show_bug.cgi?id=204920
<rdar://problem/57677453>

Reviewed by Ryosuke Niwa.

Source/WebCore:

* history/BackForwardItemIdentifier.h:
(WebCore::BackForwardItemIdentifier::decode):

Source/WebKit:

* UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::willGoToBackForwardListItem):
(WebKit::WebPageProxy::backForwardGoToItemShared):
* UIProcess/WebProcessProxy.cpp:
(WebKit::WebProcessProxy::updateBackForwardItem):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@253181 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
index 8ac26df..7670d4e 100644
--- a/Source/WebCore/ChangeLog
+++ b/Source/WebCore/ChangeLog
@@ -1,3 +1,14 @@
+2019-12-05  Chris Dumez  <cdumez@apple.com>
+
+        [IPC] Fail BackForwardItemIdentifier decoding if the decoded integer is not a valid ID
+        https://bugs.webkit.org/show_bug.cgi?id=204920
+        <rdar://problem/57677453>
+
+        Reviewed by Ryosuke Niwa.
+
+        * history/BackForwardItemIdentifier.h:
+        (WebCore::BackForwardItemIdentifier::decode):
+
 2019-12-05  Sihui Liu  <sihui_liu@apple.com>
 
         Move InProcessIDBServer to WebKitLegacy
diff --git a/Source/WebCore/history/BackForwardItemIdentifier.h b/Source/WebCore/history/BackForwardItemIdentifier.h
index 31cfbe1..547491c 100644
--- a/Source/WebCore/history/BackForwardItemIdentifier.h
+++ b/Source/WebCore/history/BackForwardItemIdentifier.h
@@ -90,7 +90,10 @@
     if (!itemIdentifier)
         return WTF::nullopt;
 
-    return { { WTFMove(*processIdentifier), WTFMove(*itemIdentifier) } };
+    BackForwardItemIdentifier result = { WTFMove(*processIdentifier), WTFMove(*itemIdentifier) };
+    if (!result.isValid())
+        return WTF::nullopt;
+    return result;
 }
 
 inline unsigned BackForwardItemIdentifier::hash() const
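Review bot: The new `if (!result.isValid())` check is now the single point that rejects malformed identifiers for every receiver that lost its MESSAGE_CHECK in this commit, so that responsibility should be stated on the line itself, e.g. `// Reject identifiers no real item could carry; IPC receivers rely on decode() for this instead of a per-message MESSAGE_CHECK.` Returning WTF::nullopt presumably makes the enclosing IPC decoder fail and the message be treated as invalid by the receiving side, but that behaviour is not visible in this hunk and is worth confirming against the decoder's contract. A small style point: `BackForwardItemIdentifier result { WTFMove(*processIdentifier), WTFMove(*itemIdentifier) };` (direct brace-init) would match the surrounding code better than copy-list-initialization. The decode function itself begins above the hunk.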
diff --git a/Source/WebKit/ChangeLog b/Source/WebKit/ChangeLog
index cdcfaa1..1dfc22a 100644
--- a/Source/WebKit/ChangeLog
+++ b/Source/WebKit/ChangeLog
@@ -1,3 +1,17 @@
+2019-12-05  Chris Dumez  <cdumez@apple.com>
+
+        [IPC] Fail BackForwardItemIdentifier decoding if the decoded integer is not a valid ID
+        https://bugs.webkit.org/show_bug.cgi?id=204920
+        <rdar://problem/57677453>
+
+        Reviewed by Ryosuke Niwa.
+
+        * UIProcess/WebPageProxy.cpp:
+        (WebKit::WebPageProxy::willGoToBackForwardListItem):
+        (WebKit::WebPageProxy::backForwardGoToItemShared):
+        * UIProcess/WebProcessProxy.cpp:
+        (WebKit::WebProcessProxy::updateBackForwardItem):
+
 2019-12-05  Sihui Liu  <sihui_liu@apple.com>
 
         Move InProcessIDBServer to WebKitLegacy
diff --git a/Source/WebKit/UIProcess/WebPageProxy.cpp b/Source/WebKit/UIProcess/WebPageProxy.cpp
index 35cd3ac..efc82e8 100644
--- a/Source/WebKit/UIProcess/WebPageProxy.cpp
+++ b/Source/WebKit/UIProcess/WebPageProxy.cpp
@@ -1573,8 +1573,6 @@
 
 void WebPageProxy::willGoToBackForwardListItem(const BackForwardItemIdentifier& itemID, bool inBackForwardCache)
 {
-    MESSAGE_CHECK(m_process, itemID.isValid());
-
     PageClientProtector protector(pageClient());
 
     if (auto* item = m_backForwardList->itemForID(itemID))
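Review bot: Removing `MESSAGE_CHECK(m_process, itemID.isValid())` leaves no local record that the identifier is still validated, so a one-line comment at the top of the body would help the next reader, e.g. `// itemID validity is enforced by BackForwardItemIdentifier::decode(), which fails the message instead of reaching here.` The same applies to `backForwardGoToItemShared` in the next hunk and to `WebProcessProxy::updateBackForwardItem` in WebProcessProxy.cpp. The guarantee only holds if every `BackForwardItemIdentifier` reaching these functions came through that decoder; for `updateBackForwardItem` the identifier arrives inside `BackForwardListItemState`, so its decoder presumably delegates to `BackForwardItemIdentifier::decode` rather than reading the raw integer itself, which is worth confirming since that code is not in this diff. Each function's body continues past its hunk.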
@@ -5927,8 +5925,6 @@
 
 void WebPageProxy::backForwardGoToItemShared(Ref<WebProcessProxy>&& process, const BackForwardItemIdentifier& itemID, CompletionHandler<void(SandboxExtension::Handle&&)>&& completionHandler)
 {
-    MESSAGE_CHECK(process, itemID.isValid());
-
     auto* item = m_backForwardList->itemForID(itemID);
     if (!item)
         return completionHandler({ });
diff --git a/Source/WebKit/UIProcess/WebProcessProxy.cpp b/Source/WebKit/UIProcess/WebProcessProxy.cpp
index 08a39a3..37dd5e9 100644
--- a/Source/WebKit/UIProcess/WebProcessProxy.cpp
+++ b/Source/WebKit/UIProcess/WebProcessProxy.cpp
@@ -627,8 +627,6 @@
 
 void WebProcessProxy::updateBackForwardItem(const BackForwardListItemState& itemState)
 {
-    MESSAGE_CHECK(itemState.identifier.isValid());
-
     auto* item = WebBackForwardListItem::itemForID(itemState.identifier);
     if (!item || !isAllowedToUpdateBackForwardItem(*item))
         return;