IPC hardening for WebPageProxy::SetPromisedDataForImage message
https://bugs.webkit.org/show_bug.cgi?id=206380
<rdar://problem/58625196>
Reviewed by Geoffrey Garen.
IPC hardening for WebPageProxy::SetPromisedDataForImage message. Make sure the shared memory handle sent over IPC is not null
and null check the SharedMemory object after calling SharedMemory::map().
* UIProcess/mac/WebPageProxyMac.mm:
(WebKit::WebPageProxy::setPromisedDataForImage):
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@254724 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/Source/WebKit/ChangeLog b/Source/WebKit/ChangeLog
index 76432ec..2bec080 100644
--- a/Source/WebKit/ChangeLog
+++ b/Source/WebKit/ChangeLog
@@ -1,3 +1,17 @@
+2020-01-16 Chris Dumez <cdumez@apple.com>
+
+ IPC hardening for WebPageProxy::SetPromisedDataForImage message
+ https://bugs.webkit.org/show_bug.cgi?id=206380
+ <rdar://problem/58625196>
+
+ Reviewed by Geoffrey Garen.
+
+ IPC hardening for WebPageProxy::SetPromisedDataForImage message. Make sure the shared memory handle sent over IPC is not null
+ and null check the SharedMemory object after calling SharedMemory::map().
+
+ * UIProcess/mac/WebPageProxyMac.mm:
+ (WebKit::WebPageProxy::setPromisedDataForImage):
+
2020-01-16 Daniel Chen <thedanielchen@apple.com>
Call AtomString::init in WebKit2Initialize.
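Review bot: the ChangeLog entry describes the two checks but not that they fail differently, which is worth recording: a null handle trips MESSAGE_CHECK (the sending process is treated as misbehaving), whereas a failed SharedMemory::map() now makes the message return early without any signal. Spelling that out in the entry would save the next reader from wondering whether the silent early return was deliberate.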
diff --git a/Source/WebKit/UIProcess/mac/WebPageProxyMac.mm b/Source/WebKit/UIProcess/mac/WebPageProxyMac.mm
index 82e005d..8ad2ba1 100644
--- a/Source/WebKit/UIProcess/mac/WebPageProxyMac.mm
+++ b/Source/WebKit/UIProcess/mac/WebPageProxyMac.mm
@@ -314,7 +314,12 @@
{
MESSAGE_CHECK_URL(url);
MESSAGE_CHECK_URL(visibleURL);
+ MESSAGE_CHECK(!imageHandle.isNull());
+
RefPtr<SharedMemory> sharedMemoryImage = SharedMemory::map(imageHandle, SharedMemory::Protection::ReadOnly);
+ if (!sharedMemoryImage)
+ return;
+
auto imageBuffer = SharedBuffer::create(static_cast<unsigned char*>(sharedMemoryImage->data()), imageSize);
RefPtr<SharedBuffer> archiveBuffer;
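Review bot: the hunk still passes the IPC-supplied imageSize straight into SharedBuffer::create() without relating it to the mapped region, so the added null checks close the null-handle and failed-map cases but leave the size unchecked. Consider adding a check against the mapped size (SharedMemory exposes size() in WebKit) alongside the new handle check, e.g. `MESSAGE_CHECK(imageSize <= sharedMemoryImage->size());` after the `if (!sharedMemoryImage) return;` block, so that the buffer cannot be created over more bytes than were actually mapped. Separately, the two failure paths are asymmetric: a null handle triggers MESSAGE_CHECK, but a failed map returns silently. If map() failing is considered a legitimate runtime condition (resource exhaustion) rather than a malformed message, a one-line comment saying so would make the distinction intentional rather than accidental.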