Make CacheStorageEngineCaches's decodeCachesNames() more robust against bad input data https://bugs.webkit.org/show_bug.cgi?id=201102 Reviewed by Antti Koivisto. Use Vector::tryReserveCapacity() instead of Vector::reserveInitialCapacity() in CacheStorage::decodeCachesNames() since the size is read from disk and thus cannot be trusted. If the size is too large, reserveInitialCapacity() would end up crashing the network process. Now, we merely discard the data if tryReserveCapacity() fails because the size is too large. * NetworkProcess/cache/CacheStorageEngineCaches.cpp: (WebKit::CacheStorage::decodeCachesNames): git-svn-id: http://svn.webkit.org/repository/webkit/trunk@249087 268f45cc-cd09-0410-ab3c-d52691b4dbfc

commit: ecdffc333b23493533925a6a80de25d9c41c5413 [log] [tgz]
author: cdumez@apple.com <cdumez@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc> Sat Aug 24 16:02:52 2019 +0000
committer: cdumez@apple.com <cdumez@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc> Sat Aug 24 16:02:52 2019 +0000
tree: ad58a8aaed81c73c0824031f71077ff2ad48928c
parent: 38e08aab37b2aab86aa372f1e3440d593c74e0fa [diff]
diff --git a/Source/WebKit/ChangeLog b/Source/WebKit/ChangeLog
index c1544f9..951ec8e 100644
--- a/Source/WebKit/ChangeLog
+++ b/Source/WebKit/ChangeLog

@@ -1,3 +1,18 @@
+2019-08-24  Chris Dumez  <cdumez@apple.com>
+
+        Make CacheStorageEngineCaches's decodeCachesNames() more robust against bad input data
+        https://bugs.webkit.org/show_bug.cgi?id=201102
+
+        Reviewed by Antti Koivisto.
+
+        Use Vector::tryReserveCapacity() instead of Vector::reserveInitialCapacity() in CacheStorage::decodeCachesNames()
+        since the size is read from disk and thus cannot be trusted. If the size is too large, reserveInitialCapacity()
+        would end up crashing the network process. Now, we merely discard the data if tryReserveCapacity() fails because
+        the size is too large.
+
+        * NetworkProcess/cache/CacheStorageEngineCaches.cpp:
+        (WebKit::CacheStorage::decodeCachesNames):
+
 2019-08-23  Wenson Hsieh  <wenson_hsieh@apple.com>
 
         [iOS] [WebKit2] Tapping on the “I’m” text suggestion after typing “i’” does nothing

diff --git a/Source/WebKit/NetworkProcess/cache/CacheStorageEngineCaches.cpp b/Source/WebKit/NetworkProcess/cache/CacheStorageEngineCaches.cpp
index 5a7be27..2387941 100644
--- a/Source/WebKit/NetworkProcess/cache/CacheStorageEngineCaches.cpp
+++ b/Source/WebKit/NetworkProcess/cache/CacheStorageEngineCaches.cpp

@@ -411,7 +411,9 @@
         return makeUnexpected(Error::ReadDisk);
 
     Vector<std::pair<String, String>> names;
-    names.reserveInitialCapacity(count);
+    if (!names.tryReserveCapacity(count))
+        return makeUnexpected(Error::ReadDisk);
+
     for (size_t index = 0; index < count; ++index) {
         String name;
         if (!decoder.decode(name))
commit	ecdffc333b23493533925a6a80de25d9c41c5413	[log] [tgz]
author	cdumez@apple.com <cdumez@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>	Sat Aug 24 16:02:52 2019 +0000
committer	cdumez@apple.com <cdumez@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>	Sat Aug 24 16:02:52 2019 +0000
tree	ad58a8aaed81c73c0824031f71077ff2ad48928c
parent	38e08aab37b2aab86aa372f1e3440d593c74e0fa [diff]