[webkit-changes] [WebKit/WebKit] 23f254: Limit untrusted allocations when decoding Vectors ...
EWS
noreply at github.com
Mon Feb 6 14:53:59 PST 2023
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 23f2542385a7ff667cd8d8b17b77a733203ac51f
https://github.com/WebKit/WebKit/commit/23f2542385a7ff667cd8d8b17b77a733203ac51f
Author: Alex Christensen <achristensen at webkit.org>
Date: 2023-02-06 (Mon, 06 Feb 2023)
Changed paths:
M Source/WebKit/Platform/IPC/ArgumentCoders.h
M Tools/TestWebKitAPI/Tests/IPC/ArgumentCoderTests.cpp
Log Message:
-----------
Limit untrusted allocations when decoding Vectors to 1MB
https://bugs.webkit.org/show_bug.cgi?id=251804
Reviewed by Kimmo Kinnunen.
257725@main introduced a performance improvement where we only allocate exactly as much
memory as we need once when decoding a Vector. This is wonderful, but it introduced
allocation based on size from an untrusted source, making it so any message that sends
a Vector can be used to send a very large size_t and crash the other process. In this
PR I get the best of both worlds: if the total allocation size is less than 1MB then we
do the fast and efficient thing, but if it is more than 1MB we do the safe thing.
* Source/WebKit/Platform/IPC/ArgumentCoders.h:
Canonical link: https://commits.webkit.org/259917@main
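The pattern the commit describes, as an added illustration that is not WebKit's code: a small decoder over an untrusted byte buffer whose Vector decoding reads the peer-supplied element count, reserves storage up front only when count times element size stays under 1 MB, and otherwise appends elements one at a time so that growth is paid for by bytes that actually arrived. The class and function names, the wire format (a u64 count followed by the raw elements), and the sample messages are all assumptions made for this example; WebKit's real IPC::Decoder and ArgumentCoder templates differ in detail.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <iostream>
#include <optional>
#include <type_traits>
#include <vector>

// Assumed threshold from the commit message: allocations implied by an
// untrusted count are only trusted up front when they stay below 1 MB.
constexpr size_t kUntrustedAllocationLimit = 1024 * 1024;

// True when count * elementSize < kUntrustedAllocationLimit, computed as a
// division so a huge count cannot overflow the multiplication.
bool reservesUpfront(uint64_t count, size_t elementSize)
{
    return count < (kUntrustedAllocationLimit + elementSize - 1) / elementSize;
}

// Hypothetical decoder over a buffer received from another process.
class UntrustedDecoder {
public:
    UntrustedDecoder(const uint8_t* data, size_t size)
        : m_data(data), m_size(size) { }

    template<typename T>
    std::optional<T> decodeScalar()
    {
        static_assert(std::is_trivially_copyable_v<T>);
        if (m_size - m_offset < sizeof(T))
            return std::nullopt; // message truncated: fail, do not read past the end
        T value;
        std::memcpy(&value, m_data + m_offset, sizeof(T));
        m_offset += sizeof(T);
        return value;
    }

    template<typename T>
    std::optional<std::vector<T>> decodeVector()
    {
        auto count = decodeScalar<uint64_t>();
        if (!count)
            return std::nullopt;
        std::vector<T> result;
        if (reservesUpfront(*count, sizeof(T))) {
            // Fast path: one exact allocation, bounded below 1 MB even if the
            // count is a lie.
            result.reserve(static_cast<size_t>(*count));
        }
        // Large or bogus counts get no upfront allocation; a lying peer makes
        // this loop fail on the first missing element instead of making the
        // allocator fail on a multi-gigabyte request.
        for (uint64_t i = 0; i < *count; ++i) {
            auto element = decodeScalar<T>();
            if (!element)
                return std::nullopt;
            result.push_back(*element);
        }
        return result;
    }

private:
    const uint8_t* m_data;
    size_t m_size;
    size_t m_offset = 0;
};

// Constructed sample message: u64 count followed by raw uint32_t elements.
std::vector<uint8_t> encodeVector(const std::vector<uint32_t>& values)
{
    uint64_t count = values.size();
    std::vector<uint8_t> bytes(sizeof(count) + values.size() * sizeof(uint32_t));
    std::memcpy(bytes.data(), &count, sizeof(count));
    std::memcpy(bytes.data() + sizeof(count), values.data(), values.size() * sizeof(uint32_t));
    return bytes;
}

// Round trip n elements; n = 300000 (1.2 MB of payload) takes the safe path.
bool roundTrips(size_t n)
{
    std::vector<uint32_t> values(n);
    for (size_t i = 0; i < n; ++i)
        values[i] = static_cast<uint32_t>(i * 2654435761u);
    auto bytes = encodeVector(values);
    UntrustedDecoder decoder(bytes.data(), bytes.size());
    auto decoded = decoder.decodeVector<uint32_t>();
    return decoded && *decoded == values;
}

// Constructed hostile message: claims 2^60 elements but carries 8 bytes of payload.
bool rejectsLyingCount()
{
    std::vector<uint8_t> bytes(sizeof(uint64_t) + 8, 0);
    uint64_t claimed = uint64_t(1) << 60;
    std::memcpy(bytes.data(), &claimed, sizeof(claimed));
    UntrustedDecoder decoder(bytes.data(), bytes.size());
    return !decoder.decodeVector<uint32_t>().has_value();
}

int main()
{
    std::cout << "small round trip ok: " << roundTrips(10) << "\n"
              << "large round trip ok: " << roundTrips(300000) << "\n"
              << "lying count rejected: " << rejectsLyingCount() << "\n";
}
```

The threshold only bounds the damage from a single message to one sub-megabyte reservation; a peer can still send many such messages, so the 1 MB cap is a crash guard for the untrusted-size case, not a substitute for rate or total-memory limits elsewhere in the IPC layer.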