[webkit-changes] [WebKit/WebKit] 9cf3ea: IPC deserialization: Clip IntRect rather than fail...

Abrar Rahman Protyasha noreply at github.com
Wed Oct 18 17:49:33 PDT 2023


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 9cf3ea6461529a8a721197cc381b0d6e90813686
      https://github.com/WebKit/WebKit/commit/9cf3ea6461529a8a721197cc381b0d6e90813686
  Author: Abrar Rahman Protyasha <a_protyasha at apple.com>
  Date:   2023-10-18 (Wed, 18 Oct 2023)

  Changed paths:
    A LayoutTests/security/clip-invalid-rect-2-expected.txt
    A LayoutTests/security/clip-invalid-rect-2.html
    A LayoutTests/security/clip-invalid-rect-expected.txt
    A LayoutTests/security/clip-invalid-rect.html
    M Source/WebCore/platform/graphics/IntRect.cpp
    M Source/WebCore/platform/graphics/IntRect.h
    M Source/WebKit/Shared/EditorState.cpp
    M Source/WebKit/Shared/EditorState.h
    M Source/WebKit/Shared/RemoteLayerTree/RemoteScrollingCoordinatorTransaction.cpp
    M Source/WebKit/WebProcess/WebCoreSupport/WebChromeClient.cpp
    M Source/WebKit/WebProcess/WebPage/WebPage.cpp
    M Source/WebKit/WebProcess/WebPage/mac/WebPageMac.mm

  Log Message:
  -----------
  IPC deserialization: Clip IntRect rather than fail to decode entirely
https://bugs.webkit.org/show_bug.cgi?id=258222
rdar://109925899
Reviewed by Chris Dumez.

We hardened IntRect decoding by using IntRect::isValid as a validator in
262412 at main, however this has the inadvertent effect of terminating a
sending process if they send a degenerately large IntRect (i.e. one that
overflows at x + width or y + height and thus fails IntRect::isValid).

The messages with degerate rects reposinble for recently reported
deserialization crashes are namely `WebPageProxy::RootViewToScreen`,
`WebPageProxy::EditorStateChanged`,
`RemoteLayerTreeDrawingAreaProxy::CommitLayerTree`, and
`WebPageProxy::MouseDidMoveOverElement`. In this patch, we suggest
clipping the IntRect at the IPC sender call-site, thereby avoiding
overflow issues and not crashing the sending process. For the
`EditorState` case, it makes more sense to sanitize the owned rects in
`WebPage::editorState()`, which is a layer before the IPC sender
call-site.

* LayoutTests/security/clip-invalid-rect-expected.txt: Added.
* LayoutTests/security/clip-invalid-rect.html: Added.
* LayoutTests/security/clip-invalid-rect-2-expected.txt: Added.
* LayoutTests/security/clip-invalid-rect-2.html: Added.
Layout tests that crash trying to decode degenerate IntRect messages.

* Source/WebCore/platform/graphics/IntRect.cpp:
(WebCore::IntRect::toRectWithExtentsClippedToNumericLimits const):
* Source/WebCore/platform/graphics/IntRect.h:
Add a function that returns an IntRect with clipped size such that there
is no int32_t overflow at x + width or y + height.

* Source/WebKit/Shared/EditorState.cpp:
* Source/WebKit/Shared/EditorState.h:
(WebKit::EditorState::clipOwnedRectExtentsToNumericLimits):
Add a function that performs clipping of the rects owned by an EditorState
object.

* Source/WebKit/Shared/RemoteLayerTree/RemoteScrollingCoordinatorTransaction.cpp:
Drive-by fix to improve readability of a conditional directive.

* Source/WebKit/WebProcess/WebCoreSupport/WebChromeClient.cpp:
(WebKit::WebChromeClient::mouseDidMoveOverElement):
Perform `IntRect` clipping before sending a `MouseDidMoveOverElement` IPC
message.

* Source/WebKit/WebProcess/WebPage/WebPage.cpp:
(WebKit::WebPage::editorState const):
Perform `IntRect` clipping for all the rects owned by an EditorState,
thus sanitizing both the `EditorStateChanged` and the `CommitLayerTree`
IPC messages.
(WebKit::WebPage::rootViewToScreen):
Perform `IntRect` clipping before sending a `RootViewToScreen` IPC
message.

* Source/WebKit/WebProcess/WebPage/mac/WebPageMac.mm:
(WebKit::WebPage::performImmediateActionHitTestAtLocation):
Perform `IntRect` clipping before sending a `MouseDidMoveOverElement` IPC
message.

Canonical link: https://commits.webkit.org/265870.4@safari-7616-branch

Canonical link: https://commits.webkit.org/269494@main




More information about the webkit-changes mailing list