[webkit-reviews] review granted: [Bug 209270] decodeCFData should check bufferIsLargeEnoughToContain before allocating a buffer : [Attachment 393943] Patch
bugzilla-daemon at webkit.org
Wed Mar 18 22:36:41 PDT 2020
Darin Adler <darin at apple.com> has granted Fujii Hironori
<Hironori.Fujii at sony.com>'s request for review:
Bug 209270: decodeCFData should check bufferIsLargeEnoughToContain before
allocating a buffer
https://bugs.webkit.org/show_bug.cgi?id=209270
Attachment 393943: Patch
https://bugs.webkit.org/attachment.cgi?id=393943&action=review
--- Comment #2 from Darin Adler <darin at apple.com> ---
Comment on attachment 393943
--> https://bugs.webkit.org/attachment.cgi?id=393943
Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=393943&action=review
> Source/WebCore/platform/network/cf/CertificateInfo.h:118
> + if
(!decoder.bufferIsLargeEnoughToContain<uint8_t>(static_cast<size_t>(size)))
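Review bot: the narrowing on this line, static_cast<size_t>(size), happens before anything checks whether size fits, so on a 32-bit target a 64-bit size with high bits set is silently truncated and bufferIsLargeEnoughToContain can pass for the truncated value while the later CFIndex conversion sees something else entirely. Range-check the decoded value against the narrowest destination type first and only then convert, e.g. `if (size > std::numeric_limits<CFIndex>::max()) return false;` followed by `CFIndex length = size;`, and pass length to both the buffer check and CFDataCreate. Because CFIndex is signed, its maximum is below SIZE_MAX on every target, so that single check also covers the size_t argument here.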
This cast to size_t doesn’t look right, nor does the code below. If the size is
larger than what will fit in size_t, this will do the wrong thing. We can
clean up this mix of types. CFDataCreate takes an argument of a type called
CFIndex. So I think we need to write this:
if (size > std::numeric_limits<CFIndex>::max())
return false;
CFIndex length = size;
Then we should use length instead of static_cast<size_t>(size) in both places
that it appears.
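The check Darin asks for, written out as an added example that is not the WebKit patch or WebKit's own decoder: a hypothetical Decoder class standing in for the IPC decoder, a `long` alias standing in for CoreFoundation's CFIndex, and a `checkedNarrow` helper that rejects a decoded 64-bit count before it is converted to any narrower type. `truncatingCheckOn32BitTarget` mimics the original `static_cast<size_t>(size)` with a 32-bit size_t to show why the cast-then-check order is wrong. All names, the message layout (8-byte little-endian length followed by the payload) and the sample inputs are assumptions constructed for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <limits>
#include <optional>
#include <type_traits>
#include <utility>
#include <vector>

// Stand-in for CoreFoundation's CFIndex (a signed long) so the example builds without CF.
using CFIndex = long;

// Hypothetical minimal decoder modelled on the one the review discusses (not WebKit code).
class Decoder {
public:
    explicit Decoder(std::vector<uint8_t> bytes) : m_bytes(std::move(bytes)) { }

    // Reads a little-endian 64-bit value, the way a length field would be encoded here.
    bool decode(uint64_t& out)
    {
        if (!bufferIsLargeEnoughToContain<uint64_t>(1))
            return false;
        uint64_t value = 0;
        for (size_t i = 0; i < 8; ++i)
            value |= static_cast<uint64_t>(m_bytes[m_pos + i]) << (8 * i);
        m_pos += 8;
        out = value;
        return true;
    }

    // True if `count` elements of T remain; guards the multiplication against overflow.
    template<typename T>
    bool bufferIsLargeEnoughToContain(size_t count) const
    {
        if (count > std::numeric_limits<size_t>::max() / sizeof(T))
            return false;
        return count * sizeof(T) <= m_bytes.size() - m_pos;
    }

    bool decodeFixedLengthData(uint8_t* dst, size_t n)
    {
        if (!bufferIsLargeEnoughToContain<uint8_t>(n))
            return false;
        std::memcpy(dst, m_bytes.data() + m_pos, n);
        m_pos += n;
        return true;
    }

private:
    std::vector<uint8_t> m_bytes;
    size_t m_pos { 0 };
};

// Range-checks a decoded 64-bit count against the narrowest integer type it will be converted to.
template<typename To>
std::optional<To> checkedNarrow(uint64_t value)
{
    static_assert(std::is_integral_v<To>, "destination must be an integer type");
    if (value > static_cast<uint64_t>(std::numeric_limits<To>::max()))
        return std::nullopt;
    return static_cast<To>(value);
}

// The order the review asks for: reject sizes that do not fit CFIndex before any cast or allocation.
// CFIndex is signed, so its max is below SIZE_MAX on every target; one check covers both uses.
std::optional<std::vector<uint8_t>> decodeDataBlob(Decoder& decoder)
{
    uint64_t size;
    if (!decoder.decode(size))
        return std::nullopt;
    auto length = checkedNarrow<CFIndex>(size);
    if (!length)
        return std::nullopt;
    if (!decoder.bufferIsLargeEnoughToContain<uint8_t>(static_cast<size_t>(*length)))
        return std::nullopt;
    std::vector<uint8_t> data(static_cast<size_t>(*length));
    if (!decoder.decodeFixedLengthData(data.data(), data.size()))
        return std::nullopt;
    return data;
}

// Mimics the patch's static_cast<size_t>(size) on a 32-bit target (size_t == uint32_t):
// the high bits are dropped, so a huge declared size can pass the buffer check.
bool truncatingCheckOn32BitTarget(const Decoder& decoder, uint64_t size)
{
    return decoder.bufferIsLargeEnoughToContain<uint8_t>(static_cast<uint32_t>(size));
}

// Constructed message: 8-byte little-endian length followed by the payload bytes.
std::vector<uint8_t> makeMessage(uint64_t declaredSize, const std::vector<uint8_t>& payload)
{
    std::vector<uint8_t> out;
    for (size_t i = 0; i < 8; ++i)
        out.push_back(static_cast<uint8_t>(declaredSize >> (8 * i)));
    out.insert(out.end(), payload.begin(), payload.end());
    return out;
}
```

With a four-byte payload and a declared size of 0x100000004, `decodeDataBlob` rejects the message on both LP64 and LLP64 targets, while `truncatingCheckOn32BitTarget` accepts it because the truncated count is 4. The point to take from the ordering is that the range check has to run on the original 64-bit value; once a narrowing cast has happened, no later check can recover the dropped bits.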