[Webkit-unassigned] [Bug 53617] New: uint64_t to size_t conversion can lead to unexpected behavior in CoreIPC

Wed Feb 2 12:17:20 PST 2011

https://bugs.webkit.org/show_bug.cgi?id=53617

           Summary: uint64_t to size_t conversion can lead to unexpected
                    behavior in CoreIPC
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: All
        OS/Version: All
            Status: NEW
          Keywords: NeedsRadar
          Severity: Normal
          Priority: P2
         Component: WebKit2
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: aroben at apple.com
                CC: darin at apple.com, andersca at apple.com

If a function like ArgumentDecoder::decodeBytes [1] decodes a size greater than std::numeric_limits<size_t>::max(), we'll end up calling buffer.resize(0) and then trying to memcpy 0 bytes into the null buffer. This is very strange behavior, and probably unexpected.

It would likely be better to detect the overflow and just bail out.

1. http://trac.webkit.org/browser/trunk/Source/WebKit2/Platform/CoreIPC/ArgumentDecoder.cpp?rev=77378#L95

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.