[Webkit-unassigned] [Bug 199621] [WPE][GTK] UI process crash due to NULL dereference in webkitWebViewResourceLoadStarted()

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Jul 9 13:00:30 PDT 2019


https://bugs.webkit.org/show_bug.cgi?id=199621

--- Comment #2 from Michael Catanzaro <mcatanzaro at igalia.com> ---
(In reply to Milan Crha from comment #0)
>  * There are at least two bugs here: first that the web process is sending
> an invalid frame, second that this crashes the UI process. The UI process
> must be robust to a malicious web process sending invalid messages.

The first bug is going to require some investigation.

For the second bug, basically all of WebKitInjectedBundleClient in WebKitInjectedBundleClient.cpp is missing validation to ensure API::Dictionary::get is returning valid pointers. E.g.:

        if (g_str_equal(messageName, "DidInitiateLoadForResource")) {
            WebFrameProxy* frame = static_cast<WebFrameProxy*>(message.get(String::fromUTF8("Frame")));
            API::UInt64* resourceIdentifier = static_cast<API::UInt64*>(message.get(String::fromUTF8("Identifier")));
            API::URLRequest* webRequest = static_cast<API::URLRequest*>(message.get(String::fromUTF8("Request")));
            GRefPtr<WebKitURIRequest> request = adoptGRef(webkitURIRequestCreateForResourceRequest(webRequest->resourceRequest()));

            webkitWebViewResourceLoadStarted(webView, frame, resourceIdentifier->value(), request.get());

Here we crash because we fail to check that frame is not null, but it could just as easily have been webRequest or request. Point is to make sure the UI process survives even if the web process is evil and intentionally sends bad messages.

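As an added illustration of the validation the comment asks for (this is not WebKit's code and not part of the bug thread): a stand-alone C++ sketch of the "DidInitiateLoadForResource" handler in which every `Dictionary` lookup is checked before it is dereferenced, so a malformed message from the web process is dropped instead of crashing the UI process. `Object`, `Frame`, `UInt64`, `URLRequest`, `Dictionary`, `getAs`, `LoadStarted` and `handleDidInitiateLoadForResource` are hypothetical stand-ins for WebKit's `API::Object`, `API::Dictionary`, `WebFrameProxy`, `API::UInt64` and `API::URLRequest`; the sample messages are constructed, not captured. It goes one step beyond the null check discussed above by also rejecting an object of the wrong type under an expected key, which the original `static_cast` would silently accept.

```cpp
#include <cstdint>
#include <cstdio>
#include <map>
#include <memory>
#include <optional>
#include <string>
#include <utility>

// Hypothetical stand-ins for WebKit's API::Object / API::Dictionary (not WebKit's code):
// a polymorphic base lets a lookup be checked for both presence and dynamic type.
struct Object {
    virtual ~Object() = default;
};
struct Frame : Object {
    explicit Frame(uint64_t id) : frameID(id) {}
    uint64_t frameID;
};
struct UInt64 : Object {
    explicit UInt64(uint64_t v) : value(v) {}
    uint64_t value;
};
struct URLRequest : Object {
    explicit URLRequest(std::string u) : url(std::move(u)) {}
    std::string url;
};
using Dictionary = std::map<std::string, std::shared_ptr<Object>>;

// Typed lookup: nullptr when the key is absent, the stored pointer is null, or the
// stored object is not of the requested type (dynamic_cast on nullptr yields nullptr).
template <typename T>
T* getAs(const Dictionary& message, const std::string& key) {
    auto it = message.find(key);
    if (it == message.end())
        return nullptr;
    return dynamic_cast<T*>(it->second.get());
}

// What a UI-process handler would hand on to webkitWebViewResourceLoadStarted().
struct LoadStarted {
    uint64_t frameID;
    uint64_t identifier;
    std::string url;
};

// Hardened handler: all three pointers are validated before use. A message that is
// missing a field, carries a null, or carries the wrong object type is rejected.
std::optional<LoadStarted> handleDidInitiateLoadForResource(const Dictionary& message) {
    auto* frame = getAs<Frame>(message, "Frame");
    auto* identifier = getAs<UInt64>(message, "Identifier");
    auto* request = getAs<URLRequest>(message, "Request");
    if (!frame || !identifier || !request)
        return std::nullopt; // drop the message; never dereference an unchecked pointer
    return LoadStarted{frame->frameID, identifier->value, request->url};
}

// Constructed sample messages (not captured from a real web process).
Dictionary wellFormedMessage() {
    return {
        {"Frame", std::make_shared<Frame>(7)},
        {"Identifier", std::make_shared<UInt64>(42)},
        {"Request", std::make_shared<URLRequest>("https://example.org/")},
    };
}
Dictionary missingFrameMessage() {
    Dictionary m = wellFormedMessage();
    m.erase("Frame"); // the case from the bug: the "Frame" lookup yields no object
    return m;
}
Dictionary nullFrameMessage() {
    Dictionary m = wellFormedMessage();
    m["Frame"] = nullptr; // key present but pointer null
    return m;
}
Dictionary wrongTypeMessage() {
    Dictionary m = wellFormedMessage();
    m["Request"] = std::make_shared<UInt64>(1); // wrong object type under "Request"
    return m;
}

int main() {
    const std::pair<const char*, Dictionary> cases[] = {
        {"well-formed", wellFormedMessage()},
        {"missing Frame", missingFrameMessage()},
        {"null Frame", nullFrameMessage()},
        {"wrong type", wrongTypeMessage()},
    };
    for (const auto& [name, msg] : cases) {
        auto result = handleDidInitiateLoadForResource(msg);
        std::printf("%-14s -> %s\n", name, result ? "accepted" : "rejected");
    }
    return 0;
}
```

Only the well-formed message is accepted; the other three are rejected without any pointer being dereferenced. A real fix in WebKit would also decide how to report or log the dropped message, which this sketch leaves out.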