[Webkit-unassigned] [Bug 199621] [WPE][GTK] UI process crash due to NULL dereference in webkitWebViewResourceLoadStarted()
bugzilla-daemon at webkit.org
Tue Jul 16 06:49:35 PDT 2019
https://bugs.webkit.org/show_bug.cgi?id=199621
--- Comment #6 from Michael Catanzaro <mcatanzaro at igalia.com> ---
Comment on attachment 374202
--> https://bugs.webkit.org/attachment.cgi?id=374202
Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=374202&action=review
> Source/WebKit/UIProcess/API/glib/WebKitInjectedBundleClient.cpp:54
> API::UInt64* resourceIdentifier = static_cast<API::UInt64*>(message.get(String::fromUTF8("Identifier")));
> + ASSERT(resourceIdentifier);
> API::URLRequest* webRequest = static_cast<API::URLRequest*>(message.get(String::fromUTF8("Request")));
> + ASSERT(webRequest);
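Review bot: the two added ASSERT() calls on resourceIdentifier and webRequest do not validate the message, since ASSERT is compiled out in release builds and a null result from message.get() is then dereferenced exactly as before; replace them with a null check that drops the message, e.g. `if (!resourceIdentifier || !webRequest) return;`. The static_cast on each value also downcasts without checking the object's actual type, so a message that carries a differently typed object under "Identifier" or "Request" would be misread; check the type before casting, and treat a mismatch the same way as a missing value.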
But this is exactly what I said we must not do. We can't trust web process messages: we have to validate them. A malicious web process shouldn't be able to crash the UI process, and a crash is what we're going to get if either of these are null.
I assume we can trust message.get to return either valid data or null.
--
You are receiving this mail because:
You are the assignee for the bug.