[Webkit-unassigned] [Bug 241547] New: Ignore badly encoded std::variant IPC messages.

[bugzilla-daemon at webkit.org]

https://bugs.webkit.org/show_bug.cgi?id=241547

            Bug ID: 241547
           Summary: Ignore badly encoded std::variant IPC messages.
           Product: WebKit
           Version: Other
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebKit2
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: jean-yves.avenard at apple.com
                CC: kkinnunen at apple.com

Seen in 241407 with the ipc/pasteboard-write-custom-data.html test

It sends a rubbish buffer over IPC and ensure that the decoder doesn't crash.

When using the std::variant<> decoder, the decoder performs a recursive call in order to decode the property type like so:

std::variant<T1,T2,T3> obj;

decode<std::variant<T1,T2,T3...>>()
    read std::variant's index into i.
    VariantCoder<2, Types...>::decode(decoder, *i);
        VariantCoder<1, Types...>::decode(decoder, *i);
            VariantCoder<0, Types...>::decode(decoder, *i);

If the encoded value of i is nonsensical, we will get into calling VariantCoder<0, Types...>::decode(decoder, *i);

We should exit early when we read the value of I if it's greater than the number of types en variant can contain.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20220613/30f0add7/attachment.htm>