Import WebKit commit 6d0ad27b6bc4209fb8d8cee2692dc0c6a5462051v5.212.0-alpha2

Change-Id: Ifdedb7bc3162434686201813dc1d994cf5ae7e70 Reviewed-by: Konstantin Tokarev <annulen@yandex.ru>
author: Konstantin Tokarev <annulen@yandex.ru> 2017-06-15 12:13:20 +0300
committer: Konstantin Tokarev <annulen@yandex.ru> 2017-06-17 10:46:54 +0000
commit: aab669a05f943c587f6acccd94d53a8544170c1c (patch)
tree: 2c22545100b500eb80d23f75b8e3180ed9b5f3b7 /Source/WebKit2/Platform/IPC/unix/ConnectionUnix.cpp
parent: c119ecc79e19c630a8b1ef10fe01cc567901033f (diff)
download: qtwebkit-aab669a05f943c587f6acccd94d53a8544170c1c.tar.gz
1 files changed, 10 insertions, 1 deletions
diff --git a/Source/WebKit2/Platform/IPC/unix/ConnectionUnix.cpp b/Source/WebKit2/Platform/IPC/unix/ConnectionUnix.cpp
index 18d02cdd9..3902003f9 100644
--- a/Source/WebKit2/Platform/IPC/unix/ConnectionUnix.cpp
+++ b/Source/WebKit2/Platform/IPC/unix/ConnectionUnix.cpp
@@ -199,6 +199,11 @@ bool Connection::processMessage()
     memcpy(&messageInfo, messageData, sizeof(messageInfo));
     messageData += sizeof(messageInfo);
 
+    if (messageInfo.attachmentCount() > attachmentMaxAmount || (!messageInfo.isMessageBodyIsOutOfLine() && messageInfo.bodySize() > messageMaxSize)) {
+        ASSERT_NOT_REACHED();
+        return false;
+    }
+
     size_t messageLength = sizeof(MessageInfo) + messageInfo.attachmentCount() * sizeof(AttachmentInfo) + (messageInfo.isMessageBodyIsOutOfLine() ? 0 : messageInfo.bodySize());
     if (m_readBuffer.size() < messageLength)
         return false;
@@ -256,7 +261,7 @@ bool Connection::processMessage()
     if (messageInfo.isMessageBodyIsOutOfLine()) {
         ASSERT(messageInfo.bodySize());
 
-        if (attachmentInfo[attachmentCount].isNull()) {
+        if (attachmentInfo[attachmentCount].isNull() || attachmentInfo[attachmentCount].getSize() != messageInfo.bodySize()) {
             ASSERT_NOT_REACHED();
             return false;
         }
@@ -334,6 +339,10 @@ static ssize_t readBytesFromSocket(int socketDescriptor, Vector<uint8_t>& buffer
         struct cmsghdr* controlMessage;
         for (controlMessage = CMSG_FIRSTHDR(&message); controlMessage; controlMessage = CMSG_NXTHDR(&message, controlMessage)) {
             if (controlMessage->cmsg_level == SOL_SOCKET && controlMessage->cmsg_type == SCM_RIGHTS) {
+                if (controlMessage->cmsg_len < CMSG_LEN(0) || controlMessage->cmsg_len > attachmentMaxAmount) {
+                    ASSERT_NOT_REACHED();
+                    break;
+                }
                 size_t previousFileDescriptorsSize = fileDescriptors.size();
                 size_t fileDescriptorsCount = (controlMessage->cmsg_len - CMSG_LEN(0)) / sizeof(int);
                 fileDescriptors.grow(fileDescriptors.size() + fileDescriptorsCount);
author	Konstantin Tokarev <annulen@yandex.ru>	2017-06-15 12:13:20 +0300
committer	Konstantin Tokarev <annulen@yandex.ru>	2017-06-17 10:46:54 +0000
commit	aab669a05f943c587f6acccd94d53a8544170c1c (patch)
tree	2c22545100b500eb80d23f75b8e3180ed9b5f3b7 /Source/WebKit2/Platform/IPC/unix/ConnectionUnix.cpp
parent	c119ecc79e19c630a8b1ef10fe01cc567901033f (diff)
download	qtwebkit-aab669a05f943c587f6acccd94d53a8544170c1c.tar.gz