WebKit Bugzilla
Attachment 373655 Details for Bug 199584: Validate reply block signature in [WKRemoteObjectRegistry _invokeMethod]
Patch: bug-199584-20190708121823.patch (text/plain), 2.70 KB, created by Chris Dumez on 2019-07-08 12:18:24 PDT

Description: Patch
Filename: bug-199584-20190708121823.patch
MIME Type: text/plain
Creator: Chris Dumez
Created: 2019-07-08 12:18:24 PDT
Size: 2.70 KB
Flags: patch, obsolete
>Subversion Revision: 247208 >diff --git a/Source/WebKit/ChangeLog b/Source/WebKit/ChangeLog >index 03ef68d1c17eda36b0d281685377e41ef4079f03..5022eda8c88800b0077072cf100cb130f107dd2d 100644 >--- a/Source/WebKit/ChangeLog >+++ b/Source/WebKit/ChangeLog >@@ -1,3 +1,17 @@ >+2019-07-08 Chris Dumez <cdumez@apple.com> >+ >+ Validate reply block signature in [WKRemoteObjectRegistry _invokeMethod] >+ https://bugs.webkit.org/show_bug.cgi?id=199584 >+ <rdar://problem/46268249> >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ Validate reply block signature in [WKRemoteObjectRegistry _invokeMethod] for robustness. >+ >+ * Shared/API/Cocoa/_WKRemoteObjectRegistry.mm: >+ (validateReplyBlockSignature): >+ (-[_WKRemoteObjectRegistry _invokeMethod:]): >+ > 2019-07-07 Antoine Quint <graouts@apple.com> > > [Pointer Events] touch-action should affect the behavior of pinch-to-zoom to show tabs in Safari >diff --git a/Source/WebKit/Shared/API/Cocoa/_WKRemoteObjectRegistry.mm b/Source/WebKit/Shared/API/Cocoa/_WKRemoteObjectRegistry.mm >index f35d9308b36a708fef7ab7e99b1791233950bdaa..7a523ca3e672b9bbb8508eff6a7885bb0bf174ee 100644 >--- a/Source/WebKit/Shared/API/Cocoa/_WKRemoteObjectRegistry.mm >+++ b/Source/WebKit/Shared/API/Cocoa/_WKRemoteObjectRegistry.mm >@@ -184,6 +184,19 @@ - (WebKit::RemoteObjectRegistry&)remoteObjectRegistry > return *_remoteObjectRegistry; > } > >+static bool validateReplyBlockSignature(NSMethodSignature *wireBlockSignature) >+{ >+ // The block should return a void. >+ if (strcmp(wireBlockSignature.methodReturnType, "v")) >+ return false; >+ >+ // First implicit argument of a block is always the block itself. >+ if (wireBlockSignature.numberOfArguments < 1 || strcmp([wireBlockSignature getArgumentTypeAtIndex:0], "@?")) >+ return false; >+ >+ return true; >+} >+ > - (void)_invokeMethod:(const WebKit::RemoteObjectInvocation&)remoteObjectInvocation > { > auto& interfaceIdentifier = remoteObjectInvocation.interfaceIdentifier(); 
>@@ -218,9 +231,14 @@ - (void)_invokeMethod:(const WebKit::RemoteObjectInvocation&)remoteObjectInvocat > continue; > > // We found the block. >- // FIXME: Validate the signature. > NSMethodSignature *wireBlockSignature = [NSMethodSignature signatureWithObjCTypes:replyInfo->blockSignature.utf8().data()]; > >+ // Validate the signature. >+ if (!validateReplyBlockSignature(wireBlockSignature)) { >+ NSLog(@"_invokeMethod: Failed to validate reply block signature: %@", wireBlockSignature._typeString); >+ continue; >+ } >+ > RetainPtr<_WKRemoteObjectRegistry> remoteObjectRegistry = self; > uint64_t replyID = replyInfo->replyID; >
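Review bot: in the hunk that adds validateReplyBlockSignature to _WKRemoteObjectRegistry.mm, the function does not guard against a nil wireBlockSignature. [NSMethodSignature signatureWithObjCTypes:] may return nil for a type string it cannot parse, and in that case `wireBlockSignature.methodReturnType` evaluates to NULL, so the very first check, `if (strcmp(wireBlockSignature.methodReturnType, "v"))`, hands a null pointer to strcmp. Add `if (!wireBlockSignature) return false;` as the first statement (or reject nil at the call site before calling the validator). Second, the function only checks the return type and the implicit block argument at index 0; the remaining argument types, which are what the reply values will actually be marshalled into, are not compared against anything, so this is a shape check rather than a comparison against the locally declared reply block signature. The function comment should say so, since the ChangeLog's "for robustness" suggests more than the checks deliver.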
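Review bot: in the hunk in -[_WKRemoteObjectRegistry _invokeMethod:], the failure path logs and then executes `continue`, which silently drops the reply: the matching reply block is never invoked, so the side that sent the invocation never learns that its reply was rejected. That is a defensible choice for a malformed wire signature, but it should be stated in the ChangeLog entry, which currently only says the signature is validated "for robustness". Minor: the new comment `// Validate the signature.` restates the call on the next line; it would carry more value if it said why the check exists, namely that the signature string is taken from the RemoteObjectInvocation rather than from local code and so cannot be assumed well-formed.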
Attachments on bug 199584: 373655 | 373728 | 373732