WebKit Bugzilla: Attachment 373732 Details for Bug 199584: Validate reply block signature in [WKRemoteObjectRegistry _invokeMethod]
Patch (obsolete): bug-199584-20190709105506.patch (text/plain), 3.50 KB, created by Chris Dumez on 2019-07-09 10:55:06 PDT
Description: Patch
>Subversion Revision: 247259 >diff --git a/Source/WebKit/ChangeLog b/Source/WebKit/ChangeLog >index 1ba70fea5d03f0d871b27db18228a6e5d54c5d15..a0a36354d8865fdd56e42e8c357b0c92fe57e971 100644 >--- a/Source/WebKit/ChangeLog >+++ b/Source/WebKit/ChangeLog >@@ -1,3 +1,17 @@ >+2019-07-09 Chris Dumez <cdumez@apple.com> >+ >+ Validate reply block signature in [WKRemoteObjectRegistry _invokeMethod] >+ https://bugs.webkit.org/show_bug.cgi?id=199584 >+ <rdar://problem/46268249> >+ >+ Reviewed by Geoffrey Garen. >+ >+ Validate reply block signature in [WKRemoteObjectRegistry _invokeMethod] for robustness. >+ >+ * Shared/API/Cocoa/_WKRemoteObjectRegistry.mm: >+ (validateReplyBlockSignature): >+ (-[_WKRemoteObjectRegistry _invokeMethod:]): >+ > 2019-07-08 Chris Dumez <cdumez@apple.com> > > Speculative fix for crashes under LocalStorageDatabaseTracker::databasePath() >diff --git a/Source/WebKit/Shared/API/Cocoa/_WKRemoteObjectRegistry.mm b/Source/WebKit/Shared/API/Cocoa/_WKRemoteObjectRegistry.mm >index f35d9308b36a708fef7ab7e99b1791233950bdaa..65da9eff01b43ea5710802f6c46a6d020265693e 100644 >--- a/Source/WebKit/Shared/API/Cocoa/_WKRemoteObjectRegistry.mm >+++ b/Source/WebKit/Shared/API/Cocoa/_WKRemoteObjectRegistry.mm >@@ -46,6 +46,7 @@ static const void* replyBlockKey = &replyBlockKey; > > @interface NSMethodSignature () > - (NSString *)_typeString; >+- (NSMethodSignature *)_signatureForBlockAtArgumentIndex:(NSInteger)idx; > @end > > NSString * const invocationKey = @"invocation"; 
>@@ -184,6 +185,28 @@ - (WebKit::RemoteObjectRegistry&)remoteObjectRegistry > return *_remoteObjectRegistry; > } > >+static bool validateReplyBlockSignature(NSMethodSignature *wireBlockSignature, Protocol *protocol, SEL selector, NSUInteger blockIndex) >+{ >+ // Required, non-inherited method: >+ const char* methodTypeEncoding = _protocol_getMethodTypeEncoding(protocol, selector, true, true); >+ // @optional, non-inherited method: >+ if (!methodTypeEncoding) >+ methodTypeEncoding = _protocol_getMethodTypeEncoding(protocol, selector, false, true); >+ >+ ASSERT(methodTypeEncoding); >+ if (!methodTypeEncoding) >+ return false; >+ >+ NSMethodSignature *targetMethodSignature = [NSMethodSignature signatureWithObjCTypes:methodTypeEncoding]; >+ ASSERT(targetMethodSignature); >+ if (!targetMethodSignature) >+ return false; >+ NSMethodSignature *expectedBlockSignature = [targetMethodSignature _signatureForBlockAtArgumentIndex:blockIndex]; >+ ASSERT(expectedBlockSignature); >+ >+ return [wireBlockSignature isEqual:expectedBlockSignature]; >+} >+ > - (void)_invokeMethod:(const WebKit::RemoteObjectInvocation&)remoteObjectInvocation > { > auto& interfaceIdentifier = remoteObjectInvocation.interfaceIdentifier(); >@@ -218,9 +241,14 @@ - (void)_invokeMethod:(const WebKit::RemoteObjectInvocation&)remoteObjectInvocat > continue; > > // We found the block. >- // FIXME: Validate the signature. > NSMethodSignature *wireBlockSignature = [NSMethodSignature signatureWithObjCTypes:replyInfo->blockSignature.utf8().data()]; > >+ if (!validateReplyBlockSignature(wireBlockSignature, [interface protocol], invocation.selector, i)) { >+ NSLog(@"_invokeMethod: Failed to validate reply block signature: %@", wireBlockSignature._typeString); >+ ASSERT_NOT_REACHED(); >+ continue; >+ } >+ > RetainPtr<_WKRemoteObjectRegistry> remoteObjectRegistry = self; > uint64_t replyID = replyInfo->replyID; >
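Review bot: In the ChangeLog hunk, "for robustness" does not say what the validation protects against or what happens on a mismatch; since the code path skips the reply block and logs, state that here (e.g. "reject the invocation's reply block when the signature sent over the wire does not match the protocol's declared block type") so the entry documents the observable behaviour change.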
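Review bot: In the @@ -46,6 +46,7 @@ hunk, `_signatureForBlockAtArgumentIndex:` is added to the private `NSMethodSignature ()` category with no runtime availability check, so if the Foundation in use does not implement that selector the call in validateReplyBlockSignature raises an unrecognized-selector exception instead of failing validation; consider guarding the call with `respondsToSelector:` and returning false when the SPI is unavailable.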
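Review bot: In the @@ -184,6 +185,28 @@ hunk, validateReplyBlockSignature asserts `expectedBlockSignature` but, unlike the two checks above it, never returns when it is nil; add `if (!expectedBlockSignature) return false;` so the release-build path fails closed explicitly rather than relying on `[wireBlockSignature isEqual:nil]` returning NO. The same applies to `wireBlockSignature`, which the caller builds from the wire-supplied type string and passes in unchecked: a nil argument should be rejected up front instead of falling out of `isEqual:`.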
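Review bot: In the @@ -218,9 +241,14 @@ hunk, `ASSERT_NOT_REACHED()` fires on a condition that depends on `replyInfo->blockSignature`, which arrives from the peer process; a mismatched or malformed signature is reachable input rather than a violated invariant, so debug builds would crash on any bad message. Keep the `NSLog` and the rejection but drop the assert, and decide whether `continue` (skipping only this reply block while the rest of the invocation proceeds) is the right outcome, or whether an invocation whose reply block type does not match the protocol should be dropped as a whole.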