[WK2] Make sure encodeClientTypesAndData() / decodeClientTypesAndData() match exactly
author: cdumez@apple.com <cdumez@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sun, 25 Jun 2017 00:07:17 +0000 (00:07 +0000)
committer: cdumez@apple.com <cdumez@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sun, 25 Jun 2017 00:07:17 +0000 (00:07 +0000)
https://bugs.webkit.org/show_bug.cgi?id=173813

Reviewed by Ryosuke Niwa.

Make sure encodeClientTypesAndData() / decodeClientTypesAndData() match exactly. The previous
IPC encoder code would assume the types and data vectors have the same length. It would first encode
the length of data using |data.size()| but then would encode types.size() values from the
data vector. While there are debug assertions to ensure both vectors have the same size, this
seems unnecessarily fragile in release builds. If both vectors happen to have different sizes,
this will lead to weird IPC bugs.

* Shared/WebCoreArgumentCoders.cpp:
(IPC::encodeClientTypesAndData):
(IPC::decodeClientTypesAndData):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@218791 268f45cc-cd09-0410-ab3c-d52691b4dbfc
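The count/loop-bound mismatch the commit message describes, and the release-build check it argues for, as an added C++ example that is not WebKit's code: a toy Encoder/Decoder pair (assumed names, not the IPC classes) writes a types list and a data list in both the old and the patched encoder shape, a decoder in the pre-patch shape (trusting the count, ignoring buffer failures) shows the silent payload loss, and a hardened decoder rejects a size mismatch in every build and refuses a crafted oversize count before allocating anything. kMaxEntries, decodeLenient, decodeHardened and the sample inputs are this example's own.

```cpp
// Added example, not WebKit's code: a minimal stand-in for the patch's IPC Encoder/Decoder pattern.
// Names (Encoder, Decoder, kMaxEntries, decodeLenient, decodeHardened) are this example's own.
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>
using Bytes = std::vector<uint8_t>;

struct Encoder { // little-endian, length-prefixed wire format: just enough to show the hazard
    Bytes bytes;
    void putU64(uint64_t v) { for (int i = 0; i < 8; ++i) bytes.push_back(uint8_t(v >> (8 * i))); }
    void putBlob(const Bytes& b) { putU64(b.size()); bytes.insert(bytes.end(), b.begin(), b.end()); }
    void putString(const std::string& s) { putBlob(Bytes(s.begin(), s.end())); }
};

struct Decoder {
    const Bytes& bytes; size_t pos = 0;
    explicit Decoder(const Bytes& b) : bytes(b) {}
    bool getU64(uint64_t& v) {
        if (bytes.size() - pos < 8) return false;
        v = 0; for (int i = 0; i < 8; ++i) v |= uint64_t(bytes[pos++]) << (8 * i);
        return true;
    }
    bool getBlob(Bytes& b) { // the declared length must fit in what is left of the message
        uint64_t n;
        if (!getU64(n) || n > bytes.size() - pos) return false;
        b.assign(bytes.begin() + pos, bytes.begin() + pos + static_cast<size_t>(n));
        pos += static_cast<size_t>(n);
        return true;
    }
    bool getString(std::string& s) { Bytes b; if (!getBlob(b)) return false; s.assign(b.begin(), b.end()); return true; }
};

// prePatch=true: count from data.size() but loop bound from types.size() (old); false: both from data (patched).
Bytes encode(const std::vector<std::string>& types, const std::vector<Bytes>& data, bool prePatch) {
    Encoder e;
    e.putU64(types.size());
    for (auto& t : types) e.putString(t);
    e.putU64(data.size());
    size_t n = prePatch ? types.size() : data.size(); // the old form is only valid while types.size() <= data.size()
    for (size_t i = 0; i < n; ++i) e.putBlob(data[i]);
    return e.bytes;
}

constexpr uint64_t kMaxEntries = 1024; // assumed cap on list length for this example
static bool decodeTypes(Decoder& d, std::vector<std::string>& types) {
    uint64_t n;
    if (!d.getU64(n) || n > kMaxEntries) return false;
    types.resize(static_cast<size_t>(n));
    for (auto& t : types) if (!d.getString(t)) return false;
    return true;
}

// Pre-patch shape: trusts dataSize, drops per-buffer failures, and reports success anyway.
bool decodeLenient(Decoder& d, std::vector<std::string>& types, std::vector<Bytes>& data) {
    uint64_t dataSize;
    if (!decodeTypes(d, types) || !d.getU64(dataSize)) return false;
    if (dataSize) data.resize(static_cast<size_t>(dataSize)); // sender-chosen allocation
    for (auto& b : data) (void)d.getBlob(b); // a failure leaves b empty and is never reported
    return true;
}

// Hardened shape: sizes must match in every build (bounding the allocation by the bounded types list) and failures propagate.
bool decodeHardened(Decoder& d, std::vector<std::string>& types, std::vector<Bytes>& data) {
    uint64_t dataSize;
    if (!decodeTypes(d, types) || !d.getU64(dataSize) || dataSize != types.size()) return false;
    data.resize(static_cast<size_t>(dataSize));
    for (auto& b : data) if (!d.getBlob(b)) return false;
    return true;
}

static void makeInput(size_t nTypes, size_t nData, std::vector<std::string>& types, std::vector<Bytes>& data) {
    for (size_t i = 0; i < nTypes; ++i) types.push_back("text/plain-" + std::to_string(i)); // constructed sample
    for (size_t i = 0; i < nData; ++i) data.push_back(Bytes(4 + i, uint8_t('a' + i)));
}

// Old encoder + old decoder on a mismatched input: reports success yet silently loses payloads.
size_t lostBuffersOldPath(size_t nTypes, size_t nData) {
    std::vector<std::string> types, outTypes; std::vector<Bytes> data, outData;
    makeInput(nTypes, nData, types, data);
    Bytes wire = encode(types, data, true); Decoder d(wire);
    if (!decodeLenient(d, outTypes, outData)) return 0;
    size_t lost = 0; for (auto& b : outData) if (b.empty()) ++lost;
    return lost;
}

// Patched encoder + hardened decoder: true only for a faithful round trip.
bool roundTripHardened(size_t nTypes, size_t nData) {
    std::vector<std::string> types, outTypes; std::vector<Bytes> data, outData;
    makeInput(nTypes, nData, types, data);
    Bytes wire = encode(types, data, false); Decoder d(wire);
    return decodeHardened(d, outTypes, outData) && outTypes == types && outData == data;
}

bool hardenedRejectsOversizedCount() { // crafted header: zero types, then a count of 2^40, rejected before any allocation
    Encoder e; e.putU64(0); e.putU64(uint64_t(1) << 40);
    Decoder d(e.bytes); std::vector<std::string> t; std::vector<Bytes> b;
    return !decodeHardened(d, t, b);
}
```

With one type name and two payloads, the old path reports success while one payload arrives empty, which is the kind of silent inconsistency the commit message calls a weird IPC bug; the hardened decoder instead refuses the message, and it refuses the crafted 2^40 count without ever calling resize because the comparison against the already-bounded types list happens first.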

Source/WebKit2/ChangeLog
Source/WebKit2/Shared/WebCoreArgumentCoders.cpp

index 503b0c6..f96be9c 100644 (file)
@@ -1,3 +1,21 @@
+2017-06-24  Chris Dumez  <cdumez@apple.com>
+
+        [WK2] Make sure encodeClientTypesAndData() / decodeClientTypesAndData() match exactly
+        https://bugs.webkit.org/show_bug.cgi?id=173813
+
+        Reviewed by Ryosuke Niwa.
+
+        Make sure encodeClientTypesAndData() / decodeClientTypesAndData() match exactly. The previous
+        IPC encoder code would assume types and data vector have the same length. It would first encode
+        the length of data using |data.size()| but then would encode types.size() values from the
+        data vector. While there are debug assertions to ensure both vectors have the same size, this
+        seems unnecessarily fragile in release builds. If both vectors happen to have different sizes,
+        this will lead to weird IPC bugs.
+
+        * Shared/WebCoreArgumentCoders.cpp:
+        (IPC::encodeClientTypesAndData):
+        (IPC::decodeClientTypesAndData):
+
 2017-06-24  Michael Catanzaro  <mcatanzaro@igalia.com>
 
         [GTK] Introspection: webkit_web_view_new_with_related_view needs to be marked as a constructor
index 9be4976..08dba10 100644 (file)
@@ -1430,8 +1430,8 @@ static void encodeClientTypesAndData(Encoder& encoder, const Vector<String>& typ
     ASSERT(types.size() == data.size());
     encoder << types;
     encoder << static_cast<uint64_t>(data.size());
-    for (size_t i = 0, size = types.size(); i < size; ++i)
-        encodeSharedBuffer(encoder, data[i].get());
+    for (auto& buffer : data)
+        encodeSharedBuffer(encoder, buffer.get());
 }
 
 static bool decodeClientTypesAndData(Decoder& decoder, Vector<String>& types, Vector<RefPtr<SharedBuffer>>& data)
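Review bot: with the loop now driven by `data`, the encoded count (`data.size()`) and the encoded buffers always agree, which is the right fix; the remaining assumption that `types.size() == data.size()` is still enforced only by the `ASSERT` at the top of the hunk, so a release-build caller that passes mismatched vectors still produces a message whose types and buffers do not line up, and nothing on the sending side reports it. Consider a hard check on the two sizes before encoding (bail out or at least log when they differ) so the sender fails loudly instead of shipping a message the receiver has to detect.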
@@ -1439,15 +1439,15 @@ static bool decodeClientTypesAndData(Decoder& decoder, Vector<String>& types, Ve
     if (!decoder.decode(types))
         return false;
 
-    uint64_t clientDataSize;
-    if (!decoder.decode(clientDataSize))
+    uint64_t dataSize;
+    if (!decoder.decode(dataSize))
         return false;
 
-    if (clientDataSize)
-        data.resize(clientDataSize);
+    ASSERT(dataSize == types.size());
 
-    for (size_t i = 0; i < clientDataSize; i++)
-        decodeSharedBuffer(decoder, data[i]);
+    data.resize(dataSize);
+    for (auto& buffer : data)
+        decodeSharedBuffer(decoder, buffer);
 
     return true;
 }
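Review bot: `ASSERT(dataSize == types.size())` compiles to nothing in release builds, which is exactly the configuration the ChangeLog calls fragile, and `dataSize` is a value chosen by the sending process, so `data.resize(dataSize)` allocates a sender-controlled number of entries before any payload has been checked. Replacing the assertion with `if (dataSize != types.size()) return false;` rejects a mismatched message in every build and bounds the allocation by the already-decoded `types` vector. Separately, the return value of `decodeSharedBuffer(decoder, buffer)` is still discarded, as it was before the patch; if it signals failure, this function returns `true` with a null entry in `data`, so `if (!decodeSharedBuffer(decoder, buffer)) return false;` would be the consistent companion to the early returns above it.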