diff options
author | Liang Qi <liang.qi@qt.io> | 2017-07-04 15:29:25 +0200 |
---|---|---|
committer | Liang Qi <liang.qi@qt.io> | 2017-07-04 15:30:15 +0200 |
commit | db2ecc45564609f940ff564e777f76a1a4b734d4 (patch) | |
tree | d4756dffb486a2a1c64f13402bafd0327b7ddbb3 /Source/WebKit2/Platform/IPC/unix/ConnectionUnix.cpp | |
parent | 8231f9776c2e4028937411bd2a0886aa72c97831 (diff) | |
parent | d10511e0a3f655ab2b1dfebfd9c17ade151a7cfe (diff) |
Merge remote-tracking branch 'origin/5.212' into dev
Change-Id: I006cd9023fadc5407bbaa2ddfda45cb8e88b548b
Diffstat (limited to 'Source/WebKit2/Platform/IPC/unix/ConnectionUnix.cpp')
-rw-r--r-- | Source/WebKit2/Platform/IPC/unix/ConnectionUnix.cpp | 11 |
1 files changed, 10 insertions, 1 deletions
diff --git a/Source/WebKit2/Platform/IPC/unix/ConnectionUnix.cpp b/Source/WebKit2/Platform/IPC/unix/ConnectionUnix.cpp index 18d02cdd9..3902003f9 100644 --- a/Source/WebKit2/Platform/IPC/unix/ConnectionUnix.cpp +++ b/Source/WebKit2/Platform/IPC/unix/ConnectionUnix.cpp @@ -199,6 +199,11 @@ bool Connection::processMessage() memcpy(&messageInfo, messageData, sizeof(messageInfo)); messageData += sizeof(messageInfo); + if (messageInfo.attachmentCount() > attachmentMaxAmount || (!messageInfo.isMessageBodyIsOutOfLine() && messageInfo.bodySize() > messageMaxSize)) { + ASSERT_NOT_REACHED(); + return false; + } + size_t messageLength = sizeof(MessageInfo) + messageInfo.attachmentCount() * sizeof(AttachmentInfo) + (messageInfo.isMessageBodyIsOutOfLine() ? 0 : messageInfo.bodySize()); if (m_readBuffer.size() < messageLength) return false; @@ -256,7 +261,7 @@ bool Connection::processMessage() if (messageInfo.isMessageBodyIsOutOfLine()) { ASSERT(messageInfo.bodySize()); - if (attachmentInfo[attachmentCount].isNull()) { + if (attachmentInfo[attachmentCount].isNull() || attachmentInfo[attachmentCount].getSize() != messageInfo.bodySize()) { ASSERT_NOT_REACHED(); return false; } @@ -334,6 +339,10 @@ static ssize_t readBytesFromSocket(int socketDescriptor, Vector<uint8_t>& buffer struct cmsghdr* controlMessage; for (controlMessage = CMSG_FIRSTHDR(&message); controlMessage; controlMessage = CMSG_NXTHDR(&message, controlMessage)) { if (controlMessage->cmsg_level == SOL_SOCKET && controlMessage->cmsg_type == SCM_RIGHTS) { + if (controlMessage->cmsg_len < CMSG_LEN(0) || controlMessage->cmsg_len > attachmentMaxAmount) { + ASSERT_NOT_REACHED(); + break; + } size_t previousFileDescriptorsSize = fileDescriptors.size(); size_t fileDescriptorsCount = (controlMessage->cmsg_len - CMSG_LEN(0)) / sizeof(int); fileDescriptors.grow(fileDescriptors.size() + fileDescriptorsCount); |