Bug 209131

Summary: Don't allocate a buffer with the decoded size without ensuring bufferIsLargeEnoughToContain(size)
Product: WebKit
Reporter: Fujii Hironori <Hironori.Fujii>
Component: WebCore Misc.
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal
CC: bfulgham, darin
Priority: P2
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Bug Depends on: 209132, 209133, 209219, 209270
Bug Blocks:

Description Fujii Hironori 2020-03-15 23:23:34 PDT
Don't allocate a buffer with the decoded size without ensuring bufferIsLargeEnoughToContain(size)

(In reply to Darin Adler from bug #207324 comment #5)
> 
> I see the same mistake in:
> 
> 1) decodeCFData in CertificateInfo.h
> 2) AuthenticatorResponseData::decode where it also uses ArrayBuffer::create
> but should be using ArrayBuffer::tryCreate
> 3) SerializedScriptValue::decode
> 4) decodeSharedBuffer and decodeTypesAndData in WebCoreArgumentCoders.cpp
> 
> We need someone to fix all of those. May not be as easy to write tests for
> those.

Let's fix them.
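The mistake described in the quoted comment, as an added example that is not from this bug report or from WebKit's source: a minimal length-prefixed decoder with the unchecked pattern beside the fixed one. The `Decoder` class, `tryAllocate`, the `g_bytesAllocated` counter and the 8-byte-length-plus-payload message layout are assumptions made for illustration; `bufferIsLargeEnoughToContain` is named after the real WebKit check, and `tryAllocate` stands in for the `ArrayBuffer::tryCreate` that comment 0 says should be used.

```cpp
// Added example, not WebKit code. Decoder, tryAllocate, g_bytesAllocated and
// the message layout are illustrative assumptions.
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <new>
#include <optional>
#include <vector>

// Bytes each decoder hands to std::vector, so the difference between the two
// variants is observable without exhausting memory. Illustrative only.
static size_t g_bytesAllocated = 0;

class Decoder {
public:
    Decoder(const uint8_t* data, size_t length) : m_data(data), m_length(length) {}

    // Same contract as WebKit's check: true iff at least `size` undecoded
    // bytes remain. Takes the wire-sized integer so no truncating cast
    // happens before the comparison.
    bool bufferIsLargeEnoughToContain(uint64_t size) const {
        return size <= static_cast<uint64_t>(m_length - m_position);
    }

    std::optional<uint64_t> decodeUInt64() {
        if (!bufferIsLargeEnoughToContain(sizeof(uint64_t)))
            return std::nullopt;
        uint64_t value;
        std::memcpy(&value, m_data + m_position, sizeof value); // host order; in-process demo
        m_position += sizeof value;
        return value;
    }

    bool decodeFixedLengthData(uint8_t* out, size_t size) {
        if (!bufferIsLargeEnoughToContain(size))
            return false;
        std::memcpy(out, m_data + m_position, size);
        m_position += size;
        return true;
    }

private:
    const uint8_t* m_data;
    size_t m_length;
    size_t m_position = 0;
};

// Stand-in for ArrayBuffer::tryCreate: allocation failure is reported to the
// caller instead of terminating the process.
static std::optional<std::vector<uint8_t>> tryAllocate(size_t size) {
    try {
        std::vector<uint8_t> buffer(size);
        g_bytesAllocated += size;
        return buffer;
    } catch (const std::bad_alloc&) {
        return std::nullopt;
    }
}

// The mistake: the length is decoded and a buffer of that size is created
// before checking that the message can actually hold that many bytes, so an
// 8-byte header from the peer drives an arbitrarily large allocation.
static std::optional<std::vector<uint8_t>> decodeBufferUnchecked(Decoder& decoder) {
    auto size = decoder.decodeUInt64();
    if (!size)
        return std::nullopt;
    std::vector<uint8_t> buffer(static_cast<size_t>(*size)); // sized on the sender's say-so
    g_bytesAllocated += buffer.size();
    if (!decoder.decodeFixedLengthData(buffer.data(), buffer.size()))
        return std::nullopt; // the check arrives after the damage is done
    return buffer;
}

// The fix: bound the decoded size by the bytes present, then allocate
// fallibly so that even a legitimately large payload cannot crash.
static std::optional<std::vector<uint8_t>> decodeBufferChecked(Decoder& decoder) {
    auto size = decoder.decodeUInt64();
    if (!size || !decoder.bufferIsLargeEnoughToContain(*size))
        return std::nullopt;
    auto buffer = tryAllocate(static_cast<size_t>(*size)); // safe: *size <= remaining <= SIZE_MAX
    if (!buffer || !decoder.decodeFixedLengthData(buffer->data(), buffer->size()))
        return std::nullopt;
    return buffer;
}

// Constructed message: 8-byte length prefix followed by the payload. A hostile
// sender sets `claimedLength` larger than the payload it actually sends.
static std::vector<uint8_t> makeMessage(uint64_t claimedLength, const std::vector<uint8_t>& payload) {
    std::vector<uint8_t> message(sizeof claimedLength);
    std::memcpy(message.data(), &claimedLength, sizeof claimedLength);
    message.insert(message.end(), payload.begin(), payload.end());
    return message;
}

// Bytes the chosen decoder allocates for a message claiming `claimed` bytes
// but carrying only `payload`.
static size_t bytesAllocatedBy(bool checked, uint64_t claimed, const std::vector<uint8_t>& payload) {
    auto message = makeMessage(claimed, payload);
    Decoder decoder(message.data(), message.size());
    g_bytesAllocated = 0;
    if (checked)
        decodeBufferChecked(decoder);
    else
        decodeBufferUnchecked(decoder);
    return g_bytesAllocated;
}

// Round trip of a well-formed message through the fixed decoder.
static std::optional<std::vector<uint8_t>> decodeWellFormed(const std::vector<uint8_t>& payload) {
    auto message = makeMessage(payload.size(), payload);
    Decoder decoder(message.data(), message.size());
    return decodeBufferChecked(decoder);
}
```

With a message that claims 1 MiB but carries four bytes, the unchecked decoder allocates the full 1 MiB before its copy fails, while the checked one allocates nothing; raise the claimed length to 2^62 and the unchecked path either aborts on `bad_alloc` or, on an overcommitting system, reserves address space the sender never has to back. The order matters as much as the fallible allocation: `tryCreate` alone would still let a peer force a huge allocation, it would only make the failure non-fatal.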
Comment 1 Brent Fulgham 2022-06-30 17:03:17 PDT
All subtasks are complete. Closing!