Bug 209131 - Don't allocate a buffer with the decoded size without ensuring bufferIsLargeEnoughToContain(size)
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc.
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on: 209132 209133 209219 209270
Blocks:
Reported: 2020-03-15 23:23 PDT by Fujii Hironori
Modified: 2022-06-30 17:03 PDT

See Also:


Description Fujii Hironori 2020-03-15 23:23:34 PDT
Don't allocate a buffer with the decoded size without ensuring bufferIsLargeEnoughToContain(size)

(In reply to Darin Adler from bug #207324 comment #5)
> 
> I see the same mistake in:
> 
> 1) decodeCFData in CertificateInfo.h
> 2) AuthenticatorResponseData::decode where it also uses ArrayBuffer::create
> but should be using ArrayBuffer::tryCreate
> 3) SerializedScriptValue::decode
> 4) decodeSharedBuffer and decodeTypesAndData in WebCoreArgumentCoders.cpp
> 
> We need someone to fix all of those. May not be as easy to write tests for
> those.

Let's fix them.
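The allocate-before-check ordering listed above, beside the corrected ordering, as an added C++ example that is not WebKit's code: `Decoder`, `decodeDataBefore`, `decodeDataAfter` and `makeMessage` are hypothetical stand-ins for IPC::Decoder and the decoders named in the comment, and the `bytesReserved` out-parameter only reports how much each version allocated on behalf of the sender.

```cpp
#include <cstdint>
#include <cstring>
#include <optional>
#include <vector>

// Hypothetical stand-in for IPC::Decoder (not WebKit's class): a message plus a read cursor.
class Decoder {
public:
    explicit Decoder(const std::vector<uint8_t>& bytes) : m_buffer(bytes) { }
    // True only if `size` more bytes remain after the cursor; the subtraction cannot underflow.
    bool bufferIsLargeEnoughToContain(uint64_t size) const { return size <= m_buffer.size() - m_position; }
    // Copies `size` bytes out, refusing (and leaving `out` untouched) if they were never sent.
    bool decodeFixedLengthData(void* out, size_t size) {
        if (!bufferIsLargeEnoughToContain(size)) return false;
        std::memcpy(out, m_buffer.data() + m_position, size);
        m_position += size;
        return true;
    }
private:
    std::vector<uint8_t> m_buffer;
    size_t m_position { 0 };
};

// Before (the mistake the bug tracks): the sender-chosen length is allocated before the copy finds the bytes missing.
std::optional<std::vector<uint8_t>> decodeDataBefore(Decoder& decoder, uint64_t& bytesReserved) {
    uint64_t size = 0;
    if (!decoder.decodeFixedLengthData(&size, sizeof(size))) return std::nullopt;
    std::vector<uint8_t> data(size); // memory committed on the strength of an untrusted field
    bytesReserved = data.size();
    if (!decoder.decodeFixedLengthData(data.data(), size)) return std::nullopt; // too late
    return data;
}

// After: a length the message cannot possibly contain is rejected before anything is allocated.
std::optional<std::vector<uint8_t>> decodeDataAfter(Decoder& decoder, uint64_t& bytesReserved) {
    uint64_t size = 0;
    if (!decoder.decodeFixedLengthData(&size, sizeof(size))) return std::nullopt;
    if (!decoder.bufferIsLargeEnoughToContain(size)) return std::nullopt; // cheap comparison, no allocation
    std::vector<uint8_t> data(size);
    bytesReserved = data.size();
    if (!decoder.decodeFixedLengthData(data.data(), size)) return std::nullopt;
    return data;
}

// Constructed sample message: 8-byte host-endian length prefix followed by the payload bytes.
std::vector<uint8_t> makeMessage(uint64_t claimedSize, const std::vector<uint8_t>& payload) {
    std::vector<uint8_t> bytes(sizeof(claimedSize));
    std::memcpy(bytes.data(), &claimedSize, sizeof(claimedSize));
    bytes.insert(bytes.end(), payload.begin(), payload.end());
    return bytes;
}
```

WebKit's fix for the ArrayBuffer case additionally switches to the fallible `ArrayBuffer::tryCreate`, so that a large but genuinely present payload fails the decode instead of crashing the process on allocation failure.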
Comment 1 Brent Fulgham 2022-06-30 17:03:17 PDT
All subtasks are complete. Closing!