From 114407780ae6018ba20d20a4d908c24e02323dab Mon Sep 17 00:00:00 2001 From: Chirag M Shah Date: Fri, 16 Dec 2022 11:18:20 -0800 Subject: [PATCH] Guard against overflow when growing the buffer rdar://problem/103000322 Reviewed by Jonathan Bedard and Chris Dumez. * Source/WebKit/UIProcess/mac/LegacySessionStateCoding.cpp: (WebKit::HistoryEntryDataEncoder::grow): (WebKit::HistoryEntryDataEncoder::growCapacity): Canonical link: https://commits.webkit.org/252432.954@safari-7614-branch
---
.../UIProcess/mac/LegacySessionStateCoding.cpp | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-)
diff --git a/Source/WebKit/UIProcess/mac/LegacySessionStateCoding.cpp b/Source/WebKit/UIProcess/mac/LegacySessionStateCoding.cpp
index d468e1139b25..fc05536db8ac 100644
--- a/Source/WebKit/UIProcess/mac/LegacySessionStateCoding.cpp
+++ b/Source/WebKit/UIProcess/mac/LegacySessionStateCoding.cpp
@@ -29,6 +29,7 @@
 #include "APIData.h"
 #include "SessionState.h"
 #include
+#include
 #include
 #include
 #include
@@ -224,11 +225,14 @@ class HistoryEntryDataEncoder {
 {
 size_t alignedSize = ((m_bufferSize + alignment - 1) / alignment) * alignment;
- growCapacity(alignedSize + size);
+ Checked bufferSize = size;
+ bufferSize += alignedSize;
+
+ growCapacity(bufferSize.value());
 std::memset(m_buffer.get() + m_bufferSize, 0, alignedSize - m_bufferSize);
- m_bufferSize = alignedSize + size;
+ m_bufferSize = bufferSize.value();
 m_bufferPointer = m_buffer.get() + m_bufferSize;
 return m_buffer.get() + alignedSize;
@@ -239,12 +243,12 @@ class HistoryEntryDataEncoder {
 if (newSize <= m_bufferCapacity)
 return;
- size_t newCapacity = m_bufferCapacity * 2;
+ Checked newCapacity = m_bufferCapacity;
 while (newCapacity < newSize)
- newCapacity *= 2;
+ newCapacity *= 2U;
- m_buffer.realloc(newCapacity);
- m_bufferCapacity = newCapacity;
+ m_buffer.realloc(newCapacity.value());
+ m_bufferCapacity = newCapacity.value();
 }
 size_t m_bufferSize;
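Review bot: The overflow guard in grow() starts one step late: `alignedSize` on the first context line of the hunk is still computed with plain size_t arithmetic (`m_bufferSize + alignment - 1`), and only the subsequent addition of `size` goes through Checked. That rounding is presumably safe because m_bufferSize never exceeds m_bufferCapacity, which was successfully allocated, but the hunk does not state that, and the later `std::memset(..., alignedSize - m_bufferSize)` relies on the same bound. I would record the invariant where bufferSize is introduced, e.g. `// alignedSize cannot wrap: m_bufferSize <= m_bufferCapacity, an allocated size. Only the caller-supplied size term needs the Checked guard.` The rendered hunk shows `Checked bufferSize` and the new `#include` without their angle-bracketed arguments, which looks like markup stripping on this page rather than the patch itself. grow()'s signature lies above the hunk.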
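Review bot: The doubling loop in growCapacity() still never terminates when m_bufferCapacity is 0, because `newCapacity *= 2U` keeps a zero Checked value at zero and `newCapacity < newSize` stays true; the removed `m_bufferCapacity * 2` had the same property, so correctness hinges on the constructor (outside the hunk) always starting from a non-zero capacity. A one-line `ASSERT(m_bufferCapacity);` before the loop, or a comment naming that precondition, would make the dependency visible to the next maintainer. It is also worth a comment that an overflow here is now a deliberate hard failure rather than a silent wrap, e.g. `// Checked traps on overflow, so an oversized request cannot wrap into an undersized realloc.` (assuming the default overflow handler of this Checked type crashes, as WTF's does). growCapacity()'s signature lies above the hunk.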