[GPU Process] Refactor some logic in StreamConnectionBuffer::decode()

https://bugs.webkit.org/show_bug.cgi?id=246219 rdar://84550136 Reviewed by Kimmo Kinnunen. Refactor some bounds checking around `StreamConnectionBuffer`. No change in behavior. * Source/WebKit/Platform/IPC/StreamConnectionBuffer.cpp: (IPC::StreamConnectionBuffer::StreamConnectionBuffer): (IPC::StreamConnectionBuffer::decode): * Source/WebKit/Platform/IPC/StreamConnectionBuffer.h: (IPC::StreamConnectionBuffer::sharedMemorySizeIsValid): Canonical link: https://commits.webkit.org/255286@main
WebKit · Oct 7, 2022 · 1b24ccb · 1b24ccb
1 parent 1838474
commit 1b24ccb
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 7 deletions.
diff --git a/Source/WebKit/Platform/IPC/StreamConnectionBuffer.cpp b/Source/WebKit/Platform/IPC/StreamConnectionBuffer.cpp
@@ -43,16 +43,14 @@ StreamConnectionBuffer::StreamConnectionBuffer(size_t memorySize)
     : m_dataSize(memorySize - headerSize())
     , m_sharedMemory(createMemory(memorySize))
 {
-    ASSERT(m_dataSize > 0);
-    ASSERT(m_dataSize <= maximumSize());
+    RELEASE_ASSERT_WITH_SECURITY_IMPLICATION(sharedMemorySizeIsValid(m_sharedMemory->size()));
 }
 
 StreamConnectionBuffer::StreamConnectionBuffer(Ref<WebKit::SharedMemory>&& memory)
     : m_dataSize(memory->size() - headerSize())
     , m_sharedMemory(WTFMove(memory))
 {
-    ASSERT(m_dataSize > 0);
-    ASSERT(m_dataSize <= maximumSize());
+    ASSERT(sharedMemorySizeIsValid(m_sharedMemory->size()));
 }
 
 StreamConnectionBuffer::StreamConnectionBuffer(StreamConnectionBuffer&& other) = default;
@@ -81,9 +79,7 @@ std::optional<StreamConnectionBuffer> StreamConnectionBuffer::decode(Decoder& de
     auto handle = decoder.decode<WebKit::SharedMemory::Handle>();
     if (UNLIKELY(!decoder.isValid()))
         return std::nullopt;
-    if (UNLIKELY(handle->size() <= headerSize()))
-        return std::nullopt;
-    if (UNLIKELY(handle->size() > headerSize() + maximumSize()))
+    if (UNLIKELY(!sharedMemorySizeIsValid(handle->size())))
         return std::nullopt;
     auto sharedMemory = WebKit::SharedMemory::map(*handle, WebKit::SharedMemory::Protection::ReadWrite);
     if (UNLIKELY(!sharedMemory))

diff --git a/Source/WebKit/Platform/IPC/StreamConnectionBuffer.h b/Source/WebKit/Platform/IPC/StreamConnectionBuffer.h
@@ -131,6 +131,8 @@ class StreamConnectionBuffer {
     Header& header() const { return *reinterpret_cast<Header*>(m_sharedMemory->data()); }
     static constexpr size_t headerSize() { return roundUpToMultipleOf<alignof(std::max_align_t)>(sizeof(Header)); }
 
+    static constexpr bool sharedMemorySizeIsValid(size_t size) { return headerSize() < size && size <= headerSize() + maximumSize(); }
+
     size_t m_dataSize { 0 };
     Ref<WebKit::SharedMemory> m_sharedMemory;
 };