From cd1fcbe5856a440ffdb75f3436b822f9af6b9d3e Mon Sep 17 00:00:00 2001
From: Chris Dumez
Date: Wed, 18 Jan 2023 14:49:50 -0800
Subject: [PATCH] Cherry-pick 252432.1035@safari-7614-branch (b9851bb36465). https://bugs.webkit.org/show_bug.cgi?id=250722

IPC hardening for MediaConstraint subclasses
https://bugs.webkit.org/show_bug.cgi?id=250722
rdar://103012405

Reviewed by Jonathan Bedard and David Kilzer.

Make sure we validate the constraint type whenever we IPC-deserialize a MediaConstraint subclass.

* Source/WebCore/platform/mediastream/MediaConstraints.h:
(WebCore::NumericConstraint::decode):
(WebCore::StringConstraint::decode):

Canonical link: https://commits.webkit.org/252432.1035@safari-7614-branch
---
 .../WebCore/platform/mediastream/MediaConstraints.h | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/Source/WebCore/platform/mediastream/MediaConstraints.h b/Source/WebCore/platform/mediastream/MediaConstraints.h
index d98c7afab341..30a3027ed0d7 100644
--- a/Source/WebCore/platform/mediastream/MediaConstraints.h
+++ b/Source/WebCore/platform/mediastream/MediaConstraints.h
@@ -351,7 +351,14 @@ class NumericConstraint : public MediaConstraint {
 {
 if (!MediaConstraint::decode(decoder, constraint))
 return false;
-
+ static_assert(std::is_same_v || std::is_same_v);
+ if constexpr(std::is_same_v) {
+ if (!constraint.isInt())
+ return false;
+ } else if constexpr(std::is_same_v) {
+ if (!constraint.isDouble())
+ return false;
+ }
 if (!decoder.decode(constraint.m_min))
 return false;
 if (!decoder.decode(constraint.m_max))
@@ -525,6 +532,8 @@ class BooleanConstraint final : public MediaConstraint {
 {
 if (!MediaConstraint::decode(decoder, constraint))
 return false;
+ if (!constraint.isBoolean())
+ return false;
 if (!decoder.decode(constraint.m_exact))
 return false;
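Review bot: The `} else if constexpr(std::is_same_v<ValueType, double>) {` branch in NumericConstraint::decode re-tests what the `static_assert` immediately above already guarantees, so once ValueType is known to be int or double a plain `} else {` is sufficient and avoids a silently unvalidated path if the assert is ever relaxed to admit a third type; the surrounding code also writes `if constexpr (` with a space. The template arguments are missing from `std::is_same_v` as rendered here, which looks like an extraction artifact rather than the committed code. The added check rejects a wire type tag that disagrees with the subclass being constructed, but nothing in the hunk constrains the values decoded into m_min/m_max afterwards (for example NaN or min > max on the double instantiation), so any range validation has to happen in the consumer. A comment such as `// The type tag was read from the untrusted IPC stream; reject it if it does not match ValueType.` would record why the check belongs here. NumericConstraint::decode continues past the end of the hunk.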
@@ -611,6 +620,8 @@ class StringConstraint : public MediaConstraint {
 {
 if (!MediaConstraint::decode(decoder, constraint))
 return false;
+ if (!constraint.isString())
+ return false;
 if (!decoder.decode(constraint.m_exact))
 return false;