LibIPC: Break from message parsing if whole message payload is not ready

Fixes the bug when we try to read message payload without checking if we received enough bytes or file descriptors.
Author: https://github.com/kalenikaliaksandr Commit: ac643aa392 Pull-request: https://github.com/LadybirdBrowser/ladybird/pull/4271
2025-06-10 10:01:13 +09:00 · 2025-04-07 18:22:04 +02:00 · 2025-04-07 18:22:04 +02:00 · ac643aa392 · 2025-04-07 18:26:57 +00:00
commit ac643aa392
parent 1d9e226206
2 changed files with 7 additions and 1 deletions
--- a/Libraries/LibIPC/TransportSocket.cpp
+++ b/Libraries/LibIPC/TransportSocket.cpp
@ -152,9 +152,13 @@ TransportSocket::ShouldShutdown TransportSocket::read_as_many_messages_as_possib
    }

    size_t index = 0;
-    while (index + sizeof(MessageHeader) < m_unprocessed_bytes.size()) {
+    while (index + sizeof(MessageHeader) <= m_unprocessed_bytes.size()) {
        MessageHeader header;
        memcpy(&header, m_unprocessed_bytes.data() + index, sizeof(MessageHeader));
+        if (header.size + sizeof(MessageHeader) > m_unprocessed_bytes.size() - index)
+            break;
+        if (header.fd_count > m_unprocessed_fds.size())
+            break;
        Message message;
        for (size_t i = 0; i < header.fd_count; ++i)
            message.fds.append(m_unprocessed_fds.dequeue());