Bug 12081 - Crash in Windows cookie code if cookies change between calls
Summary: Crash in Windows cookie code if cookies change between calls
Status: RESOLVED WONTFIX
Alias: None
Product: WebKit
Classification: Unclassified
Component: Platform (show other bugs)
Version: 420+
Hardware: PC Windows XP
: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2007-01-02 13:25 PST by Brett Wilson (Google)
Modified: 2017-02-28 20:38 PST (History)
5 users (show)

See Also:

Attachments
Patch to CookieJarWin.cpp (1.93 KB, patch)
2007-01-02 13:31 PST, Brett Wilson (Google) 		no flags Details | Formatted Diff | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Brett Wilson (Google) 2007-01-02 13:25:39 PST 
in CookieJarWin.cpp, we call InternetGetCookie to get the length of the buffer, then call it again once a buffer of the correct size has been constructed. However, the cookies can change between these values if another process (or possibly some other cases, I'm not sure) changes the cookies for the page between these calls.

In particular, if the cookies are deleted, we will make a string of length -1, causing a crash. If more cookies are added, the returned cookies will be truncated.
Comment 1 Brett Wilson (Google) 2007-01-02 13:31:00 PST 
Created attachment 12172 [details]
Patch to CookieJarWin.cpp

This patch requests the cookies in a loop until the buffer is large enough to hold the cookies. As long as the length of the cookies doesn't grow monotonically, this  will terminate.
Comment 2 Brett Wilson (Google) 2007-01-21 11:32:37 PST 
This patch still causes crashes. InternetGetCookie is buggy and will write one past the end of the buffer on ERROR_INVALID_PARAMETER. At the top of the loop:
  count = cookieBuffer.size() - 1;
and at the bottom, we need:
  cookieBuffer.resize(count + 1);
to compensate.
Comment 3 Alexey Proskuryakov 2007-07-15 01:13:13 PDT 
Is this still a problem?
Comment 4 Brett Wilson (Google) 2007-08-02 08:53:53 PDT 
In Safari on Windows, this is not a problem. CookieJarWin.cpp is still in the tree, though, and it still has this bug, it just isn't used by anybody. Probably that file should just be deleted.
Comment 5 Adam Roben (:aroben) 2007-08-02 11:59:24 PDT 
(In reply to comment #4)
> In Safari on Windows, this is not a problem. CookieJarWin.cpp is still in the
> tree, though, and it still has this bug, it just isn't used by anybody.
> Probably that file should just be deleted.

A patch to delete that file (and others not currently being used) would be welcome. There's no point keeping unused files in trunk, and they can always be resurrected from an old revision if desired.
Comment 6 Brett Wilson (Google) 2007-12-20 11:22:15 PST 
It looks like this file is now used by the new Windows port. The buggy code is still there, though.
Comment 7 Adam Roben (:aroben) 2008-01-02 06:50:24 PST 
(In reply to comment #6)
> It looks like this file is now used by the new Windows port. The buggy code is
> still there, though.

...but it sounds like we haven't seen this to be a problem in practice with the CFNetwork cookies implementation. Would still be nice to fix sometime, but it's not urgent.
Comment 8 Basuke Suzuki 2017-02-28 15:01:48 PST 
Based on https://trac.webkit.org/changeset/176672 , this bug is no longer valid.