145596 2015-06-02 23:08:25 -0700 [EFL][GTK] Fix build error since r185137 2015-06-03 17:15:56 -0700 1 1 1 Unclassified WebKit New Bugs 528+ (Nightly build) Unspecified Unspecified RESOLVED FIXED https://bugs.webkit.org/show_bug.cgi?id=145608 P2 Normal --- 145283 1 hyungwook.lee gyuyoung.kim commit-queue d_russell esprehn+autocc gyuyoung.kim kangil.han mcatanzaro oldest_to_newest 1099078 0 hyungwook.lee 2015-06-02 23:08:25 -0700 r185137 used strlcpy() even though it is not standardized by POSIX. It caused build break on GTK and EFL port's debug build. To fix it, let's use strncpy() in Text.cpp. 1099079 1 254154 gyuyoung.kim 2015-06-02 23:10:25 -0700 Created attachment 254154 Patch 1099083 2 254154 commit-queue 2015-06-02 23:13:35 -0700 Comment on attachment 254154 Patch Rejecting attachment 254154 from commit-queue. hyungwook.lee@navercorp.com does not have committer permissions according to http://trac.webkit.org/browser/trunk/Tools/Scripts/webkitpy/common/config/contributors.json. - If you do not have committer rights please read http://webkit.org/coding/contributing.html for instructions on how to use bugzilla flags. - If you have committer rights please correct the error in Tools/Scripts/webkitpy/common/config/contributors.json by adding yourself to the file (no review needed). The commit-queue restarts itself every 2 hours. After restart the commit-queue will correctly respect your committer rights. 1099086 3 gyuyoung.kim 2015-06-02 23:17:44 -0700 I uploaded this patch instead of Hyungwook. 1099104 4 254154 gyuyoung.kim 2015-06-02 23:59:10 -0700 Comment on attachment 254154 Patch Clearing flags on attachment: 254154 Committed r185148: <http://trac.webkit.org/changeset/185148> 1099105 5 gyuyoung.kim 2015-06-02 23:59:17 -0700 All reviewed patches have been landed. Closing bug. 1099149 6 mcatanzaro 2015-06-03 08:05:59 -0700 I think this is a buffer overflow; it should be strncpy(buffer, result.toString().utf8().data(), length - 1) as it was prior to r185137. From strcpy(3): strlcpy() Some systems (the BSDs, Solaris, and others) provide the following function: size_t strlcpy(char *dest, const char *src, size_t size); This function is similar to strncpy(), but it copies at most size-1 bytes to dest, always adds a terminating null byte, and does not pad the target with (further) null bytes. This function fixes some of the problems of strcpy() and strncpy(), but the caller must still handle the possibility of data loss if size is too small. The return value of the function is the length of src, which allows truncation to be easily detected: if the return value is greater than or equal to size, trunca‐ tion occurred. If loss of data matters, the caller must either check the arguments before the call, or test the function return value. strlcpy() is not present in glibc and is not standardized by POSIX, but is available on Linux via the libbsd library. 1099176 7 mcatanzaro 2015-06-03 09:59:07 -0700 Let's use bug #145608 1099327 8 gyuyoung.kim 2015-06-03 17:15:56 -0700 (In reply to comment #6) > I think this is a buffer overflow; it should be strncpy(buffer, > result.toString().utf8().data(), length - 1) as it was prior to r185137. > > From strcpy(3): > > strlcpy() > Some systems (the BSDs, Solaris, and others) provide the > following > function: > > size_t strlcpy(char *dest, const char *src, size_t size); > > This function is similar to strncpy(), but it copies at most > size-1 > bytes to dest, always adds a terminating null byte, and does not > pad > the target with (further) null bytes. This function fixes some of > the > problems of strcpy() and strncpy(), but the caller must still > handle > the possibility of data loss if size is too small. The return value > of > the function is the length of src, which allows truncation to be > easily > detected: if the return value is greater than or equal to size, > trunca‐ > tion occurred. If loss of data matters, the caller must either > check > the arguments before the call, or test the function return > value. > strlcpy() is not present in glibc and is not standardized by POSIX, > but > is available on Linux via the libbsd library. Oh, thank you for your fix. 254154 2015-06-02 23:10:25 -0700 2015-06-02 23:59:10 -0700 Patch bug-145596-20150603151005.patch text/plain 1199 gyuyoung.kim U3VidmVyc2lvbiBSZXZpc2lvbjogMTg1MTM3CmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9D aGFuZ2VMb2cgYi9Tb3VyY2UvV2ViQ29yZS9DaGFuZ2VMb2cKaW5kZXggY2E0YWMzMWUyZDE2YWVi MGUxOGMwZDYwMzVlZWZjYTBhOTI3MTc1Zi4uMDJmMjAzY2I0MTNjMzMzOTk0MmRjMmQyMDJmYzNm OTBkNTE2YjE4ZSAxMDA2NDQKLS0tIGEvU291cmNlL1dlYkNvcmUvQ2hhbmdlTG9nCisrKyBiL1Nv dXJjZS9XZWJDb3JlL0NoYW5nZUxvZwpAQCAtMSwzICsxLDEzIEBACisyMDE1LTA2LTAyICBHeXV5 b3VuZyBLaW0gIDxneXV5b3VuZy5raW1Ad2Via2l0Lm9yZz4KKworICAgICAgICBbRUZMXVtHVEtd IEZpeCBidWlsZCBlcnJvciBzaW5jZSByMTg1MTM3CisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJr aXQub3JnL3Nob3dfYnVnLmNnaT9pZD0xNDU1OTYKKworICAgICAgICBVbnJldmlld2VkLCBmaXgg YnVpbGQgYnJlYWsgb24gRUZMIGFuZCBHVEsgcG9ydC4KKworICAgICAgICAqIGRvbS9UZXh0LmNw cDoKKyAgICAgICAgKFdlYkNvcmU6OlRleHQ6OmZvcm1hdEZvckRlYnVnZ2VyKTogVXNlIHN0cm5j cHkoKSBpbnN0ZWFkIG9mIHN0cmxjcHkoKS4KKwogMjAxNS0wNi0wMiAgRG91ZyBSdXNzZWxsICA8 ZF9ydXNzZWxsQGFwcGxlLmNvbT4KIAogICAgICAgICBBWDogZGVidWdnaW5nIGF0dHJpYnV0ZXMg Zm9yIHRleHQgbWFya2VycwpkaWZmIC0tZ2l0IGEvU291cmNlL1dlYkNvcmUvZG9tL1RleHQuY3Bw IGIvU291cmNlL1dlYkNvcmUvZG9tL1RleHQuY3BwCmluZGV4IDk3MGYxMmRjYWQwODRjZDM0N2Fi YWViNzhmNWZjZmFmYzQ0ZTNmMjkuLjIzNmY4OWQyYjFmYjQ2NmIwODI5MmE5MGYwMzRkODMxZjMz ZDc1MTkgMTAwNjQ0Ci0tLSBhL1NvdXJjZS9XZWJDb3JlL2RvbS9UZXh0LmNwcAorKysgYi9Tb3Vy Y2UvV2ViQ29yZS9kb20vVGV4dC5jcHAKQEAgLTIzNSw3ICsyMzUsNyBAQCB2b2lkIFRleHQ6OmZv cm1hdEZvckRlYnVnZ2VyKGNoYXIqIGJ1ZmZlciwgdW5zaWduZWQgbGVuZ3RoKSBjb25zdAogICAg ICAgICByZXN1bHQuYXBwZW5kKCciJyk7CiAgICAgfQogCi0gICAgc3RybGNweShidWZmZXIsIHJl c3VsdC50b1N0cmluZygpLnV0ZjgoKS5kYXRhKCksIGxlbmd0aCk7CisgICAgc3RybmNweShidWZm ZXIsIHJlc3VsdC50b1N0cmluZygpLnV0ZjgoKS5kYXRhKCksIGxlbmd0aCk7CiB9CiAjZW5kaWYK IAo=