145608 2015-06-03 09:58:54 -0700 Fix strncpy use in WebCore::Text::formatForDebugger 2019-02-06 09:03:58 -0800 1 1 1 Unclassified WebKit DOM 528+ (Nightly build) PC Linux RESOLVED FIXED https://bugs.webkit.org/show_bug.cgi?id=145596 https://bugs.webkit.org/show_bug.cgi?id=145283 P2 Major --- 1 mcatanzaro webkit-unassigned cdumez cfleizach commit-queue darin ddkilzer esprehn+autocc gyuyoung.kim kangil.han mcatanzaro oldest_to_newest 1099175 0 mcatanzaro 2015-06-03 09:58:54 -0700 r185137 replaced a call to strncpy with a call to strlcpy, which broke the build on Linux since strlcpy does not exist there. r185148 reverted this to use strncpy again, but got the size argument off by one, introducing a buffer overrun. 1099178 1 254184 mcatanzaro 2015-06-03 10:06:03 -0700 Created attachment 254184 Patch 1099285 2 254184 darin 2015-06-03 14:30:16 -0700 Comment on attachment 254184 Patch View in context: https://bugs.webkit.org/attachment.cgi?id=254184&action=review > Source/WebCore/dom/Text.cpp:238 > - strncpy(buffer, result.toString().utf8().data(), length); > + strncpy(buffer, result.toString().utf8().data(), length - 1); This helpful but not a complete fix. As explained in man pages the world over, using strncpy for this purpose requires: strncpy(buffer, input, length - 1); buffer[length - 1] = '\0'; We normally prefer strlcpy for that reason, but not sure if strlcpy is available on all the platforms we care about. 1099286 3 darin 2015-06-03 14:30:48 -0700 I see, we switched back from strlcpy to this. Please use strncpy the right way, then. 1099484 4 mcatanzaro 2015-06-04 08:15:29 -0700 (In reply to comment #2) > This helpful but not a complete fix. Thanks for catching this; I will land with that fixed. (In reply to comment #2) > We normally prefer strlcpy for that reason, but not sure if strlcpy is > available on all the platforms we care about. Here's an article about why strlcpy is not available on Linux: https://lwn.net/Articles/612244/ 1099488 5 254266 mcatanzaro 2015-06-04 09:14:25 -0700 Created attachment 254266 Patch 1099491 6 mcatanzaro 2015-06-04 09:20:11 -0700 Is it typical to assign issues like these to the security product? I will do so, as a precaution. 1099545 7 254266 commit-queue 2015-06-04 11:25:17 -0700 Comment on attachment 254266 Patch Rejecting attachment 254266 from commit-queue. Failed to run "['/Volumes/Data/EWS/WebKit/Tools/Scripts/webkit-patch', '--status-host=webkit-queues.appspot.com', '--bot-id=webkit-cq-02', 'apply-attachment', '--no-update', '--non-interactive', 254266, '--port=mac']" exit_code: 1 cwd: /Volumes/Data/EWS/WebKit Last 500 characters of output: nts_and_execute return self.execute(options, args, tool) or 0 File "/Volumes/Data/EWS/WebKit/Tools/Scripts/webkitpy/tool/commands/download.py", line 173, in execute bugs_to_patches = self._collect_patches_by_bug(patches) File "/Volumes/Data/EWS/WebKit/Tools/Scripts/webkitpy/tool/commands/download.py", line 165, in _collect_patches_by_bug bugs_to_patches[patch.bug_id()] = bugs_to_patches.get(patch.bug_id(), []) + [patch] AttributeError: 'NoneType' object has no attribute 'bug_id' Full output: http://webkit-queues.appspot.com/results/6374772183138304 1099557 8 mcatanzaro 2015-06-04 12:12:20 -0700 'webkit-patch land' is hanging for me, so I don't know how to land this. :) 1099972 9 darin 2015-06-05 14:46:13 -0700 Dave Kilzer, maybe you can help Michael get this patch landed? 1100197 10 mcatanzaro 2015-06-07 11:21:59 -0700 I also tried 'webkit-patch land-cowhand' which also hung. webkit-patch used to work for me. Due to time commitments on another project, I won't debug further. I don't mind much, as I normally just use the cq+ Bugzilla flag, but I guess that maybe doesn't work for security product bugs. 1100272 11 darin 2015-06-07 17:50:29 -0700 While it’s OK to treat this the way we treat some security bugs since it does involve a buffer overrun in theory, I don’t think it’s critical to have it inside the hidden component. 1100278 12 254266 commit-queue 2015-06-07 18:40:06 -0700 Comment on attachment 254266 Patch Clearing flags on attachment: 254266 Committed r185309: <http://trac.webkit.org/changeset/185309> 1100279 13 commit-queue 2015-06-07 18:40:09 -0700 All reviewed patches have been landed. Closing bug. 1503075 14 lforschler 2019-02-06 09:03:58 -0800 Mass moving XML DOM bugs to the "DOM" Component. 254184 2015-06-03 10:06:03 -0700 2015-06-04 09:14:19 -0700 Patch bug-145608-20150603120543.patch text/plain 1526 mcatanzaro U3VidmVyc2lvbiBSZXZpc2lvbjogMTg1MTUxCmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9D aGFuZ2VMb2cgYi9Tb3VyY2UvV2ViQ29yZS9DaGFuZ2VMb2cKaW5kZXggYzFlODUzM2ViNzA1MjIx NjkxMWJmMmU1YTJiMGFkODlmZmY0MDExYi4uMzA2ZGZmZjMzOTlkNjkxZTdlM2JlNmQ1ZTQyNjFh YWQxMThhNTUxNyAxMDA2NDQKLS0tIGEvU291cmNlL1dlYkNvcmUvQ2hhbmdlTG9nCisrKyBiL1Nv dXJjZS9XZWJDb3JlL0NoYW5nZUxvZwpAQCAtMSwzICsxLDE3IEBACisyMDE1LTA2LTAzICBNaWNo YWVsIENhdGFuemFybyAgPG1jYXRhbnphcm9AaWdhbGlhLmNvbT4KKworICAgICAgICBGaXggc3Ry bmNweSB1c2UgaW4gV2ViQ29yZTo6VGV4dDo6Zm9ybWF0Rm9yRGVidWdnZXIKKyAgICAgICAgaHR0 cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTE0NTYwOAorCisgICAgICAgIFJl dmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorCisgICAgICAgIHIxODUxMzcgcmVwbGFjZWQgYSBj YWxsIHRvIHN0cm5jcHkgd2l0aCBhIGNhbGwgdG8gc3RybGNweSwgd2hpY2ggYnJva2UgdGhlIGJ1 aWxkIG9uIExpbnV4CisgICAgICAgIHNpbmNlIHN0cmxjcHkgZG9lcyBub3QgZXhpc3QgdGhlcmUu IHIxODUxNDggcmV2ZXJ0ZWQgdGhpcyB0byB1c2Ugc3RybmNweSBhZ2FpbiwgYnV0IGdvdCB0aGUK KyAgICAgICAgc2l6ZSBhcmd1bWVudCBvZmYgYnkgb25lLCBpbnRyb2R1Y2luZyBhIGJ1ZmZlciBv dmVycnVuLgorCisgICAgICAgICogZG9tL1RleHQuY3BwOgorICAgICAgICAoV2ViQ29yZTo6VGV4 dDo6Zm9ybWF0Rm9yRGVidWdnZXIpOgorCiAyMDE1LTA2LTAzICBYYWJpZXIgUm9kcmlndWV6IENh bHZhciAgPGNhbHZhcmlzQGlnYWxpYS5jb20+IGFuZCBZb3Vlbm4gRmFibGV0IDx5b3Vlbm4uZmFi bGV0QGNyZi5jYW5vbi5mcj4KIAogICAgICAgICBbU3RyZWFtcyBBUEldIFJlYWRhYmxlU3RyZWFt UmVhZGVyOjpjbG9zZWQoKSBzaG91bGQgYmUgY2FsbGVkIG9uY2UgYnkgYmluZGluZyBjb2RlCmRp ZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9kb20vVGV4dC5jcHAgYi9Tb3VyY2UvV2ViQ29yZS9k b20vVGV4dC5jcHAKaW5kZXggMjM2Zjg5ZDJiMWZiNDY2YjA4MjkyYTkwZjAzNGQ4MzFmMzNkNzUx OS4uZDUyNzcxMzdjNTBlYTQyZjE2OWJiMzM2NjNmMDJlNjZjNDQ0MDZjNyAxMDA2NDQKLS0tIGEv U291cmNlL1dlYkNvcmUvZG9tL1RleHQuY3BwCisrKyBiL1NvdXJjZS9XZWJDb3JlL2RvbS9UZXh0 LmNwcApAQCAtMjM1LDcgKzIzNSw3IEBAIHZvaWQgVGV4dDo6Zm9ybWF0Rm9yRGVidWdnZXIoY2hh ciogYnVmZmVyLCB1bnNpZ25lZCBsZW5ndGgpIGNvbnN0CiAgICAgICAgIHJlc3VsdC5hcHBlbmQo JyInKTsKICAgICB9CiAKLSAgICBzdHJuY3B5KGJ1ZmZlciwgcmVzdWx0LnRvU3RyaW5nKCkudXRm OCgpLmRhdGEoKSwgbGVuZ3RoKTsKKyAgICBzdHJuY3B5KGJ1ZmZlciwgcmVzdWx0LnRvU3RyaW5n KCkudXRmOCgpLmRhdGEoKSwgbGVuZ3RoIC0gMSk7CiB9CiAjZW5kaWYKIAo= 254266 2015-06-04 09:14:25 -0700 2015-06-07 18:40:06 -0700 Patch bug-145608-20150604111403.patch text/plain 1643 mcatanzaro U3VidmVyc2lvbiBSZXZpc2lvbjogMTg1MTk5CmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9D aGFuZ2VMb2cgYi9Tb3VyY2UvV2ViQ29yZS9DaGFuZ2VMb2cKaW5kZXggNDgwOWFkNGQ4MTY0YjY3 ZjYyOTIzNTQwOGZkMjg0ZWRmYzQyOTU5NC4uNDI4ZGY3ZGQ0NGY2ZDM2MmM3YWFkMjczMTBjNmRl MDk5MzZjOTA0ZCAxMDA2NDQKLS0tIGEvU291cmNlL1dlYkNvcmUvQ2hhbmdlTG9nCisrKyBiL1Nv dXJjZS9XZWJDb3JlL0NoYW5nZUxvZwpAQCAtMSwzICsxLDE5IEBACisyMDE1LTA2LTA0ICBNaWNo YWVsIENhdGFuemFybyAgPG1jYXRhbnphcm9AaWdhbGlhLmNvbT4KKworICAgICAgICBGaXggc3Ry bmNweSB1c2UgaW4gV2ViQ29yZTo6VGV4dDo6Zm9ybWF0Rm9yRGVidWdnZXIKKyAgICAgICAgaHR0 cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTE0NTYwOAorCisgICAgICAgIFJl dmlld2VkIGJ5IERhcmluIEFkbGVyLgorCisgICAgICAgIHIxODUxMzcgcmVwbGFjZWQgYSBjYWxs IHRvIHN0cm5jcHkgd2l0aCBhIGNhbGwgdG8gc3RybGNweSwgd2hpY2ggYnJva2UgdGhlIGJ1aWxk IG9uIExpbnV4CisgICAgICAgIHNpbmNlIHN0cmxjcHkgZG9lcyBub3QgZXhpc3QgdGhlcmUuIHIx ODUxNDggcmV2ZXJ0ZWQgdGhpcyB0byB1c2Ugc3RybmNweSBhZ2FpbiwgYnV0IGdvdCB0aGUKKyAg ICAgICAgc2l6ZSBhcmd1bWVudCBvZmYgYnkgb25lLCAiaW50cm9kdWNpbmciIGEgYnVmZmVyIG92 ZXJydW4uIEJ1dCB0aGlzIGNvZGUgaGFzIGFsd2F5cyBiZWVuCisgICAgICAgIHdyb25nLCBzaW5j ZSBpdCB1c2VkIHN0cm5jcHkgd2l0aG91dCBlbnN1cmluZyB0aGF0IHRoZSBidWZmZXIgaXMgbnVs bC10ZXJtaW5hdGVkIGFmdGVyIHRoZQorICAgICAgICBjYWxsIHRvIHN0cm5jcHkuIEZpeCB0aGlz IGFzIHdlbGwuCisKKyAgICAgICAgKiBkb20vVGV4dC5jcHA6CisgICAgICAgIChXZWJDb3JlOjpU ZXh0Ojpmb3JtYXRGb3JEZWJ1Z2dlcik6CisKIDIwMTUtMDYtMDMgIENhcmxvcyBBbGJlcnRvIExv cGV6IFBlcmV6ICA8Y2xvcGV6QGlnYWxpYS5jb20+CiAKICAgICAgICAgW0dUS10gW1dheWxhbmRd IEJ1aWxkIGlzIGJyb2tlbiBvbiB0cnVuawpkaWZmIC0tZ2l0IGEvU291cmNlL1dlYkNvcmUvZG9t L1RleHQuY3BwIGIvU291cmNlL1dlYkNvcmUvZG9tL1RleHQuY3BwCmluZGV4IDIzNmY4OWQyYjFm YjQ2NmIwODI5MmE5MGYwMzRkODMxZjMzZDc1MTkuLjQzZDk2YjE4NzNlNWUxNzgxZjNjMzRlNzYx YzI0OTEzMjk3NjUxNWQgMTAwNjQ0Ci0tLSBhL1NvdXJjZS9XZWJDb3JlL2RvbS9UZXh0LmNwcAor KysgYi9Tb3VyY2UvV2ViQ29yZS9kb20vVGV4dC5jcHAKQEAgLTIzNSw3ICsyMzUsOCBAQCB2b2lk IFRleHQ6OmZvcm1hdEZvckRlYnVnZ2VyKGNoYXIqIGJ1ZmZlciwgdW5zaWduZWQgbGVuZ3RoKSBj b25zdAogICAgICAgICByZXN1bHQuYXBwZW5kKCciJyk7CiAgICAgfQogCi0gICAgc3RybmNweShi dWZmZXIsIHJlc3VsdC50b1N0cmluZygpLnV0ZjgoKS5kYXRhKCksIGxlbmd0aCk7CisgICAgc3Ry bmNweShidWZmZXIsIHJlc3VsdC50b1N0cmluZygpLnV0ZjgoKS5kYXRhKCksIGxlbmd0aCAtIDEp OworICAgIGJ1ZmZlcltsZW5ndGggLSAxXSA9ICdcMCc7CiB9CiAjZW5kaWYKIAo=