189462 2018-09-09 03:15:04 -0700 [GStreamer] use-after-free in MockVideoCaptureSource 2018-09-11 01:21:27 -0700 1 1 1 Unclassified WebKit Platform WebKit Nightly Build Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 1 pnormand pnormand calvaris ews-watchlist tsaunier webkit-bug-importer oldest_to_newest 1458015 0 pnormand 2018-09-09 03:15:04 -0700 With ASan enabled, run-webkit-tests --gtk --debug http/tests/media/media-stream/getusermedia-with-canvas.html I think the issue is that the wrapper gst buffer created takes full ownership of BGRA data Vector, so the next call to updateSampleBuffer() might lead to reading an invalid pointer. ==6262==ERROR: AddressSanitizer: heap-use-after-free on address 0x7fa9f4e78800 at pc 0x7faa92ca14ae bp 0x7fa9f3f0c0a0 sp 0x7fa9f3f0b850 READ of size 2560 at 0x7fa9f4e78800 thread T34 (multiqueue0:src) #0 0x7faa92ca14ad (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x3f4ad) #1 0x7faa69b35f55 in gst_video_scaler_2d /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gst-plugins-base-1.14.2/gst-libs/gst/video/video-scaler.c:1473 #2 0x7faa69b2b452 in convert_plane_hv_task /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gst-plugins-base-1.14.2/gst-libs/gst/video/video-converter.c:5712 #3 0x7faa69b13c50 in gst_parallelized_task_runner_run /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gst-plugins-base-1.14.2/gst-libs/gst/video/video-converter.c:298 #4 0x7faa69b2b8df in convert_plane_hv /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gst-plugins-base-1.14.2/gst-libs/gst/video/video-converter.c:5776 #5 0x7faa69b2b94c in convert_scale_planes /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gst-plugins-base-1.14.2/gst-libs/gst/video/video-converter.c:5789 #6 0x7faa69b1b4b6 in gst_video_converter_frame /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gst-plugins-base-1.14.2/gst-libs/gst/video/video-converter.c:2646 #7 0x7faa17aebe4c in gst_video_convert_transform_frame /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gst-plugins-base-1.14.2/gst/videoconvert/gstvideoconvert.c:714 #8 0x7faa69b37f9c in gst_video_filter_transform /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gst-plugins-base-1.14.2/gst-libs/gst/video/gstvideofilter.c:272 #9 0x7faa69e7b8c7 in default_generate_output /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/libs/gst/base/gstbasetransform.c:2132 #10 0x7faa69e7bf46 in gst_base_transform_chain /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/libs/gst/base/gstbasetransform.c:2285 #11 0x7faa69d50b49 in gst_pad_chain_data_unchecked /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/gst/gstpad.c:4320 #12 0x7faa69d517a6 in gst_pad_push_data /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/gst/gstpad.c:4576 #13 0x7faa69d51f0d in gst_pad_push /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/gst/gstpad.c:4695 #14 0x7faa69d31dea in gst_proxy_pad_chain_default /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/gst/gstghostpad.c:127 #15 0x7faa69d50b49 in gst_pad_chain_data_unchecked /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/gst/gstpad.c:4320 #16 0x7faa69d517a6 in gst_pad_push_data /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/gst/gstpad.c:4576 #17 0x7faa69d51f0d in gst_pad_push /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/gst/gstpad.c:4695 #18 0x7faa1704cb5a in gst_stream_synchronizer_sink_chain /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gst-plugins-base-1.14.2/gst/playback/gststreamsynchronizer.c:711 #19 0x7faa69d50b49 in gst_pad_chain_data_unchecked /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/gst/gstpad.c:4320 #20 0x7faa69d517a6 in gst_pad_push_data /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/gst/gstpad.c:4576 #21 0x7faa69d51f0d in gst_pad_push /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/gst/gstpad.c:4695 #22 0x7faa69d31dea in gst_proxy_pad_chain_default /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/gst/gstghostpad.c:127 #23 0x7faa69d50b49 in gst_pad_chain_data_unchecked /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/gst/gstpad.c:4320 #24 0x7faa69d517a6 in gst_pad_push_data /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/gst/gstpad.c:4576 #25 0x7faa69d51f0d in gst_pad_push /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/gst/gstpad.c:4695 #26 0x7faa17a73723 in gst_concat_sink_chain /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/plugins/elements/gstconcat.c:454 #27 0x7faa69d50b49 in gst_pad_chain_data_unchecked /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/gst/gstpad.c:4320 #28 0x7faa69d517a6 in gst_pad_push_data /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/gst/gstpad.c:4576 #29 0x7faa69d51f0d in gst_pad_push /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/gst/gstpad.c:4695 #30 0x7faa69d31dea in gst_proxy_pad_chain_default /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/gst/gstghostpad.c:127 #31 0x7faa69d50b49 in gst_pad_chain_data_unchecked /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/gst/gstpad.c:4320 #32 0x7faa69d517a6 in gst_pad_push_data /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/gst/gstpad.c:4576 #33 0x7faa69d51f0d in gst_pad_push /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/gst/gstpad.c:4695 #34 0x7faa69d31dea in gst_proxy_pad_chain_default /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/gst/gstghostpad.c:127 #35 0x7faa69d50b49 in gst_pad_chain_data_unchecked /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/gst/gstpad.c:4320 #36 0x7faa69d517a6 in gst_pad_push_data /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/gst/gstpad.c:4576 #37 0x7faa69d51f0d in gst_pad_push /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/gst/gstpad.c:4695 #38 0x7faa17a980a7 in gst_single_queue_push_one /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/plugins/elements/gstmultiqueue.c:1643 #39 0x7faa17a99acd in gst_multi_queue_loop /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/plugins/elements/gstmultiqueue.c:1963 #40 0x7faa69d8cf47 in gst_task_func /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/gst/gsttask.c:332 #41 0x7faa69d8e10f in default_func /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/gst/gsttaskpool.c:69 #42 0x7faa68e36932 in g_thread_pool_thread_proxy /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/glib-2.54.2/glib/gthreadpool.c:307 #43 0x7faa68e35fd4 in g_thread_proxy /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/glib-2.54.2/glib/gthread.c:784 #44 0x7faa92c48f29 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7f29) #45 0x7faa6726cede in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xf7ede) 0x7fa9f4e78800 is located 0 bytes inside of 1228800-byte region [0x7fa9f4e78800,0x7fa9f4fa4800) freed by thread T0 here: #0 0x7faa92d4ab50 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe8b50) #1 0x7faa71c5d9f5 in bmalloc::DebugHeap::free(void*) (/home/phil/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18+0x57e89f5) #2 0x7faa71c5cf7d in bmalloc::Deallocator::deallocateSlowCase(void*) (/home/phil/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18+0x57e7f7d) #3 0x7faa84474552 in bmalloc::Deallocator::deallocate(void*) (/home/phil/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0xfbb2552) #4 0x7faa84474700 in bmalloc::Cache::deallocate(bmalloc::HeapKind, void*) (/home/phil/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0xfbb2700) #5 0x7faa844747be in bmalloc::api::free(void*, bmalloc::HeapKind) (/home/phil/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0xfbb27be) #6 0x7faa71b42f88 in WTF::fastFree(void*) (/home/phil/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18+0x56cdf88) #7 0x7faa8098a16b in WTF::FastMalloc::free(void*) (/home/phil/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0xc0c816b) #8 0x7faa81d3fefb in WTF::MallocPtr<unsigned char, WTF::FastMalloc>::~MallocPtr() (/home/phil/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0xd47defb) #9 0x7faa874d81a8 in WebCore::WrappedMockRealtimeVideoSource::updateSampleBuffer() (/home/phil/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0x12c161a8) #10 0x7faa85ecfa2c in WebCore::MockRealtimeVideoSource::generateFrame() (/home/phil/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0x1160da2c) #11 0x7faa85ee6b94 in WTF::RunLoop::Timer<WebCore::MockRealtimeVideoSource>::fired() (/home/phil/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0x11624b94) #12 0x7faa71c47349 in WTF::RunLoop::TimerBase::TimerBase(WTF::RunLoop&)::{lambda(void*)#1}::operator()(void*) const (/home/phil/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18+0x57d2349) #13 0x7faa71c473d4 in WTF::RunLoop::TimerBase::TimerBase(WTF::RunLoop&)::{lambda(void*)#1}::_FUN(void*) (/home/phil/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18+0x57d23d4) #14 0x7faa71c462d5 in WTF::{lambda(_GSource*, int (*)(void*), void*)#1}::operator()(_GSource*, int (*)(void*), void*) const (/home/phil/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18+0x57d12d5) #15 0x7faa71c46305 in WTF::{lambda(_GSource*, int (*)(void*), void*)#1}::_FUN(_GSource*, int (*)(void*), void*) (/home/phil/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18+0x57d1305) #16 0x7faa68e0f8d7 in g_main_dispatch /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/glib-2.54.2/glib/gmain.c:3148 #17 0x7faa68e0f8d7 in g_main_context_dispatch /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/glib-2.54.2/glib/gmain.c:3813 previously allocated by thread T0 here: #0 0x7faa92d4aed0 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe8ed0) #1 0x7faa71c5d777 in bmalloc::DebugHeap::malloc(unsigned long) (/home/phil/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18+0x57e8777) #2 0x7faa71c58b16 in bmalloc::Allocator::allocateSlowCase(unsigned long) (/home/phil/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18+0x57e3b16) #3 0x7faa71b43c51 in bmalloc::Allocator::allocate(unsigned long) (/home/phil/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18+0x56cec51) #4 0x7faa71b43d8c in bmalloc::Cache::allocate(bmalloc::HeapKind, unsigned long) (/home/phil/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18+0x56ced8c) #5 0x7faa71b44025 in bmalloc::api::malloc(unsigned long, bmalloc::HeapKind) (/home/phil/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18+0x56cf025) #6 0x7faa71b42b0c in WTF::fastMalloc(unsigned long) (/home/phil/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18+0x56cdb0c) #7 0x7faa8031faef in WTF::VectorBufferBase<unsigned char>::allocateBuffer(unsigned long) (/home/phil/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0xba5daef) #8 0x7faa80325a0b in WTF::Vector<unsigned char, 0ul, WTF::CrashOnOverflow, 16ul>::reserveCapacity(unsigned long) (/home/phil/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0xba63a0b) #9 0x7faa8031fd2b in WTF::Vector<unsigned char, 0ul, WTF::CrashOnOverflow, 16ul>::expandCapacity(unsigned long) (/home/phil/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0xba5dd2b) #10 0x7faa80a4e2a0 in unsigned char const* WTF::Vector<unsigned char, 0ul, WTF::CrashOnOverflow, 16ul>::expandCapacity<unsigned char const>(unsigned long, unsigned char const*) (/home/phil/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0xc18c2a0) #11 0x7faa80a4784c in void WTF::Vector<unsigned char, 0ul, WTF::CrashOnOverflow, 16ul>::append<unsigned char>(unsigned char const*, unsigned long) (/home/phil/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0xc18584c) #12 0x7faa85cfce7a in WebCore::ImageBuffer::toBGRAData() const (/home/phil/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0x1143ae7a) #13 0x7faa874d7ec3 in WebCore::WrappedMockRealtimeVideoSource::updateSampleBuffer() (/home/phil/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0x12c15ec3) #14 0x7faa85ecfa2c in WebCore::MockRealtimeVideoSource::generateFrame() (/home/phil/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0x1160da2c) #15 0x7faa85ee6b94 in WTF::RunLoop::Timer<WebCore::MockRealtimeVideoSource>::fired() (/home/phil/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0x11624b94) #16 0x7faa71c47349 in WTF::RunLoop::TimerBase::TimerBase(WTF::RunLoop&)::{lambda(void*)#1}::operator()(void*) const (/home/phil/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18+0x57d2349) #17 0x7faa71c473d4 in WTF::RunLoop::TimerBase::TimerBase(WTF::RunLoop&)::{lambda(void*)#1}::_FUN(void*) (/home/phil/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18+0x57d23d4) #18 0x7faa71c462d5 in WTF::{lambda(_GSource*, int (*)(void*), void*)#1}::operator()(_GSource*, int (*)(void*), void*) const (/home/phil/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18+0x57d12d5) #19 0x7faa71c46305 in WTF::{lambda(_GSource*, int (*)(void*), void*)#1}::_FUN(_GSource*, int (*)(void*), void*) (/home/phil/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18+0x57d1305) #20 0x7faa68e0f8d7 in g_main_dispatch /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/glib-2.54.2/glib/gmain.c:3148 #21 0x7faa68e0f8d7 in g_main_context_dispatch /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/glib-2.54.2/glib/gmain.c:3813 Thread T34 (multiqueue0:src) created by T32 (appsrc1:src) here: #0 0x7faa92cabef0 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x49ef0) #1 0x7faa68e533bf in g_system_thread_new /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/glib-2.54.2/glib/gthread-posix.c:1170 Thread T32 (appsrc1:src) created by T0 here: #0 0x7faa92cabef0 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x49ef0) #1 0x7faa68e533bf in g_system_thread_new /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/glib-2.54.2/glib/gthread-posix.c:1170 SUMMARY: AddressSanitizer: heap-use-after-free (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x3f4ad) Shadow bytes around the buggy address: 0x0ff5be9c70b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0ff5be9c70c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0ff5be9c70d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0ff5be9c70e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0ff5be9c70f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa =>0x0ff5be9c7100:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0ff5be9c7110: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0ff5be9c7120: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0ff5be9c7130: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0ff5be9c7140: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0ff5be9c7150: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==6262==ABORTING 1458016 1 349285 pnormand 2018-09-09 03:43:03 -0700 Created attachment 349285 Patch 1458017 2 ews-watchlist 2018-09-09 03:46:32 -0700 Attachment 349285 did not pass style-queue: ERROR: Source/WebCore/ChangeLog:3: Please consider whether the use of security-sensitive phrasing could help someone exploit WebKit: use-after-free [changelog/unwantedsecurityterms] [3] Total errors found: 1 in 2 files If any of these errors are false positives, please file a bug against check-webkit-style. 1458019 3 349285 tsaunier 2018-09-09 05:51:30 -0700 Comment on attachment 349285 Patch View in context: https://bugs.webkit.org/attachment.cgi?id=349285&action=review If we don't have choice but memcpy, ok, I would rather avoid it though. > Source/WebCore/platform/mediastream/gstreamer/MockGStreamerVideoCaptureSource.cpp:-53 > - auto gstsample = gst_sample_new(gst_buffer_new_wrapped(static_cast<guint8*>(data.releaseBuffer().get()), size), I think data.releaseBuffer().get() was giving us ownership of the data, am I wrong? I know it is for testing only but this introduces a big memcpy that we should avoid fmpov. 1458020 4 pnormand 2018-09-09 06:36:37 -0700 (In reply to Thibault Saunier from comment #3) > Comment on attachment 349285 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=349285&action=review > > If we don't have choice but memcpy, ok, I would rather avoid it though. > > > Source/WebCore/platform/mediastream/gstreamer/MockGStreamerVideoCaptureSource.cpp:-53 > > - auto gstsample = gst_sample_new(gst_buffer_new_wrapped(static_cast<guint8*>(data.releaseBuffer().get()), size), > > I think data.releaseBuffer().get() was giving us ownership of the data, am I > wrong? I know it is for testing only but this introduces a big memcpy that > we should avoid fmpov. Hum yeah it should be possible to avoid the memcpy... It seems the issue is actually related with the MallocPtr returned by releaseBuffer(). I'll try another approach with gst_buffer_wrapped_full()... 1458021 5 pnormand 2018-09-09 07:06:47 -0700 Right now I don't see how to avoid the memcpy because I don't see how to avoid the MallocPtr destruction, that class has no refcount management... The problem is that the MallocPtr is destroyed when the scope ends, leaving the gst sample with an invalid pointer. 1458022 6 tsaunier 2018-09-09 07:19:42 -0700 (In reply to Philippe Normand from comment #5) > Right now I don't see how to avoid the memcpy because I don't see how to > avoid the MallocPtr destruction, that class has no refcount management... > > The problem is that the MallocPtr is destroyed when the scope ends, leaving > the gst sample with an invalid pointer. OK, then if there is no way to give ownership of MallocPtr to the GstBuffer, let's memcopy. Informal r+ for me. 1458102 7 349285 calvaris 2018-09-10 01:45:28 -0700 Comment on attachment 349285 Patch View in context: https://bugs.webkit.org/attachment.cgi?id=349285&action=review >>> Source/WebCore/platform/mediastream/gstreamer/MockGStreamerVideoCaptureSource.cpp:-53 >>> - auto gstsample = gst_sample_new(gst_buffer_new_wrapped(static_cast<guint8*>(data.releaseBuffer().get()), size), >> >> I think data.releaseBuffer().get() was giving us ownership of the data, am I wrong? I know it is for testing only but this introduces a big memcpy that we should avoid fmpov. > > Hum yeah it should be possible to avoid the memcpy... It seems the issue is actually related with the MallocPtr returned by releaseBuffer(). I'll try another approach with gst_buffer_wrapped_full()... From what understand there, the problem of this line is data.releaseBuffer() returns a MallocPtr and get() gets that pointer that is passed to gst_buffer_new_wrapped. The problem happens when that MallocPtr goes out of scope just after running the get() so that pointer we pass with [transfer full] disappears with ~MallocPtr. I think what we want here is to do data.releaseBuffer().leakPtr() which will "leak" the pointer directly into the gst_buffer_new_wrapper [transfer full]. Am I missing anything here? 1458108 8 349303 pnormand 2018-09-10 02:19:42 -0700 Created attachment 349303 Patch 1458109 9 ews-watchlist 2018-09-10 02:22:12 -0700 Attachment 349303 did not pass style-queue: ERROR: Source/WebCore/ChangeLog:3: Please consider whether the use of security-sensitive phrasing could help someone exploit WebKit: use-after-free [changelog/unwantedsecurityterms] [3] Total errors found: 1 in 2 files If any of these errors are false positives, please file a bug against check-webkit-style. 1458115 10 349303 calvaris 2018-09-10 03:29:37 -0700 Comment on attachment 349303 Patch View in context: https://bugs.webkit.org/attachment.cgi?id=349303&action=review > Source/WebCore/platform/mediastream/gstreamer/MockGStreamerVideoCaptureSource.cpp:58 > + auto gstSample = adoptGRef(gst_sample_new(gst_buffer_new_wrapped(data.releaseBuffer().leakPtr(), > + size), caps.get(), nullptr, nullptr)); I think we're leaking the buffer here. gst_buffer_new_wrapped is [transfer full] and gst_sample_new receives [transfer none]. 1458116 11 349303 calvaris 2018-09-10 03:30:14 -0700 Comment on attachment 349303 Patch View in context: https://bugs.webkit.org/attachment.cgi?id=349303&action=review > Source/WebCore/ChangeLog:3 > + [GStreamer] use-after-free in MockVideoCaptureSource And please, honor the style checker here ;) 1458117 12 pnormand 2018-09-10 03:40:48 -0700 (In reply to Xabier Rodríguez Calvar from comment #11) > Comment on attachment 349303 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=349303&action=review > > > Source/WebCore/ChangeLog:3 > > + [GStreamer] use-after-free in MockVideoCaptureSource > > And please, honor the style checker here ;) For this specific issue I see no reason to, because: - This issue is specific to the test infrastructure, mock sources are not exposed - The whole mediastream feature isn't shipped yet beyond developer builds. 1458142 13 349313 pnormand 2018-09-10 09:54:48 -0700 Created attachment 349313 Patch 1458144 14 pnormand 2018-09-10 09:56:27 -0700 (In reply to Xabier Rodríguez Calvar from comment #7) > Comment on attachment 349285 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=349285&action=review > > >>> Source/WebCore/platform/mediastream/gstreamer/MockGStreamerVideoCaptureSource.cpp:-53 > >>> - auto gstsample = gst_sample_new(gst_buffer_new_wrapped(static_cast<guint8*>(data.releaseBuffer().get()), size), > >> > >> I think data.releaseBuffer().get() was giving us ownership of the data, am I wrong? I know it is for testing only but this introduces a big memcpy that we should avoid fmpov. > > > > Hum yeah it should be possible to avoid the memcpy... It seems the issue is actually related with the MallocPtr returned by releaseBuffer(). I'll try another approach with gst_buffer_wrapped_full()... > > From what understand there, the problem of this line is data.releaseBuffer() > returns a MallocPtr and get() gets that pointer that is passed to > gst_buffer_new_wrapped. The problem happens when that MallocPtr goes out of > scope just after running the get() so that pointer we pass with [transfer > full] disappears with ~MallocPtr. I think what we want here is to do > data.releaseBuffer().leakPtr() which will "leak" the pointer directly into > the gst_buffer_new_wrapper [transfer full]. > > Am I missing anything here? This looks good in theory but doesn't work in practice. I don't know why and don't plan to debug this further. I think that we can live with a memcpy here for this code specific to the testing infrastructure. 1458145 15 ews-watchlist 2018-09-10 09:56:38 -0700 Attachment 349313 did not pass style-queue: ERROR: Source/WebCore/ChangeLog:3: Please consider whether the use of security-sensitive phrasing could help someone exploit WebKit: use-after-free [changelog/unwantedsecurityterms] [3] Total errors found: 1 in 2 files If any of these errors are false positives, please file a bug against check-webkit-style. 1458408 16 349313 calvaris 2018-09-10 22:45:06 -0700 Comment on attachment 349313 Patch View in context: https://bugs.webkit.org/attachment.cgi?id=349313&action=review > Source/WebCore/platform/mediastream/gstreamer/MockGStreamerVideoCaptureSource.cpp:57 > + auto buffer = adoptGRef(gst_buffer_new_wrapped(g_memdup(data.releaseBuffer().leakPtr(), size), size)); If you do a g_memdup you shouldn't leakPtr() but get(). 1458428 17 pnormand 2018-09-11 01:20:37 -0700 Committed r235890: <https://trac.webkit.org/changeset/235890> 1458429 18 webkit-bug-importer 2018-09-11 01:21:27 -0700 <rdar://problem/44334490> 349285 2018-09-09 03:43:03 -0700 2018-09-10 02:19:38 -0700 Patch bug-189462-20180909114302.patch text/plain 3154 pnormand U3VidmVyc2lvbiBSZXZpc2lvbjogMjM1ODI3CmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9D aGFuZ2VMb2cgYi9Tb3VyY2UvV2ViQ29yZS9DaGFuZ2VMb2cKaW5kZXggZGZmZjQxNzVmOWVmNWNh MzdhMTE0N2Y2MTFkMTI0NGNiNWM4NWE4MC4uYjcwZGE1Y2QxZjcyODA1NWZlMWE0ZjUyYzgxMTZl NjI0MGI2OTQxMiAxMDA2NDQKLS0tIGEvU291cmNlL1dlYkNvcmUvQ2hhbmdlTG9nCisrKyBiL1Nv dXJjZS9XZWJDb3JlL0NoYW5nZUxvZwpAQCAtMSwzICsxLDE1IEBACisyMDE4LTA5LTA5ICBQaGls aXBwZSBOb3JtYW5kICA8cG5vcm1hbmRAaWdhbGlhLmNvbT4KKworICAgICAgICBbR1N0cmVhbWVy XSB1c2UtYWZ0ZXItZnJlZSBpbiBNb2NrVmlkZW9DYXB0dXJlU291cmNlCisgICAgICAgIGh0dHBz Oi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD0xODk0NjIKKworICAgICAgICBSZXZp ZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICAqIHBsYXRmb3JtL21lZGlhc3RyZWFt L2dzdHJlYW1lci9Nb2NrR1N0cmVhbWVyVmlkZW9DYXB0dXJlU291cmNlLmNwcDoKKyAgICAgICAg KFdlYkNvcmU6OldyYXBwZWRNb2NrUmVhbHRpbWVWaWRlb1NvdXJjZTo6dXBkYXRlU2FtcGxlQnVm ZmVyKToKKyAgICAgICAgQ29weSB0aGUgQkdSQSBkYXRhIGJlZm9yZSBwYXNzaW5nIG93bmVyc2hp cCB0byBHU3RyZWFtZXIuIEFsc28KKyAgICAgICAgaW5jbHVkZSBhIGZldyBjb2RlIHN0eWxlIGNv c21ldGljIGNoYW5nZXMuCisKIDIwMTgtMDktMDcgIEZ1amlpIEhpcm9ub3JpICA8SGlyb25vcmku RnVqaWlAc29ueS5jb20+CiAKICAgICAgICAgW1dpbl1bQ2xhbmddIGV4Y2VwdGlvblNob3VsZFRl cm1pbmF0ZVByb2dyYW0gb2YgU3RydWN0dXJlZEV4Y2VwdGlvbkhhbmRsZXJTdXBwcmVzc29yLmNw cCBzaG91bGQgdGFrZSBEV09SRApkaWZmIC0tZ2l0IGEvU291cmNlL1dlYkNvcmUvcGxhdGZvcm0v bWVkaWFzdHJlYW0vZ3N0cmVhbWVyL01vY2tHU3RyZWFtZXJWaWRlb0NhcHR1cmVTb3VyY2UuY3Bw IGIvU291cmNlL1dlYkNvcmUvcGxhdGZvcm0vbWVkaWFzdHJlYW0vZ3N0cmVhbWVyL01vY2tHU3Ry ZWFtZXJWaWRlb0NhcHR1cmVTb3VyY2UuY3BwCmluZGV4IGJkZmFiZWRkNDZmOGMyNTNlY2NjY2Jj M2YwYTExMzBmZTE4ZWZiZmIuLjYwZTBmMjMzMzI3OTJmNWYzMWZlY2U2NDFlMmY2MGY1OTE0YzRk YjAgMTAwNjQ0Ci0tLSBhL1NvdXJjZS9XZWJDb3JlL3BsYXRmb3JtL21lZGlhc3RyZWFtL2dzdHJl YW1lci9Nb2NrR1N0cmVhbWVyVmlkZW9DYXB0dXJlU291cmNlLmNwcAorKysgYi9Tb3VyY2UvV2Vi Q29yZS9wbGF0Zm9ybS9tZWRpYXN0cmVhbS9nc3RyZWFtZXIvTW9ja0dTdHJlYW1lclZpZGVvQ2Fw dHVyZVNvdXJjZS5jcHAKQEAgLTQwLDI4ICs0MCwyNCBAQCBwdWJsaWM6CiAKICAgICB2b2lkIHVw ZGF0ZVNhbXBsZUJ1ZmZlcigpCiAgICAgewotICAgICAgICBpbnQgZnBzTnVtZXJhdG9yLCBmcHNE ZW5vbWluYXRvcjsKICAgICAgICAgYXV0byBpbWFnZUJ1ZmZlciA9IHRoaXMtPmltYWdlQnVmZmVy KCk7Ci0KICAgICAgICAgaWYgKCFpbWFnZUJ1ZmZlcikKICAgICAgICAgICAgIHJldHVybjsKIAor ICAgICAgICBpbnQgZnBzTnVtZXJhdG9yLCBmcHNEZW5vbWluYXRvcjsKICAgICAgICAgZ3N0X3V0 aWxfZG91YmxlX3RvX2ZyYWN0aW9uKGZyYW1lUmF0ZSgpLCAmZnBzTnVtZXJhdG9yLCAmZnBzRGVu b21pbmF0b3IpOwogICAgICAgICBhdXRvIGRhdGEgPSBpbWFnZUJ1ZmZlci0+dG9CR1JBRGF0YSgp OwogICAgICAgICBhdXRvIHNpemUgPSBkYXRhLnNpemUoKTsKLSAgICAgICAgYXV0byBpbWFnZV9z aXplID0gaW1hZ2VCdWZmZXItPmludGVybmFsU2l6ZSgpOwotICAgICAgICBhdXRvIGdzdHNhbXBs ZSA9IGdzdF9zYW1wbGVfbmV3KGdzdF9idWZmZXJfbmV3X3dyYXBwZWQoc3RhdGljX2Nhc3Q8Z3Vp bnQ4Kj4oZGF0YS5yZWxlYXNlQnVmZmVyKCkuZ2V0KCkpLCBzaXplKSwKLSAgICAgICAgICAgIGFk b3B0R1JlZihnc3RfY2Fwc19uZXdfc2ltcGxlKCJ2aWRlby94LXJhdyIsCi0gICAgICAgICAgICAg ICAgImZvcm1hdCIsIEdfVFlQRV9TVFJJTkcsICJCR1JBIiwKLSAgICAgICAgICAgICAgICAid2lk dGgiLCBHX1RZUEVfSU5ULCBpbWFnZV9zaXplLndpZHRoKCksCi0gICAgICAgICAgICAgICAgImhl aWdodCIsIEdfVFlQRV9JTlQsIGltYWdlX3NpemUuaGVpZ2h0KCksCi0gICAgICAgICAgICAgICAg ImZyYW1lcmF0ZSIsIEdTVF9UWVBFX0ZSQUNUSU9OLCBmcHNOdW1lcmF0b3IsIGZwc0Rlbm9taW5h dG9yLAotICAgICAgICAgICAgICAgIG51bGxwdHIpKS5nZXQoKSwKLSAgICAgICAgICAgIG51bGxw dHIsIG51bGxwdHIpOwotCi0gICAgICAgIGF1dG8gc2FtcGxlID0gTWVkaWFTYW1wbGVHU3RyZWFt ZXI6OmNyZWF0ZShXVEZNb3ZlKGdzdHNhbXBsZSksCi0gICAgICAgICAgICBXZWJDb3JlOjpGbG9h dFNpemUoKSwgU3RyaW5nKCkpOwotICAgICAgICB2aWRlb1NhbXBsZUF2YWlsYWJsZShzYW1wbGUp OworICAgICAgICBhdXRvIGltYWdlU2l6ZSA9IGltYWdlQnVmZmVyLT5pbnRlcm5hbFNpemUoKTsK KyAgICAgICAgYXV0byBjYXBzID0gYWRvcHRHUmVmKGdzdF9jYXBzX25ld19zaW1wbGUoInZpZGVv L3gtcmF3IiwKKyAgICAgICAgICAgICJmb3JtYXQiLCBHX1RZUEVfU1RSSU5HLCAiQkdSQSIsCisg ICAgICAgICAgICAid2lkdGgiLCBHX1RZUEVfSU5ULCBpbWFnZVNpemUud2lkdGgoKSwKKyAgICAg ICAgICAgICJoZWlnaHQiLCBHX1RZUEVfSU5ULCBpbWFnZVNpemUuaGVpZ2h0KCksCisgICAgICAg ICAgICAiZnJhbWVyYXRlIiwgR1NUX1RZUEVfRlJBQ1RJT04sIGZwc051bWVyYXRvciwgZnBzRGVu b21pbmF0b3IsIG51bGxwdHIpKTsKKyAgICAgICAgYXV0byBnc3RTYW1wbGUgPSBhZG9wdEdSZWYo Z3N0X3NhbXBsZV9uZXcoZ3N0X2J1ZmZlcl9uZXdfd3JhcHBlZChnX21lbWR1cChkYXRhLmRhdGEo KSwgc2l6ZSksCisgICAgICAgICAgICBzaXplKSwgY2Fwcy5nZXQoKSwgbnVsbHB0ciwgbnVsbHB0 cikpOworCisgICAgICAgIHZpZGVvU2FtcGxlQXZhaWxhYmxlKE1lZGlhU2FtcGxlR1N0cmVhbWVy OjpjcmVhdGUoV1RGTW92ZShnc3RTYW1wbGUpLCBXZWJDb3JlOjpGbG9hdFNpemUoKSwgU3RyaW5n KCkpKTsKICAgICB9CiB9OwogCg== 349303 2018-09-10 02:19:42 -0700 2018-09-10 09:54:45 -0700 Patch bug-189462-20180910111941.patch text/plain 3125 pnormand U3VidmVyc2lvbiBSZXZpc2lvbjogMjM1ODQ0CmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9D aGFuZ2VMb2cgYi9Tb3VyY2UvV2ViQ29yZS9DaGFuZ2VMb2cKaW5kZXggNDNkMzQyZDNjOWZmNWQw Yjk4MGM2ZDkwMTg5YWM5OWY4MDE2NmE3MS4uZDc5NTQzZjAzMTQ4OTgzNzY0ZjQ5Y2I3ODg0NWYy MDJkMWNjYWM5ZSAxMDA2NDQKLS0tIGEvU291cmNlL1dlYkNvcmUvQ2hhbmdlTG9nCisrKyBiL1Nv dXJjZS9XZWJDb3JlL0NoYW5nZUxvZwpAQCAtMSwzICsxLDE1IEBACisyMDE4LTA5LTEwICBQaGls aXBwZSBOb3JtYW5kICA8cG5vcm1hbmRAaWdhbGlhLmNvbT4KKworICAgICAgICBbR1N0cmVhbWVy XSB1c2UtYWZ0ZXItZnJlZSBpbiBNb2NrVmlkZW9DYXB0dXJlU291cmNlCisgICAgICAgIGh0dHBz Oi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD0xODk0NjIKKworICAgICAgICBSZXZp ZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICAqIHBsYXRmb3JtL21lZGlhc3RyZWFt L2dzdHJlYW1lci9Nb2NrR1N0cmVhbWVyVmlkZW9DYXB0dXJlU291cmNlLmNwcDoKKyAgICAgICAg KFdlYkNvcmU6OldyYXBwZWRNb2NrUmVhbHRpbWVWaWRlb1NvdXJjZTo6dXBkYXRlU2FtcGxlQnVm ZmVyKToKKyAgICAgICAgQ29weSB0aGUgQkdSQSBkYXRhIGJlZm9yZSBwYXNzaW5nIG93bmVyc2hp cCB0byBHU3RyZWFtZXIuIEFsc28KKyAgICAgICAgaW5jbHVkZSBhIGZldyBjb2RlIHN0eWxlIGNv c21ldGljIGNoYW5nZXMuCisKIDIwMTgtMDktMTAgIFJvYiBCdWlzICA8cmJ1aXNAaWdhbGlhLmNv bT4KIAogICAgICAgICBYTUxIdHRwUmVxdWVzdDogb3ZlcnJpZGVNaW1lVHlwZSBzaG91bGQgbm90 IHVwZGF0ZSB0aGUgcmVzcG9uc2UncyAiQ29udGVudC1UeXBlIiBoZWFkZXIKZGlmZiAtLWdpdCBh L1NvdXJjZS9XZWJDb3JlL3BsYXRmb3JtL21lZGlhc3RyZWFtL2dzdHJlYW1lci9Nb2NrR1N0cmVh bWVyVmlkZW9DYXB0dXJlU291cmNlLmNwcCBiL1NvdXJjZS9XZWJDb3JlL3BsYXRmb3JtL21lZGlh c3RyZWFtL2dzdHJlYW1lci9Nb2NrR1N0cmVhbWVyVmlkZW9DYXB0dXJlU291cmNlLmNwcAppbmRl eCBiZGZhYmVkZDQ2ZjhjMjUzZWNjY2NiYzNmMGExMTMwZmUxOGVmYmZiLi41YTdlYWU4ZjZjZTk0 ODhmZTJlOTBjZjZhMDhlMWFjM2MzZjk4NDc2IDEwMDY0NAotLS0gYS9Tb3VyY2UvV2ViQ29yZS9w bGF0Zm9ybS9tZWRpYXN0cmVhbS9nc3RyZWFtZXIvTW9ja0dTdHJlYW1lclZpZGVvQ2FwdHVyZVNv dXJjZS5jcHAKKysrIGIvU291cmNlL1dlYkNvcmUvcGxhdGZvcm0vbWVkaWFzdHJlYW0vZ3N0cmVh bWVyL01vY2tHU3RyZWFtZXJWaWRlb0NhcHR1cmVTb3VyY2UuY3BwCkBAIC00MCwyOCArNDAsMjQg QEAgcHVibGljOgogCiAgICAgdm9pZCB1cGRhdGVTYW1wbGVCdWZmZXIoKQogICAgIHsKLSAgICAg ICAgaW50IGZwc051bWVyYXRvciwgZnBzRGVub21pbmF0b3I7CiAgICAgICAgIGF1dG8gaW1hZ2VC dWZmZXIgPSB0aGlzLT5pbWFnZUJ1ZmZlcigpOwotCiAgICAgICAgIGlmICghaW1hZ2VCdWZmZXIp CiAgICAgICAgICAgICByZXR1cm47CiAKKyAgICAgICAgaW50IGZwc051bWVyYXRvciwgZnBzRGVu b21pbmF0b3I7CiAgICAgICAgIGdzdF91dGlsX2RvdWJsZV90b19mcmFjdGlvbihmcmFtZVJhdGUo KSwgJmZwc051bWVyYXRvciwgJmZwc0Rlbm9taW5hdG9yKTsKICAgICAgICAgYXV0byBkYXRhID0g aW1hZ2VCdWZmZXItPnRvQkdSQURhdGEoKTsKICAgICAgICAgYXV0byBzaXplID0gZGF0YS5zaXpl KCk7Ci0gICAgICAgIGF1dG8gaW1hZ2Vfc2l6ZSA9IGltYWdlQnVmZmVyLT5pbnRlcm5hbFNpemUo KTsKLSAgICAgICAgYXV0byBnc3RzYW1wbGUgPSBnc3Rfc2FtcGxlX25ldyhnc3RfYnVmZmVyX25l d193cmFwcGVkKHN0YXRpY19jYXN0PGd1aW50OCo+KGRhdGEucmVsZWFzZUJ1ZmZlcigpLmdldCgp KSwgc2l6ZSksCi0gICAgICAgICAgICBhZG9wdEdSZWYoZ3N0X2NhcHNfbmV3X3NpbXBsZSgidmlk ZW8veC1yYXciLAotICAgICAgICAgICAgICAgICJmb3JtYXQiLCBHX1RZUEVfU1RSSU5HLCAiQkdS QSIsCi0gICAgICAgICAgICAgICAgIndpZHRoIiwgR19UWVBFX0lOVCwgaW1hZ2Vfc2l6ZS53aWR0 aCgpLAotICAgICAgICAgICAgICAgICJoZWlnaHQiLCBHX1RZUEVfSU5ULCBpbWFnZV9zaXplLmhl aWdodCgpLAotICAgICAgICAgICAgICAgICJmcmFtZXJhdGUiLCBHU1RfVFlQRV9GUkFDVElPTiwg ZnBzTnVtZXJhdG9yLCBmcHNEZW5vbWluYXRvciwKLSAgICAgICAgICAgICAgICBudWxscHRyKSku Z2V0KCksCi0gICAgICAgICAgICBudWxscHRyLCBudWxscHRyKTsKLQotICAgICAgICBhdXRvIHNh bXBsZSA9IE1lZGlhU2FtcGxlR1N0cmVhbWVyOjpjcmVhdGUoV1RGTW92ZShnc3RzYW1wbGUpLAot ICAgICAgICAgICAgV2ViQ29yZTo6RmxvYXRTaXplKCksIFN0cmluZygpKTsKLSAgICAgICAgdmlk ZW9TYW1wbGVBdmFpbGFibGUoc2FtcGxlKTsKKyAgICAgICAgYXV0byBpbWFnZVNpemUgPSBpbWFn ZUJ1ZmZlci0+aW50ZXJuYWxTaXplKCk7CisgICAgICAgIGF1dG8gY2FwcyA9IGFkb3B0R1JlZihn c3RfY2Fwc19uZXdfc2ltcGxlKCJ2aWRlby94LXJhdyIsCisgICAgICAgICAgICAiZm9ybWF0Iiwg R19UWVBFX1NUUklORywgIkJHUkEiLAorICAgICAgICAgICAgIndpZHRoIiwgR19UWVBFX0lOVCwg aW1hZ2VTaXplLndpZHRoKCksCisgICAgICAgICAgICAiaGVpZ2h0IiwgR19UWVBFX0lOVCwgaW1h Z2VTaXplLmhlaWdodCgpLAorICAgICAgICAgICAgImZyYW1lcmF0ZSIsIEdTVF9UWVBFX0ZSQUNU SU9OLCBmcHNOdW1lcmF0b3IsIGZwc0Rlbm9taW5hdG9yLCBudWxscHRyKSk7CisgICAgICAgIGF1 dG8gZ3N0U2FtcGxlID0gYWRvcHRHUmVmKGdzdF9zYW1wbGVfbmV3KGdzdF9idWZmZXJfbmV3X3dy YXBwZWQoZGF0YS5yZWxlYXNlQnVmZmVyKCkubGVha1B0cigpLAorICAgICAgICAgICAgc2l6ZSks IGNhcHMuZ2V0KCksIG51bGxwdHIsIG51bGxwdHIpKTsKKworICAgICAgICB2aWRlb1NhbXBsZUF2 YWlsYWJsZShNZWRpYVNhbXBsZUdTdHJlYW1lcjo6Y3JlYXRlKFdURk1vdmUoZ3N0U2FtcGxlKSwg V2ViQ29yZTo6RmxvYXRTaXplKCksIFN0cmluZygpKSk7CiAgICAgfQogfTsKIAo= 349313 2018-09-10 09:54:48 -0700 2018-09-10 22:45:06 -0700 Patch bug-189462-20180910185447.patch text/plain 3167 pnormand U3VidmVyc2lvbiBSZXZpc2lvbjogMjM1ODQ0CmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9D aGFuZ2VMb2cgYi9Tb3VyY2UvV2ViQ29yZS9DaGFuZ2VMb2cKaW5kZXggNDNkMzQyZDNjOWZmNWQw Yjk4MGM2ZDkwMTg5YWM5OWY4MDE2NmE3MS4uZDc5NTQzZjAzMTQ4OTgzNzY0ZjQ5Y2I3ODg0NWYy MDJkMWNjYWM5ZSAxMDA2NDQKLS0tIGEvU291cmNlL1dlYkNvcmUvQ2hhbmdlTG9nCisrKyBiL1Nv dXJjZS9XZWJDb3JlL0NoYW5nZUxvZwpAQCAtMSwzICsxLDE1IEBACisyMDE4LTA5LTEwICBQaGls aXBwZSBOb3JtYW5kICA8cG5vcm1hbmRAaWdhbGlhLmNvbT4KKworICAgICAgICBbR1N0cmVhbWVy XSB1c2UtYWZ0ZXItZnJlZSBpbiBNb2NrVmlkZW9DYXB0dXJlU291cmNlCisgICAgICAgIGh0dHBz Oi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD0xODk0NjIKKworICAgICAgICBSZXZp ZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICAqIHBsYXRmb3JtL21lZGlhc3RyZWFt L2dzdHJlYW1lci9Nb2NrR1N0cmVhbWVyVmlkZW9DYXB0dXJlU291cmNlLmNwcDoKKyAgICAgICAg KFdlYkNvcmU6OldyYXBwZWRNb2NrUmVhbHRpbWVWaWRlb1NvdXJjZTo6dXBkYXRlU2FtcGxlQnVm ZmVyKToKKyAgICAgICAgQ29weSB0aGUgQkdSQSBkYXRhIGJlZm9yZSBwYXNzaW5nIG93bmVyc2hp cCB0byBHU3RyZWFtZXIuIEFsc28KKyAgICAgICAgaW5jbHVkZSBhIGZldyBjb2RlIHN0eWxlIGNv c21ldGljIGNoYW5nZXMuCisKIDIwMTgtMDktMTAgIFJvYiBCdWlzICA8cmJ1aXNAaWdhbGlhLmNv bT4KIAogICAgICAgICBYTUxIdHRwUmVxdWVzdDogb3ZlcnJpZGVNaW1lVHlwZSBzaG91bGQgbm90 IHVwZGF0ZSB0aGUgcmVzcG9uc2UncyAiQ29udGVudC1UeXBlIiBoZWFkZXIKZGlmZiAtLWdpdCBh L1NvdXJjZS9XZWJDb3JlL3BsYXRmb3JtL21lZGlhc3RyZWFtL2dzdHJlYW1lci9Nb2NrR1N0cmVh bWVyVmlkZW9DYXB0dXJlU291cmNlLmNwcCBiL1NvdXJjZS9XZWJDb3JlL3BsYXRmb3JtL21lZGlh c3RyZWFtL2dzdHJlYW1lci9Nb2NrR1N0cmVhbWVyVmlkZW9DYXB0dXJlU291cmNlLmNwcAppbmRl eCBiZGZhYmVkZDQ2ZjhjMjUzZWNjY2NiYzNmMGExMTMwZmUxOGVmYmZiLi42YWVhMTQ1ZjcxZjcz ODVkNDQxMWRkYjI4NWE1NDdlZmZmNzdlMGVhIDEwMDY0NAotLS0gYS9Tb3VyY2UvV2ViQ29yZS9w bGF0Zm9ybS9tZWRpYXN0cmVhbS9nc3RyZWFtZXIvTW9ja0dTdHJlYW1lclZpZGVvQ2FwdHVyZVNv dXJjZS5jcHAKKysrIGIvU291cmNlL1dlYkNvcmUvcGxhdGZvcm0vbWVkaWFzdHJlYW0vZ3N0cmVh bWVyL01vY2tHU3RyZWFtZXJWaWRlb0NhcHR1cmVTb3VyY2UuY3BwCkBAIC00MCwyOCArNDAsMjQg QEAgcHVibGljOgogCiAgICAgdm9pZCB1cGRhdGVTYW1wbGVCdWZmZXIoKQogICAgIHsKLSAgICAg ICAgaW50IGZwc051bWVyYXRvciwgZnBzRGVub21pbmF0b3I7CiAgICAgICAgIGF1dG8gaW1hZ2VC dWZmZXIgPSB0aGlzLT5pbWFnZUJ1ZmZlcigpOwotCiAgICAgICAgIGlmICghaW1hZ2VCdWZmZXIp CiAgICAgICAgICAgICByZXR1cm47CiAKKyAgICAgICAgaW50IGZwc051bWVyYXRvciwgZnBzRGVu b21pbmF0b3I7CiAgICAgICAgIGdzdF91dGlsX2RvdWJsZV90b19mcmFjdGlvbihmcmFtZVJhdGUo KSwgJmZwc051bWVyYXRvciwgJmZwc0Rlbm9taW5hdG9yKTsKKyAgICAgICAgYXV0byBpbWFnZVNp emUgPSBpbWFnZUJ1ZmZlci0+aW50ZXJuYWxTaXplKCk7CisgICAgICAgIGF1dG8gY2FwcyA9IGFk b3B0R1JlZihnc3RfY2Fwc19uZXdfc2ltcGxlKCJ2aWRlby94LXJhdyIsCisgICAgICAgICAgICAi Zm9ybWF0IiwgR19UWVBFX1NUUklORywgIkJHUkEiLAorICAgICAgICAgICAgIndpZHRoIiwgR19U WVBFX0lOVCwgaW1hZ2VTaXplLndpZHRoKCksCisgICAgICAgICAgICAiaGVpZ2h0IiwgR19UWVBF X0lOVCwgaW1hZ2VTaXplLmhlaWdodCgpLAorICAgICAgICAgICAgImZyYW1lcmF0ZSIsIEdTVF9U WVBFX0ZSQUNUSU9OLCBmcHNOdW1lcmF0b3IsIGZwc0Rlbm9taW5hdG9yLCBudWxscHRyKSk7CiAg ICAgICAgIGF1dG8gZGF0YSA9IGltYWdlQnVmZmVyLT50b0JHUkFEYXRhKCk7CiAgICAgICAgIGF1 dG8gc2l6ZSA9IGRhdGEuc2l6ZSgpOwotICAgICAgICBhdXRvIGltYWdlX3NpemUgPSBpbWFnZUJ1 ZmZlci0+aW50ZXJuYWxTaXplKCk7Ci0gICAgICAgIGF1dG8gZ3N0c2FtcGxlID0gZ3N0X3NhbXBs ZV9uZXcoZ3N0X2J1ZmZlcl9uZXdfd3JhcHBlZChzdGF0aWNfY2FzdDxndWludDgqPihkYXRhLnJl bGVhc2VCdWZmZXIoKS5nZXQoKSksIHNpemUpLAotICAgICAgICAgICAgYWRvcHRHUmVmKGdzdF9j YXBzX25ld19zaW1wbGUoInZpZGVvL3gtcmF3IiwKLSAgICAgICAgICAgICAgICAiZm9ybWF0Iiwg R19UWVBFX1NUUklORywgIkJHUkEiLAotICAgICAgICAgICAgICAgICJ3aWR0aCIsIEdfVFlQRV9J TlQsIGltYWdlX3NpemUud2lkdGgoKSwKLSAgICAgICAgICAgICAgICAiaGVpZ2h0IiwgR19UWVBF X0lOVCwgaW1hZ2Vfc2l6ZS5oZWlnaHQoKSwKLSAgICAgICAgICAgICAgICAiZnJhbWVyYXRlIiwg R1NUX1RZUEVfRlJBQ1RJT04sIGZwc051bWVyYXRvciwgZnBzRGVub21pbmF0b3IsCi0gICAgICAg ICAgICAgICAgbnVsbHB0cikpLmdldCgpLAotICAgICAgICAgICAgbnVsbHB0ciwgbnVsbHB0cik7 Ci0KLSAgICAgICAgYXV0byBzYW1wbGUgPSBNZWRpYVNhbXBsZUdTdHJlYW1lcjo6Y3JlYXRlKFdU Rk1vdmUoZ3N0c2FtcGxlKSwKLSAgICAgICAgICAgIFdlYkNvcmU6OkZsb2F0U2l6ZSgpLCBTdHJp bmcoKSk7Ci0gICAgICAgIHZpZGVvU2FtcGxlQXZhaWxhYmxlKHNhbXBsZSk7CisgICAgICAgIGF1 dG8gYnVmZmVyID0gYWRvcHRHUmVmKGdzdF9idWZmZXJfbmV3X3dyYXBwZWQoZ19tZW1kdXAoZGF0 YS5yZWxlYXNlQnVmZmVyKCkubGVha1B0cigpLCBzaXplKSwgc2l6ZSkpOworICAgICAgICBhdXRv IGdzdFNhbXBsZSA9IGFkb3B0R1JlZihnc3Rfc2FtcGxlX25ldyhidWZmZXIuZ2V0KCksIGNhcHMu Z2V0KCksIG51bGxwdHIsIG51bGxwdHIpKTsKKworICAgICAgICB2aWRlb1NhbXBsZUF2YWlsYWJs ZShNZWRpYVNhbXBsZUdTdHJlYW1lcjo6Y3JlYXRlKFdURk1vdmUoZ3N0U2FtcGxlKSwgRmxvYXRT aXplKCksIFN0cmluZygpKSk7CiAgICAgfQogfTsKIAo=