27381 2009-07-17 11:20:23 -0700 WinLauncher Crash with File URLs 2009-07-20 10:15:27 -0700 1 1 1 Unclassified WebKit WebKit Misc. 528+ (Nightly build) PC Windows XP RESOLVED FIXED P2 Normal --- 1 bfulgham webkit-unassigned oldest_to_newest 132642 0 bfulgham 2009-07-17 11:20:23 -0700 Attempting to open a file URL in WinLauncher (e.g., C:\Cygwin\tmp\layout-test-results\results.html) will result in a crash in FastAlloc. This is happening because it is trying to allocate an enormous number of bytes (e.g., 174266262). The problem is caused by this section of code: BSTR urlBstr = ... TCHAR fileURL[INTERNET_MAX_URL_LENGTH]; DWORD fileURLLength = sizeof(fileURL)/sizeof(fileURL[0]); if (SUCCEEDED(UrlCreateFromPath(urlBStr, fileURL, &fileURLLength, 0))) urlBStr = fileURL; It is attempting to assign a TCHAR (generally a UNICODE string) to a BSTR. While the compiler allows this, the BSTR looses the size value that should be prepended to the string. Later on, in MarshallingHelpers.cpp we attempt this code: KURL MarshallingHelpers::BSTRToKURL(BSTR urlStr) { return KURL(KURL(), String(urlStr, SysStringLen(urlStr))); } The call to SysStringLen attempts to interpret the first four bytes of the UNICODE value as a string length, which in the test case results in an size that is larger than available memory. Fix is attached. 132646 1 32960 bfulgham 2009-07-17 11:25:27 -0700 Created attachment 32960 Correct BSTR mishandling. 132648 2 32960 aroben 2009-07-17 11:34:10 -0700 Comment on attachment 32960 Correct BSTR mishandling. > if (SUCCEEDED(UrlCreateFromPath(urlBStr, fileURL, &fileURLLength, 0))) > - urlBStr = fileURL; > + SysReAllocString(&urlBStr, fileURL); It doesn't seem so great to be modifying the urlBStr parameter like this. Maybe it would be better to put the file: URL into a separate variable? Something like: BSTR fileURLBstr = 0; if (...) { fileURLBstr = SysAllocString(...); urlBStr = fileURLBstr; } ...actual loading calls here... if (fileURLBstr) SysFreeString(fileURLBstr); But it seems OK as-is. 132668 3 bfulgham 2009-07-17 12:42:06 -0700 Landed in @r46050. 133163 4 bfulgham 2009-07-20 10:15:27 -0700 Forgot to close issue. 32960 2009-07-17 11:25:27 -0700 2009-07-17 11:34:10 -0700 Correct BSTR mishandling. winlauncher_fix.patch text/plain 1542 bfulgham SW5kZXg6IFdlYktpdFRvb2xzL0NoYW5nZUxvZwo9PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBXZWJLaXRUb29scy9D aGFuZ2VMb2cJKHJldmlzaW9uIDQ2MDQxKQorKysgV2ViS2l0VG9vbHMvQ2hhbmdlTG9nCSh3b3Jr aW5nIGNvcHkpCkBAIC0xLDMgKzEsMTUgQEAKKzIwMDktMDctMTcgIEJyZW50IEZ1bGdoYW0gIDxi ZnVsZ2hhbUB3ZWJraXQub3JnPgorCisgICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEp LgorCisgICAgICAgIENvcnJlY3QgY3Jhc2ggaW4gV2luTGF1bmNoZXIgZHVlIHRvIGltcHJvcGVy IG1peGluZyBvZiBCU1RSCisgICAgICAgIGFuZCBUQ0hBUiB0eXBlcy4KKyAgICAgICAgaHR0cHM6 Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTI3MzgxCisKKyAgICAgICAgKiBXaW5M YXVuY2hlci9XaW5MYXVuY2hlci5jcHA6CisgICAgICAgIChsb2FkVVJMKTogUGVyZm9ybSBTeXNS ZUFsbG9jU3RyaW5nIHRvIHVwZGF0ZSB0aGUgQlNUUiB3aXRoCisgICAgICAgICAgdGhlIGNvbnRl bnRzIG9mIHRoZSBUQ0hBUiBzdHJpbmcuCisKIDIwMDktMDYtMzAgIEhvbGdlciBIYW5zIFBldGVy IEZyZXl0aGVyICA8emVja2VAc2VsZmlzaC5vcmc+CiAKICAgICAgICAgUmV2aWV3ZWQgYnkgU2lt b24gSGF1c21hbm4uCkluZGV4OiBXZWJLaXRUb29scy9XaW5MYXVuY2hlci9XaW5MYXVuY2hlci5j cHAKPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PQotLS0gV2ViS2l0VG9vbHMvV2luTGF1bmNoZXIvV2luTGF1bmNoZXIuY3Bw CShyZXZpc2lvbiA0NjA0MSkKKysrIFdlYktpdFRvb2xzL1dpbkxhdW5jaGVyL1dpbkxhdW5jaGVy LmNwcAkod29ya2luZyBjb3B5KQpAQCAtMzY4LDE0ICszNjgsMTQgQEAgc3RhdGljIHZvaWQgbG9h ZFVSTChCU1RSIHVybEJTdHIpCiAgICAgSVdlYkZyYW1lKiBmcmFtZSA9IDA7CiAgICAgSVdlYk11 dGFibGVVUkxSZXF1ZXN0KiByZXF1ZXN0ID0gMDsKIAotCiAgICAgc3RhdGljIEJTVFIgbWV0aG9k QlN0ciA9IFN5c0FsbG9jU3RyaW5nKFRFWFQoIkdFVCIpKTsKIAogICAgIGlmICh1cmxCU3RyICYm IHVybEJTdHJbMF0gJiYgKFBhdGhGaWxlRXhpc3RzKHVybEJTdHIpIHx8IFBhdGhJc1VOQyh1cmxC U3RyKSkpIHsKICAgICAgICAgVENIQVIgZmlsZVVSTFtJTlRFUk5FVF9NQVhfVVJMX0xFTkdUSF07 CiAgICAgICAgIERXT1JEIGZpbGVVUkxMZW5ndGggPSBzaXplb2YoZmlsZVVSTCkvc2l6ZW9mKGZp bGVVUkxbMF0pOworCiAgICAgICAgIGlmIChTVUNDRUVERUQoVXJsQ3JlYXRlRnJvbVBhdGgodXJs QlN0ciwgZmlsZVVSTCwgJmZpbGVVUkxMZW5ndGgsIDApKSkKLSAgICAgICAgICAgIHVybEJTdHIg PSBmaWxlVVJMOworICAgICAgICAgICAgU3lzUmVBbGxvY1N0cmluZygmdXJsQlN0ciwgZmlsZVVS TCk7CiAgICAgfQogCiAgICAgSFJFU1VMVCBociA9IGdXZWJWaWV3LT5tYWluRnJhbWUoJmZyYW1l KTsK