53957 2011-02-07 16:13:42 -0800 Crash after incorrectly restoring bogus session state. 2011-02-07 16:22:59 -0800 1 1 1 Unclassified WebKit WebKit2 528+ (Nightly build) All All RESOLVED FIXED InRadar P2 Normal --- 1 beidson webkit-unassigned darin oldest_to_newest 346922 0 beidson 2011-02-07 16:13:42 -0800 If a WebBackForwardList is restored with a certain bogus session state as input (current index pointing past the end of the entry list), the page involved is likely to crash later down the line when that wrong entry is accessed. In radar as <rdar://problem/8960434> 346929 1 81549 beidson 2011-02-07 16:21:06 -0800 Created attachment 81549 Patch v1 346931 2 beidson 2011-02-07 16:22:59 -0800 Landed in r77861 81549 2011-02-07 16:21:06 -0800 2011-02-07 16:22:11 -0800 Patch v1 patch.txt text/plain 2572 beidson SW5kZXg6IFNvdXJjZS9XZWJLaXQyL0NoYW5nZUxvZwo9PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2UvV2Vi S2l0Mi9DaGFuZ2VMb2cJKHJldmlzaW9uIDc3ODU5KQorKysgU291cmNlL1dlYktpdDIvQ2hhbmdl TG9nCSh3b3JraW5nIGNvcHkpCkBAIC0xLDMgKzEsMjMgQEAKKzIwMTEtMDItMDcgIEJyYWR5IEVp ZHNvbiAgPGJlaWRzb25AYXBwbGUuY29tPgorCisgICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAo T09QUyEpLgorCisgICAgICAgIDxyZGFyOi8vcHJvYmxlbS84OTYwNDM0PiBhbmQgaHR0cHM6Ly9i dWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTUzOTU3CisgICAgICAgIENyYXNoIGFmdGVy IGluY29ycmVjdGx5IHJlc3RvcmluZyBib2d1cyBzZXNzaW9uIHN0YXRlLgorCisgICAgICAgIElu IHNvbWUgY2FzZXMgd2UncmUgd3JpdGluZyBhbiBpbnZhbGlkIHNlc3Npb24gc3RhdGUgZm9yIGEg YmFjay9mb3J3YXJkIGxpc3Qgd2hlcmUgdGhlIGN1cnJlbnQgZW50cnkgaXMgMAorICAgICAgICBi dXQgdGhlIG51bWJlciBvZiBlbnRyaWVzIGlzIGFsc28gMC4KKyAgICAgICAgSW4gc3VjaCBjYXNl cyB0aGUgY3VycmVudCBlbnRyeSBzaG91bGQgYmUgIk5vQ3VycmVudEVudHJ5SW5kZXguIgorCisg ICAgICAgIFdoZW4gd2UgbGF0ZXIgcmVhZCB0aGlzIHN0YXRlIGluLCB3ZSBzZXQgb3Vyc2VsdmVz IHVwIHRvIGNyYXNoIGxhdGVyLgorCisgICAgICAgIEFtdXNpbmdseSBhbiBBU1NFUlQgY2F1Z2h0 IHRoaXMsIGJ1dCB3ZSBzaG91bGQndmUgcmVqZWN0ZWQgaXQgYmVmb3JlIHRoZSBBU1NFUlQgZmly ZWQuCisKKyAgICAgICAgKiBVSVByb2Nlc3MvY2YvV2ViQmFja0ZvcndhcmRMaXN0Q0YuY3BwOgor ICAgICAgICAoV2ViS2l0OjpXZWJCYWNrRm9yd2FyZExpc3Q6OnJlc3RvcmVGcm9tQ0ZEaWN0aW9u YXJ5UmVwcmVzZW50YXRpb24pOiBGYWlsIHRoZSByZXN0b3JlIGlmIHRoZSAiY3VycmVudCBpbmRl eCBwYXN0IHRoZSBlbmQKKyAgICAgICAgICBvZiB0aGUgbGlzdCIgY2FzZSBvY2N1cnMsIGFuZCBz cGVjdWxhdGl2ZWx5IGJhaWwgb3V0IG9mIHRoZSBjYXNlIHdoZXJlIHdlIGhhdmUgbm8gY3VycmVu dCBpbmRleCBidXQgZG8gaGF2ZSBhIGxpc3QuCisgICAgICAgICAgQWxzbyByZW1vdmUgdGhlIHVu aGVscGZ1bCBBU1NFUlQuCisKIDIwMTEtMDItMDcgIFNhbSBXZWluaWcgIDxzYW1Ad2Via2l0Lm9y Zz4KIAogICAgICAgICBSZXZpZXdlZCBieSBBbmRlcnMgQ2FybHNzb24uCkluZGV4OiBTb3VyY2Uv V2ViS2l0Mi9VSVByb2Nlc3MvY2YvV2ViQmFja0ZvcndhcmRMaXN0Q0YuY3BwCj09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0K LS0tIFNvdXJjZS9XZWJLaXQyL1VJUHJvY2Vzcy9jZi9XZWJCYWNrRm9yd2FyZExpc3RDRi5jcHAJ KHJldmlzaW9uIDc3ODIxKQorKysgU291cmNlL1dlYktpdDIvVUlQcm9jZXNzL2NmL1dlYkJhY2tG b3J3YXJkTGlzdENGLmNwcAkod29ya2luZyBjb3B5KQpAQCAtMTAzLDYgKzEwMywxNiBAQCBib29s IFdlYkJhY2tGb3J3YXJkTGlzdDo6cmVzdG9yZUZyb21DRkRpCiAgICAgfQogCiAgICAgQ0ZJbmRl eCBzaXplID0gQ0ZBcnJheUdldENvdW50KGNmRW50cmllcyk7CisgICAgaWYgKGN1cnJlbnRJbmRl eCAhPSBOb0N1cnJlbnRJdGVtSW5kZXggJiYgY3VycmVudEluZGV4ID49IHNpemUpIHsKKyAgICAg ICAgTE9HKFNlc3Npb25TdGF0ZSwgIldlYkJhY2tGb3J3YXJkTGlzdCBkaWN0aW9uYXJ5IHJlcHJl c2VudGF0aW9uIGNvbnRhaW5zIGFuIGludmFsaWQgY3VycmVudCBpbmRleCAoJWxkKSBmb3IgdGhl IG51bWJlciBvZiBlbnRyaWVzICglbGQpIiwgY3VycmVudEluZGV4LCBzaXplKTsKKyAgICAgICAg cmV0dXJuIGZhbHNlOworICAgIH0KKworICAgIGlmIChjdXJyZW50SW5kZXggPT0gTm9DdXJyZW50 SXRlbUluZGV4ICYmIHNpemUpIHsKKyAgICAgICAgTE9HKFNlc3Npb25TdGF0ZSwgIldlYkJhY2tG b3J3YXJkTGlzdCBkaWN0aW9uYXJ5IHJlcHJlc2VudGF0aW9uIHNheXMgdGhlcmUgaXMgbm8gY3Vy cmVudCBpdGVtIGluZGV4LCBidXQgdGhlcmUgaXMgYSBsaXN0IG9mICVsZCBlbnRyaWVzIC0gdGhp cyBpcyBib2d1cyIsIHNpemUpOworICAgICAgICByZXR1cm4gZmFsc2U7CisgICAgfQorICAgIAog ICAgIEJhY2tGb3J3YXJkTGlzdEl0ZW1WZWN0b3IgbmV3RW50cmllczsKICAgICBuZXdFbnRyaWVz LnJlc2VydmVDYXBhY2l0eShzaXplKTsKICAgICBmb3IgKENGSW5kZXggaSA9IDA7IGkgPCBzaXpl OyArK2kpIHsKQEAgLTE0Miw4ICsxNTIsNiBAQCBib29sIFdlYkJhY2tGb3J3YXJkTGlzdDo6cmVz dG9yZUZyb21DRkRpCiAgICAgbV9jdXJyZW50ID0gY3VycmVudEluZGV4OwogICAgIG1fZW50cmll cyA9IG5ld0VudHJpZXM7CiAKLSAgICBBU1NFUlQobV9jdXJyZW50ID09IE5vQ3VycmVudEl0ZW1J bmRleCB8fCBtX2N1cnJlbnQgPCBtX2VudHJpZXMuc2l6ZSgpKTsKLQogICAgIHJldHVybiB0cnVl OwogfQogCg==