85394 2012-05-02 11:22:42 -0700 Web Inspector: crash in InspectorResourceAgent::didReceiveWebSocketFrame 2012-05-03 05:34:46 -0700 1 1 1 Unclassified WebKit Web Inspector (Deprecated) 528+ (Nightly build) All Windows 7 RESOLVED FIXED P2 Normal --- 0 marshall yurys apavlov bweinstein joepeck keishi loislo pfeldman pmuellr rik timothy yurys oldest_to_newest 614467 0 marshall 2012-05-02 11:22:42 -0700 WebKit revision 115687. Chromium revision 134688 The frame.payload value passed to InspectorResourceAgent::didReceiveWebSocketFrame is not nul-terminated. didReceiveWebSocketFrame calls payload.substring(0, frame.payloadLength) which also returns a non-nul-terminated string. The non-nul-terminated string is then passed to StringImpl::create which calls strlen() resulting a buffer overrun. Stack trace: libcef.dll!strlen(unsigned char * buf) Line 81 Asm libcef.dll!WTF::StringImpl::create(const unsigned char * string) Line 186 + 0x9 bytes C++ libcef.dll!WTF::String::String(const char * characters) Line 84 + 0x3a bytes C++ > libcef.dll!WebCore::InspectorResourceAgent::didReceiveWebSocketFrame(unsigned long identifier, const WebCore::WebSocketFrame & frame) Line 465 C++ libcef.dll!WebCore::InspectorInstrumentation::didReceiveWebSocketFrameImpl(WebCore::InstrumentingAgents * instrumentingAgents, unsigned long identifier, const WebCore::WebSocketFrame & frame) Line 995 C++ libcef.dll!WebCore::InspectorInstrumentation::didReceiveWebSocketFrame(WebCore::Document * document, unsigned long identifier, const WebCore::WebSocketFrame & frame) Line 1238 + 0x11 bytes C++ libcef.dll!WebCore::WebSocketChannel::processFrame() Line 603 + 0x1a bytes C++ libcef.dll!WebCore::WebSocketChannel::processBuffer() Line 489 + 0x8 bytes C++ libcef.dll!WebCore::WebSocketChannel::didReceiveSocketStreamData(WebCore::SocketStreamHandle * handle, const char * data, int len) Line 330 + 0x8 bytes C++ libcef.dll!WebCore::SocketStreamHandleInternal::didReceiveData(WebKit::WebSocketStreamHandle * socketHandle, const WebKit::WebData & data) Line 134 + 0x34 bytes C++ libcef.dll!webkit_glue::WebSocketStreamHandleImpl::Context::DidReceiveData(WebKit::WebSocketStreamHandle * web_handle, const char * data, int size) Line 129 + 0x4b bytes C++ libcef.dll!IPCWebSocketStreamHandleBridge::OnReceivedData(const std::vector<char,std::allocator<char> > & data) Line 127 + 0x32 bytes C++ libcef.dll!SocketStreamDispatcher::OnReceivedData(int socket_id, const std::vector<char,std::allocator<char> > & data) Line 222 C++ libcef.dll!DispatchToMethod<SocketStreamDispatcher,void (__thiscall SocketStreamDispatcher::*)(int,std::vector<char,std::allocator<char> > const &),int,std::vector<char,std::allocator<char> > >(SocketStreamDispatcher * obj, void (int, const std::vector<char,std::allocator<char> > &)* method, const Tuple2<int,std::vector<char,std::allocator<char> > > & arg) Line 554 + 0x15 bytes C++ libcef.dll!SocketStreamMsg_ReceivedData::Dispatch<SocketStreamDispatcher,SocketStreamDispatcher,void (__thiscall SocketStreamDispatcher::*)(int,std::vector<char,std::allocator<char> > const &)>(const IPC::Message * msg, SocketStreamDispatcher * obj, SocketStreamDispatcher * sender, void (int, const std::vector<char,std::allocator<char> > &)* func) Line 65 + 0x56 bytes C++ libcef.dll!SocketStreamDispatcher::OnMessageReceived(const IPC::Message & msg) Line 188 + 0x3c bytes C++ libcef.dll!ChildThread::OnMessageReceived(const IPC::Message & msg) Line 176 + 0x2d bytes C++ libcef.dll!IPC::ChannelProxy::Context::OnDispatchMessage(const IPC::Message & message) Line 247 + 0x19 bytes C++ libcef.dll!base::internal::RunnableAdapter<void (__thiscall IPC::ChannelProxy::Context::*)(IPC::Message const &)>::Run(IPC::ChannelProxy::Context * object, const IPC::Message & a1) Line 188 + 0x21 bytes C++ libcef.dll!base::internal::InvokeHelper<0,void,base::internal::RunnableAdapter<void (__thiscall IPC::ChannelProxy::Context::*)(IPC::Message const &)>,void __cdecl(IPC::ChannelProxy::Context * const &,IPC::Message const &)>::MakeItSo(base::internal::RunnableAdapter<void (__thiscall IPC::ChannelProxy::Context::*)(IPC::Message const &)> runnable, IPC::ChannelProxy::Context * const & a1, const IPC::Message & a2) Line 897 C++ libcef.dll!base::internal::Invoker<2,base::internal::BindState<base::internal::RunnableAdapter<void (__thiscall IPC::ChannelProxy::Context::*)(IPC::Message const &)>,void __cdecl(IPC::ChannelProxy::Context *,IPC::Message const &),void __cdecl(IPC::ChannelProxy::Context *,IPC::Message)>,void __cdecl(IPC::ChannelProxy::Context *,IPC::Message const &)>::Run(base::internal::BindStateBase * base) Line 1254 + 0x2a bytes C++ libcef.dll!base::Callback<void __cdecl(void)>::Run() Line 272 + 0xe bytes C++ libcef.dll!MessageLoop::RunTask(const base::PendingTask & pending_task) Line 464 C++ libcef.dll!MessageLoop::DeferOrRunPendingTask(const base::PendingTask & pending_task) Line 477 C++ libcef.dll!MessageLoop::DoWork() Line 651 + 0xc bytes C++ libcef.dll!base::MessagePumpForUI::DoRunLoop() Line 224 + 0x1d bytes C++ libcef.dll!base::MessagePumpWin::RunWithDispatcher(base::MessagePump::Delegate * delegate, base::MessagePumpDispatcher * dispatcher) Line 60 + 0xf bytes C++ libcef.dll!base::MessagePumpWin::Run(base::MessagePump::Delegate * delegate) Line 48 + 0x1c bytes C++ libcef.dll!MessageLoop::RunInternal() Line 421 + 0x29 bytes C++ libcef.dll!MessageLoop::RunHandler() Line 395 C++ libcef.dll!MessageLoop::Run() Line 301 C++ libcef.dll!base::Thread::Run(MessageLoop * message_loop) Line 129 C++ libcef.dll!base::Thread::ThreadMain() Line 163 + 0x16 bytes C++ libcef.dll!base::`anonymous namespace'::ThreadFunc(void * params) Line 58 + 0xf bytes C++ 615184 1 139987 yurys 2012-05-03 05:27:12 -0700 Created attachment 139987 Patch 615189 2 yurys 2012-05-03 05:34:46 -0700 Committed r115964: <http://trac.webkit.org/changeset/115964> 139987 2012-05-03 05:27:12 -0700 2012-05-03 05:28:35 -0700 Patch bug-85394-20120503162710.patch text/plain 2636 yurys U3VidmVyc2lvbiBSZXZpc2lvbjogMTE1OTYxCmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9D aGFuZ2VMb2cgYi9Tb3VyY2UvV2ViQ29yZS9DaGFuZ2VMb2cKaW5kZXggOWY1ZjZiMGI4OTQ1MzYy NDViNzhhMzYyYWU1OWE1Nzk4YjVmZmE3MC4uNmNlYjc1MDMwN2YwMzk4ZjQ5ZDAxMDM4NTU1OWUz NjNiODE2MTFlNSAxMDA2NDQKLS0tIGEvU291cmNlL1dlYkNvcmUvQ2hhbmdlTG9nCisrKyBiL1Nv dXJjZS9XZWJDb3JlL0NoYW5nZUxvZwpAQCAtMSwzICsxLDE4IEBACisyMDEyLTA1LTAzICBZdXJ5 IFNlbWlraGF0c2t5ICA8eXVyeXNAY2hyb21pdW0ub3JnPgorCisgICAgICAgIFdlYiBJbnNwZWN0 b3I6IGNyYXNoIGluIEluc3BlY3RvclJlc291cmNlQWdlbnQ6OmRpZFJlY2VpdmVXZWJTb2NrZXRG cmFtZQorICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9ODUz OTQKKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICBQYXNz IHN0cmluZyBsZW5ndGggZXhwbGljaXRlbHkgd2hlbiBjcmVhdGluZyBTdHJpbmcgb2JqZWN0IGZy b20gbm9uLW51bGwtdGVybWluYXRlZAorICAgICAgICBjaGFyKiBzdHJpbmdzLgorCisgICAgICAg ICogaW5zcGVjdG9yL0luc3BlY3RvclJlc291cmNlQWdlbnQuY3BwOgorICAgICAgICAoV2ViQ29y ZSk6CisgICAgICAgIChXZWJDb3JlOjpJbnNwZWN0b3JSZXNvdXJjZUFnZW50OjpkaWRSZWNlaXZl V2ViU29ja2V0RnJhbWUpOgorICAgICAgICAoV2ViQ29yZTo6SW5zcGVjdG9yUmVzb3VyY2VBZ2Vu dDo6ZGlkU2VuZFdlYlNvY2tldEZyYW1lKToKKwogMjAxMi0wNC0zMCAgUGF2ZWwgRmVsZG1hbiAg PHBmZWxkbWFuQGNocm9taXVtLm9yZz4KIAogICAgICAgICBXZWIgSW5zcGVjdG9yOiBtaWdyYXRl IGJyZWFrcG9pbnQgbWFuYWdlciB0byBsaXZlIGxvY2F0aW9ucy4KZGlmZiAtLWdpdCBhL1NvdXJj ZS9XZWJDb3JlL2luc3BlY3Rvci9JbnNwZWN0b3JSZXNvdXJjZUFnZW50LmNwcCBiL1NvdXJjZS9X ZWJDb3JlL2luc3BlY3Rvci9JbnNwZWN0b3JSZXNvdXJjZUFnZW50LmNwcAppbmRleCBjNjg0NTQ1 NzQ0ZDgyNjkyNzBmOTBmMjJlYjcxZDNlZjQyYTJhNjVkLi4zNTdjMDNjOTcyYzkwMmMyOTAwZTRi OWZjOWEwNGM4MGUyMDVkNTY1IDEwMDY0NAotLS0gYS9Tb3VyY2UvV2ViQ29yZS9pbnNwZWN0b3Iv SW5zcGVjdG9yUmVzb3VyY2VBZ2VudC5jcHAKKysrIGIvU291cmNlL1dlYkNvcmUvaW5zcGVjdG9y L0luc3BlY3RvclJlc291cmNlQWdlbnQuY3BwCkBAIC00NTYsMjMgKzQ1NiwyMiBAQCB2b2lkIElu c3BlY3RvclJlc291cmNlQWdlbnQ6OmRpZENsb3NlV2ViU29ja2V0KHVuc2lnbmVkIGxvbmcgaWRl bnRpZmllcikKIHsKICAgICBtX2Zyb250ZW5kLT53ZWJTb2NrZXRDbG9zZWQoSWRlbnRpZmllcnNG YWN0b3J5OjpyZXF1ZXN0SWQoaWRlbnRpZmllciksIGN1cnJlbnRUaW1lKCkpOwogfQorCiB2b2lk IEluc3BlY3RvclJlc291cmNlQWdlbnQ6OmRpZFJlY2VpdmVXZWJTb2NrZXRGcmFtZSh1bnNpZ25l ZCBsb25nIGlkZW50aWZpZXIsIGNvbnN0IFdlYlNvY2tldEZyYW1lJiBmcmFtZSkKIHsKLSAgICBT dHJpbmcgcGF5bG9hZCA9IGZyYW1lLnBheWxvYWQ7CiAgICAgUmVmUHRyPFR5cGVCdWlsZGVyOjpO ZXR3b3JrOjpXZWJTb2NrZXRGcmFtZT4gZnJhbWVPYmplY3QgPSBUeXBlQnVpbGRlcjo6TmV0d29y azo6V2ViU29ja2V0RnJhbWU6OmNyZWF0ZSgpCiAgICAgICAgIC5zZXRPcGNvZGUoZnJhbWUub3BD b2RlKQogICAgICAgICAuc2V0TWFzayhmcmFtZS5tYXNrZWQpCi0gICAgICAgIC5zZXRQYXlsb2Fk RGF0YShwYXlsb2FkLnN1YnN0cmluZygwLCBmcmFtZS5wYXlsb2FkTGVuZ3RoKSk7CisgICAgICAg IC5zZXRQYXlsb2FkRGF0YShTdHJpbmcoZnJhbWUucGF5bG9hZCwgZnJhbWUucGF5bG9hZExlbmd0 aCkpOwogICAgIG1fZnJvbnRlbmQtPndlYlNvY2tldEZyYW1lUmVjZWl2ZWQoSWRlbnRpZmllcnNG YWN0b3J5OjpyZXF1ZXN0SWQoaWRlbnRpZmllciksIGN1cnJlbnRUaW1lKCksIGZyYW1lT2JqZWN0 KTsKIH0KIAogdm9pZCBJbnNwZWN0b3JSZXNvdXJjZUFnZW50OjpkaWRTZW5kV2ViU29ja2V0RnJh bWUodW5zaWduZWQgbG9uZyBpZGVudGlmaWVyLCBjb25zdCBXZWJTb2NrZXRGcmFtZSYgZnJhbWUp CiB7Ci0gICAgU3RyaW5nIHBheWxvYWQgPSBmcmFtZS5wYXlsb2FkOwogICAgIFJlZlB0cjxUeXBl QnVpbGRlcjo6TmV0d29yazo6V2ViU29ja2V0RnJhbWU+IGZyYW1lT2JqZWN0ID0gVHlwZUJ1aWxk ZXI6Ok5ldHdvcms6OldlYlNvY2tldEZyYW1lOjpjcmVhdGUoKQogICAgICAgICAuc2V0T3Bjb2Rl KGZyYW1lLm9wQ29kZSkKICAgICAgICAgLnNldE1hc2soZnJhbWUubWFza2VkKQotICAgICAgICAu c2V0UGF5bG9hZERhdGEocGF5bG9hZC5zdWJzdHJpbmcoMCwgZnJhbWUucGF5bG9hZExlbmd0aCkp OworICAgICAgICAuc2V0UGF5bG9hZERhdGEoU3RyaW5nKGZyYW1lLnBheWxvYWQsIGZyYW1lLnBh eWxvYWRMZW5ndGgpKTsKICAgICBtX2Zyb250ZW5kLT53ZWJTb2NrZXRGcmFtZVNlbnQoSWRlbnRp ZmllcnNGYWN0b3J5OjpyZXF1ZXN0SWQoaWRlbnRpZmllciksIGN1cnJlbnRUaW1lKCksIGZyYW1l T2JqZWN0KTsKIH0KIAo=