Bug 140376

Summary:

Out of bounds read in IdentifierArena::makeIdentifier

Product:

WebKit

Reporter:

Geoffrey Garen <ggaren>

Component:

New Bugs

Assignee:

Geoffrey Garen <ggaren>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

ap, bfulgham

Priority:

Keywords:

InRadar

Version:

528+ (Nightly build)

Hardware:

Unspecified

OS:

Unspecified

Attachments:

Description	Flags
Patch	ggaren: review+

Geoffrey Garen

Reported 2015-01-12 16:54:56 PST

Out of bounds read in IdentifierArena::makeIdentifier

Attachments
Patch (2.38 KB, patch) 2015-01-12 17:00 PST, Geoffrey Garen	ggaren: review+	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Geoffrey Garen

Comment 1 2015-01-12 16:55:54 PST

Alexey says: IdentifierArena::makeIdentifier is sometimes called with an empty string, in which case it creates the identifier from garbage memory. Steps to reproduce: 1. Add ASSERT(length > 0); to IdentifierArena::makeIdentifier. 2. Open https://bugs.webkit.org/enter_bug.cgi?product=WebKit Results: the assertion fails. This out of bounds read is not harmless, because the value affects logic in this function, and then goes into an actual identifier. IdentifierArena::makeIdentifierLCharFromUChar has the same problem.

Geoffrey Garen

Comment 2 2015-01-12 16:58:27 PST

<rdar://problem/19437703>

Geoffrey Garen

Comment 3 2015-01-12 17:00:41 PST

Created attachment 244479 [details] Patch

Geoffrey Garen

Comment 4 2015-01-12 17:03:03 PST

Comment on attachment 244479 [details] Patch Alexey wrote and tested this patch. I tested it some more, and reviewed it.

Geoffrey Garen

Comment 5 2015-01-12 17:04:34 PST

Committed r178311: <http://trac.webkit.org/changeset/178311>

Note You need to log in before you can comment on or make changes to this bug.