Bug 140376

Summary: Out of bounds read in IdentifierArena::makeIdentifier
Product: WebKit
Reporter: Geoffrey Garen <ggaren>
Component: New Bugs
Assignee: Geoffrey Garen <ggaren>
Status: RESOLVED FIXED
Severity: Normal
CC: ap, bfulgham
Priority: P2
Keywords: InRadar
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Attachments:
Description Flags
Patch ggaren: review+

Description Geoffrey Garen 2015-01-12 16:54:56 PST
Out of bounds read in IdentifierArena::makeIdentifier
Comment 1 Geoffrey Garen 2015-01-12 16:55:54 PST
Alexey says:

IdentifierArena::makeIdentifier is sometimes called with an empty string, in which case it creates the identifier from garbage memory.

Steps to reproduce:
1. Add ASSERT(length > 0); to IdentifierArena::makeIdentifier.
2. Open https://bugs.webkit.org/enter_bug.cgi?product=WebKit

Results: the assertion fails.

This out of bounds read is not harmless, because the value affects logic in this function, and then goes into an actual identifier.

IdentifierArena::makeIdentifierLCharFromUChar has the same problem.
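Added illustration (not WebKit's code and not the patch attached to this bug): a hypothetical, much simplified identifier arena whose fast-path decision inspects the first character before confirming that the string is non-empty, which is the shape of defect Alexey describes, beside a hardened version that checks `length` first and maps the empty string to one shared identifier. The `GuardedChars` view stands in for the `ASSERT(length > 0)` from the reproduction steps (or an AddressSanitizer build): it counts any read past `length` instead of performing it, so the bad access becomes observable in a test without touching out-of-bounds memory. The names, the single-character cache and its 128 threshold are assumptions for the example.

```cpp
#include <cstddef>
#include <deque>
#include <string>
#include <utility>

// Hypothetical bounds-recording view over a character buffer (example only).
// Reads at index >= length are counted, not performed; a real build with a
// raw pointer would read whatever byte happens to follow the buffer.
struct GuardedChars {
    const char* data;
    size_t length;
    mutable unsigned outOfBoundsReads;

    GuardedChars(const char* d, size_t n) : data(d), length(n), outOfBoundsReads(0) {}

    char at(size_t i) const {
        if (i >= length) {
            ++outOfBoundsReads;
            return 0;
        }
        return data[i];
    }
};

struct Identifier {
    std::string value;
    bool cached; // true for the shared empty / single-character entries
    Identifier() : cached(false) {}
    Identifier(std::string v, bool c) : value(std::move(v)), cached(c) {}
};

// Hypothetical arena mirroring the bug's shape; the threshold is an assumption.
class IdentifierArena {
public:
    static const unsigned kMaximumCachableCharacter = 128;

    // Vulnerable shape: characters[0] is examined before length is known to be > 0,
    // so an empty input reads one byte past the buffer and that garbage byte then
    // decides which path the identifier takes.
    const Identifier& makeIdentifierUnchecked(const GuardedChars& chars) {
        if (static_cast<unsigned char>(chars.at(0)) >= kMaximumCachableCharacter)
            return appendNew(chars);
        if (chars.length == 1)
            return cachedSingle(chars.at(0));
        return appendNew(chars);
    }

    // Hardened shape: the length check comes first and the empty string resolves
    // to one shared identifier, so no byte of an empty buffer is ever read.
    const Identifier& makeIdentifier(const GuardedChars& chars) {
        if (!chars.length)
            return m_empty;
        if (static_cast<unsigned char>(chars.at(0)) >= kMaximumCachableCharacter)
            return appendNew(chars);
        if (chars.length == 1)
            return cachedSingle(chars.at(0));
        return appendNew(chars);
    }

private:
    const Identifier& appendNew(const GuardedChars& chars) {
        std::string s;
        for (size_t i = 0; i < chars.length; ++i)
            s.push_back(chars.at(i));
        m_identifiers.emplace_back(s, false); // deque keeps earlier references valid
        return m_identifiers.back();
    }

    const Identifier& cachedSingle(char c) {
        Identifier& slot = m_singleCharCache[static_cast<unsigned char>(c)];
        if (slot.value.empty())
            slot = Identifier(std::string(1, c), true);
        return slot;
    }

    Identifier m_empty{"", true};
    Identifier m_singleCharCache[kMaximumCachableCharacter];
    std::deque<Identifier> m_identifiers;
};

// Constructed zero-length input: what the reproduction steps trigger.
static const char kEmptyInput[1] = {0};

// Number of out-of-bounds reads the unchecked shape attempts on empty input (1).
unsigned outOfBoundsReadsUnchecked() {
    IdentifierArena arena;
    GuardedChars chars(kEmptyInput, 0);
    arena.makeIdentifierUnchecked(chars);
    return chars.outOfBoundsReads;
}

// Number of out-of-bounds reads the hardened shape attempts on empty input (0).
unsigned outOfBoundsReadsHardened() {
    IdentifierArena arena;
    GuardedChars chars(kEmptyInput, 0);
    arena.makeIdentifier(chars);
    return chars.outOfBoundsReads;
}

// Value and cache flag the hardened shape produces for a normal input.
std::string hardenedValue(const char* s, size_t n) {
    IdentifierArena arena;
    return arena.makeIdentifier(GuardedChars(s, n)).value;
}

bool hardenedIsCached(const char* s, size_t n) {
    IdentifierArena arena;
    return arena.makeIdentifier(GuardedChars(s, n)).cached;
}
```

The point of the guarded view is the same as the `ASSERT(length > 0)` in the report: a read that depends on the first character must be ordered after the check that there is a first character, and a test that feeds a zero-length buffer through both shapes makes the difference measurable rather than silent.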
Comment 2 Geoffrey Garen 2015-01-12 16:58:27 PST
<rdar://problem/19437703>
Comment 3 Geoffrey Garen 2015-01-12 17:00:41 PST
Created attachment 244479 [details]
Patch
Comment 4 Geoffrey Garen 2015-01-12 17:03:03 PST
Comment on attachment 244479 [details]
Patch

Alexey wrote and tested this patch. I tested it some more, and reviewed it.
Comment 5 Geoffrey Garen 2015-01-12 17:04:34 PST
Committed r178311: <http://trac.webkit.org/changeset/178311>