Bug 166622

Summary:

[EFL] fix buffer over-read in RenderThemeEfl::mediaControlsStyleSheet()

Product:

WebKit

Reporter:

Olivier Blin <olivier.blin>

Component:

WebKit EFL

Assignee:

Nobody <webkit-unassigned>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

benjamin, commit-queue, darin, esprehn+autocc, glenn, gyuyoung.kim, kondapallykalyan, lucas.de.marchi, magomez, mcatanzaro, zan

Priority:

Version:

Other

Hardware:

Unspecified

OS:

Unspecified

Attachments:

Description	Flags
Patch	none

Olivier Blin

Reported 2016-12-30 07:31:51 PST

This has been detected by a charactersAreAllASCII() assert failure. Initially in WebKitForWayland (WPE), but the code was likely borrowed from EFL. This is because ASCIILiteral() is wrongly used in mediaControlsStyleSheet(). mediaControlsBaseUserAgentStyleSheet is a char array, not a null-terminated string. It is thus incorrect to use StringImpl::createFromLiteral() that calls strlen() to get the string length. The String::ConstructFromLiteral constructor can not be used, since it skips the last character. The size should be explicitly passed to the String constructor.

Attachments
Patch (2.01 KB, patch) 2016-12-30 07:36 PST, Olivier Blin	no flags	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Olivier Blin

Comment 1 2016-12-30 07:36:57 PST

Created attachment 297858 [details] Patch

Gyuyoung Kim

Comment 2 2016-12-30 07:41:53 PST

Comment on attachment 297858 [details] Patch LGTM based on GTK port implementation.

WebKit Commit Bot

Comment 3 2016-12-30 08:17:23 PST

Comment on attachment 297858 [details] Patch Clearing flags on attachment: 297858 Committed r210213: <http://trac.webkit.org/changeset/210213>

WebKit Commit Bot

Comment 4 2016-12-30 08:17:29 PST

All reviewed patches have been landed. Closing bug.

Note You need to log in before you can comment on or make changes to this bug.