Bug 22932

Summary: Corrupt HTTP response cause NULL ptr
Product: WebKit
Reporter: Berend-Jan Wever <skylined>
Component: New Bugs
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED INVALID
Severity: Critical
CC: ap
Priority: P2
Keywords: InRadar
Version: 525.x (Safari 3.2)
Hardware: PC
OS: OS X 10.5
Attachments:
Small server that can be used to repro this case (flags: none)

Description Berend-Jan Wever 2008-12-19 06:06:59 PST
A server replying with 'HTTP/.1 409\n:"\rB\n \n' can cause Safari to crash because of a NULL ptr Read AV.

I have a zip with a small server written in Python that can be used to serve the repro. Install Python, unzip the file and run:

ReproServer.py "AMD-SKYLINED-NL - Safari 525.26.13 (WebKit 525.26.2) - 0640018F - ReadAV(mov)[4]@CoreFoundation!CFCharacterSetInitInlineBuffer+0x357.asResponseLog.zuul3.pickle"

Then browse to http://localhost:28876 in Safari to see the crash.

As soon as I figure out how to upload it, I'll do so.
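The response bytes quoted in the description violate the HTTP/1.x grammar in several places at once (no version digits before the dot, an empty header field name, a bare CR inside a header value, and a line starting with whitespace). The check below is an added example showing how a strict receiver-side validator reports each of those defects before any header is acted on; it is not code from the attached ReproServer.py or from WebKit. The grammar rules follow RFC 7230, the corrupt input is the one quoted in the report, and the well-formed response it is compared against is a constructed sample.

```python
from __future__ import annotations
import re

# status-line = HTTP-version SP status-code [ SP reason-phrase ] (RFC 7230 s3.1.2)
STATUS_LINE_RE = re.compile(rb"\AHTTP/(\d)\.(\d) (\d{3}) ?([\t !-~\x80-\xff]*)\Z")
# field-name is a token: visible ASCII minus separators, never empty (RFC 7230 s3.2)
TOKEN_RE = re.compile(rb"\A[!#$%&'*+\-.^_`|~0-9A-Za-z]+\Z")
# control characters that may not appear in a field value (HTAB is the one exception)
CTL_RE = re.compile(rb"[\x00-\x08\x0a-\x1f\x7f]")

# Malformed response quoted in the bug description.
CORRUPT_RESPONSE = b'HTTP/.1 409\n:"\rB\n \n'
# Constructed sample of a well-formed 409 response head.
GOOD_RESPONSE = b"HTTP/1.1 409 Conflict\r\nContent-Length: 0\r\nContent-Type: text/plain\r\n\r\n"


def validate_response_head(raw: bytes) -> list[str]:
    """Return every grammar violation found in an HTTP/1.x response head.

    Lines are split leniently (CRLF or bare LF), the way many real parsers do,
    so that every defect in the content is reported rather than only the first;
    a stray CR left inside a line is still flagged as a control character.
    An empty list means the head is well formed.
    """
    errors: list[str] = []
    lines = re.split(rb"\r?\n", raw)
    try:
        end = lines.index(b"")  # the head ends at the first empty line
    except ValueError:
        errors.append("header block not terminated by an empty line")
        end = len(lines)
    if end == 0:
        errors.append("missing status line")
        return errors

    status = lines[0]
    if not STATUS_LINE_RE.match(status):
        errors.append(f"malformed status line {status!r}")

    for i, line in enumerate(lines[1:end], start=1):
        if line[:1] in (b" ", b"\t"):
            # obs-fold continuation lines are deprecated and a classic parser trap
            errors.append(f"header {i}: obsolete line folding {line!r}")
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            errors.append(f"header {i}: no ':' separator in {line!r}")
            continue
        if not TOKEN_RE.match(name):
            errors.append(f"header {i}: invalid field name {name!r}")
        if CTL_RE.search(value):
            errors.append(f"header {i}: control character in value {value!r}")
    return errors


def is_well_formed(raw: bytes) -> bool:
    """True only when the response head passes every check above."""
    return not validate_response_head(raw)


if __name__ == "__main__":
    for label, sample in (("corrupt", CORRUPT_RESPONSE), ("good", GOOD_RESPONSE)):
        print(f"{label}: {validate_response_head(sample) or 'well formed'}")
```

A parser that validates this way has a single rejection point for a malformed head and never reaches header processing with an empty field name or an unterminated line, which is the class of input the report describes as crashing the client.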
Comment 1 Berend-Jan Wever 2008-12-19 06:08:22 PST
Created attachment 26141 [details]
Small server that can be used to repro this case

As described in my first comment.
Comment 2 Alexey Proskuryakov 2008-12-19 12:42:00 PST
<rdar://problem/6459413>
Comment 3 Alexey Proskuryakov 2008-12-19 12:48:40 PST
Closing as INVALID, as HTTP response parsing is performed by Apple closed source frameworks. Thank you for reporting this issue, it will continue to be tracked by Apple internally.

I couldn't reproduce this on Mac OS X 10.5.6. I didn't try to reproduce on Windows.