Bug 22932

Summary: Corrupt HTTP response cause NULL ptr
Product: WebKit Reporter: Berend-Jan Wever <skylined>
Component: New BugsAssignee: Nobody <webkit-unassigned>
Status: RESOLVED INVALID    
Severity: Critical CC: ap
Priority: P2 Keywords: InRadar
Version: 525.x (Safari 3.2)   
Hardware: PC   
OS: OS X 10.5   
Attachments:
Description Flags
Small server that can be used to repro this case none

Berend-Jan Wever
Reported 2008-12-19 06:06:59 PST
I server replying with 'HTTP/.1 409\n:"\rB\n \n' can cause Safari to crash because of a NULL ptr Read AV. A have a zip with a small server written in python that can be used to serve the repro. Install python, unzip the file and run: ReproServer.py "AMD-SKYLINED-NL - Safari 525.26.13 (WebKit 525.26.2) - 0640018F - ReadAV(mov)[4]@CoreFoundation!CFCharacterSetInitInlineBuffer+0x357.asResponseLog.zuul3.pickle" Then browser to http://localhost:28876 in Safari to see the crash. As soon as I figure out how to upload it, I'll do so.
Attachments
Small server that can be used to repro this case (1.61 KB, application/x-zip-compressed)
2008-12-19 06:08 PST, Berend-Jan Wever 		no flags
Details
View All Add attachment proposed patch, testcase, etc.
Berend-Jan Wever
Comment 1 2008-12-19 06:08:22 PST
Created attachment 26141 [details] Small server that can be used to repro this case As described in my first comment.
Alexey Proskuryakov
Comment 2 2008-12-19 12:42:00 PST
<rdar://problem/6459413>
Alexey Proskuryakov
Comment 3 2008-12-19 12:48:40 PST
Closing as INVALID, as HTTP response parsing in performed by Apple closed source frameworks. Thank you for reporting this issue, it will continue to be tracked by Apple internally. I couldn't reproduce this on Mac OS X 10.5.6. I didn't try to reproduce on Windows.
Note You need to log in before you can comment on or make changes to this bug.