Bug 234724

Summary: SharedBuffer::takeData() is still dangerous
Product: WebKit Reporter: Jean-Yves Avenard [:jya] <jean-yves.avenard>
Component: WebCore Misc.Assignee: Jean-Yves Avenard [:jya] <jean-yves.avenard>
Status: RESOLVED FIXED    
Severity: Normal CC: darin, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: Other   
Hardware: Unspecified   
OS: Unspecified   
See Also: https://bugs.webkit.org/show_bug.cgi?id=228161
Bug Depends on:    
Bug Blocks: 232424    
Attachments:
Description Flags
Patch none

Jean-Yves Avenard [:jya]
Reported 2021-12-28 06:55:22 PST
This issue was first addressed in bug 228161 What this change did was to ensure that there was only one reference to the SharedBuffer before taking the data's vector otherwise would return a copy instead. But this isn't a sufficient condition to ensure that the DataSegment itself isn't shared. The same DataSegment can be shared across multiple SharedBuffers Consider the following code: auto buffer = SharedBuffer::create("my_data", 7); auto copy = buffer->copy(); auto innerData = copy->extractData(); now the original SharedBuffer `buffer` is empty (but still has a size of 7) as SharedBuffer::copy() will only do a shallow copy of the SharedBuffer. This is what caused the remaining errors in bug 232424.
Attachments
Patch (4.11 KB, patch)
2021-12-28 16:20 PST, Jean-Yves Avenard [:jya] 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2021-12-28 06:55:56 PST
<rdar://problem/86957233>
Jean-Yves Avenard [:jya]
Comment 2 2021-12-28 16:20:33 PST
Created attachment 448059 [details] Patch
EWS
Comment 3 2021-12-30 19:21:19 PST
Committed r287489 (245624@main): <https://commits.webkit.org/245624@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 448059 [details].
Note You need to log in before you can comment on or make changes to this bug.