Bug 234916

Summary: length argument passed to didReceiveData can never be negative.
Product: WebKit Reporter: Jean-Yves Avenard [:jya] <jean-yves.avenard>
Component: WebCore Misc.Assignee: Jean-Yves Avenard [:jya] <jean-yves.avenard>
Severity: Normal CC: ews-watchlist, hi, joepeck, pangle, webkit-bug-importer, youennf
Priority: P2 Keywords: InRadar
Version: Other   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on:    
Bug Blocks: 232424    
Description Flags
Patch none

Description Jean-Yves Avenard [:jya] 2022-01-06 03:17:14 PST
As seen in bug 232424;

We have code pattern such as:

    void didReceiveData(const uint8_t* data, int dataLength) override
        if (!dataLength)

        if (dataLength == -1)
            dataLength = strlen(reinterpret_cast<const char*>(data));

        m_responseText.append(m_decoder->decode(data, dataLength));

If the dataLength argument passed is negative; then the length will be calculated from running strlen on the uint8_t buffer.

We also have this code pattern in:
- XMLHttpRequest::didReceiveData
- WorkerScriptLoader::didReceiveData

The common code path to end in those routines is from : DocumentThreadableLoader::didReceiveData

The data itself originates from the network process where to carry the size it will use either a size_t (unsigned) or a FragmentedSharedBuffer (also unsigned size() ) so the size_t ends up being cast to an int64_t over IPC and cast again to an int.

If the data is cached; it originates from CachedRawResource::didAddClient
            if (m_data) {
                m_data->forEachSegment([&](auto& segment) {
                    if (hasClient(*client))
                        client->dataReceived(*this, segment.data(), segment.size());
and here segment.size() returns a size_t

if the data is not cached, it comes from:
void SubresourceLoader::didReceiveBuffer or SubresourceLoader::didReceiveData; which in either case will use an unsigned for the dataLength.

For non-webkit 2 code; the curl library always use size_t to pass the data length ; cocoa platform are using NSData which also uses an unsigned int to specify the size.

In some code such as:
bool FrameLoader::willLoadMediaElementURL
we have length set to -1:

however, in this case the const uint8_t* is null and as such the length parameter is not used.

length/dataLength as used with didReceiveData methods can never be negative.

To simplify bug 232424, as mentioned in the review, we should simplify the code separately and remove the test checking that the length == -1.
Comment 1 Radar WebKit Bug Importer 2022-01-06 03:17:50 PST
Comment 2 Jean-Yves Avenard [:jya] 2022-01-06 03:53:14 PST
Created attachment 448485 [details]
Comment 3 EWS 2022-01-06 05:04:33 PST
Committed r287681 (245777@main): <https://commits.webkit.org/245777@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 448485 [details].