Bug 31138

Summary: Uninitialized memory read in WebCore::Page::userStyleSheetLocationChanged()
Product: WebKit
Reporter: Dan Kegel <dank>
Component: WebCore Misc.
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal
CC: commit-queue
Priority: P2
Version: 528+ (Nightly build)
Hardware: PC
OS: OS X 10.5
Attachments:
Supply missing length argument to avoid buffer overrun (Flags: none)

Description Dan Kegel 2009-11-04 12:17:36 PST
Found via chromium linux layout valgrind bot on
LayoutTests/platform/mac/fast/loader/user-stylesheet-fast-path.html .
Valgrind complains

Invalid read of size 1
   at strlen (mc_replace_strmem.c:275)
   by WebCore::String::fromUTF8(char const*) (String.cpp:682)
   by WebCore::Page::userStyleSheetLocationChanged() (Page.cpp:545)
 Address 0xd60f4af is 0 bytes after a block of size 31 alloc'd
   at malloc (vg_replace_malloc.c:195)
   ...
   by WebCore::base64Decode(WTF::Vector<char, 0ul> const&, WTF::Vector<char, 0ul>&) (Base64.cpp:134)
   by WebCore::Page::userStyleSheetLocationChanged() (Page.cpp:544)

Looks like someone forgot to specify a length.  I'll attach a fix.
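As an added illustration of the failure mode in the trace above (example code written for this page; not code from the bug, the patch or WebKit): a stand-in base64 decoder that, like the decode in the stack trace, fills a vector with exactly the decoded bytes and no trailing NUL; two stand-ins for the String::fromUTF8 overloads, one of which has to strlen() its input; a precondition check that tells you whether a buffer may be handed to the length-less overload at all; and the buggy call shape beside the fixed one that passes the length. Every function name here is a hypothetical stand-in, and the base64 inputs are constructed test strings.

```cpp
#include <cstddef>
#include <cstring>
#include <string>
#include <vector>

// Hypothetical stand-in for WebCore::base64Decode (not WebKit's code).
// The output vector holds exactly the decoded bytes and no trailing NUL,
// which is the property that makes a strlen()-based consumer unsafe.
static bool decodeBase64(const std::string& in, std::vector<char>& out)
{
    static const char alphabet[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    out.clear();
    unsigned accum = 0;
    int bits = 0;
    for (char c : in) {
        if (c == '=')
            break; // padding: any leftover bits are discarded
        if (c == '\0')
            return false; // strchr would otherwise match the terminator
        const char* p = std::strchr(alphabet, c);
        if (!p)
            return false; // not a base64 character
        accum = (accum << 6) | static_cast<unsigned>(p - alphabet);
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            out.push_back(static_cast<char>((accum >> bits) & 0xff));
            accum &= (1u << bits) - 1; // keep only the unconsumed low bits
        }
    }
    return true;
}

// Hypothetical stand-ins for the two String::fromUTF8 overloads. The first
// has no length, so it must strlen() and reads until it finds a NUL,
// wherever that happens to be.
static std::string fromUTF8(const char* s)
{
    return std::string(s, std::strlen(s));
}
static std::string fromUTF8(const char* s, size_t length)
{
    return std::string(s, length);
}

// Precondition for the length-less overload: is there a NUL somewhere in the
// bytes we actually own? For a freshly base64-decoded buffer this is false.
static bool nulTerminatedWithin(const char* buf, size_t length)
{
    return std::memchr(buf, 0, length) != nullptr;
}

// The shape of the bug: decoded bytes handed to fromUTF8 without a length.
// strlen() walks off the end of `data`, which is Valgrind's
// "0 bytes after a block of size N". Kept for contrast only; never call it.
std::string decodeUserStyleSheetBuggy(const std::string& encoded)
{
    std::vector<char> data;
    if (!decodeBase64(encoded, data))
        return std::string();
    return fromUTF8(data.data()); // heap over-read
}

// The fixed shape: pass data.size(), so no terminator is required.
static std::string decodeUserStyleSheet(const std::string& encoded, bool& ok)
{
    std::vector<char> data;
    ok = decodeBase64(encoded, data);
    if (!ok)
        return std::string();
    return fromUTF8(data.data(), data.size());
}
```

The general rule this shows: a `const char*` overload is only safe on data you know is NUL-terminated; anything that comes out of a decoder, a file read or a network buffer carries its length separately, and that length is what the API should be given.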
Comment 1 Dan Kegel 2009-11-04 12:22:48 PST
Created attachment 42510 [details]
Supply missing length argument to avoid buffer overrun

Here it is!
Comment 2 Alexey Proskuryakov 2009-11-04 15:57:34 PST
Comment on attachment 42510 [details]
Supply missing length argument to avoid buffer overrun

+        * page/Page.cpp:
+        (WebCore::Page::userStyleSheetLocationChanged):
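Review bot: The ChangeLog entry under (WebCore::Page::userStyleSheetLocationChanged): names the function but does not say what changed; add a line stating that the base64-decoded buffer is not NUL-terminated, so its length is now passed to String::fromUTF8 instead of letting strlen() run past the end of the allocation, as the Valgrind trace in the description shows.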

Ideally, there should be per-function comments explaining changes.

r=me as is.
Comment 3 Eric Seidel (no email) 2009-11-04 22:14:52 PST
Comment on attachment 42510 [details]
Supply missing length argument to avoid buffer overrun

I wonder if there are other places we call fromUTF8 and need fixes? Since Dan's not a committer, adding this to the cq.
Comment 4 WebKit Commit Bot 2009-11-04 22:39:51 PST
Comment on attachment 42510 [details]
Supply missing length argument to avoid buffer overrun

Clearing flags on attachment: 42510

Committed r50545: <http://trac.webkit.org/changeset/50545>
Comment 5 WebKit Commit Bot 2009-11-04 22:39:55 PST
All reviewed patches have been landed.  Closing bug.