Bug 31138

Summary: Uninitialized memory read in WebCore::Page::userStyleSheetLocationChanged()
Product: WebKit
Reporter: Dan Kegel <dank>
Component: WebCore Misc.
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal
CC: commit-queue
Priority: P2
Version: 528+ (Nightly build)
Hardware: PC
OS: OS X 10.5
Attachments:
Supply missing length argument to avoid buffer overrun (flags: none)

Dan Kegel
Reported 2009-11-04 12:17:36 PST
Found via chromium linux layout valgrind bot on LayoutTests/platform/mac/fast/loader/user-stylesheet-fast-path.html. Valgrind complains:

  Invalid read of size 1
     at strlen (mc_replace_strmem.c:275)
     by WebCore::String::fromUTF8(char const*) (String.cpp:682)
     by WebCore::Page::userStyleSheetLocationChanged() (Page.cpp:545)
   Address 0xd60f4af is 0 bytes after a block of size 31 alloc'd
     at malloc (vg_replace_malloc.c:195)
     ...
     by WebCore::base64Decode(WTF::Vector<char, 0ul> const&, WTF::Vector<char, 0ul>&) (Base64.cpp:134)
     by WebCore::Page::userStyleSheetLocationChanged() (Page.cpp:544)

Looks like someone forgot to specify a length. I'll attach a fix.
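The trace above is the classic shape of this bug: a decoder hands back a buffer that holds exactly the decoded bytes and no terminator, and a consumer with a pointer-only signature calls strlen() on it, so the read runs off the end of the heap block (here, 0 bytes past a 31-byte allocation). The following is an added example written for this page, not WebKit's code: hypothetical stand-ins for base64Decode and the two String::fromUTF8 overloads, the buggy call shape beside the fixed one, and a length-bounded UTF-8 decoder that also handles the related edge case of a multi-byte sequence truncated at the end of the buffer. All names, the base64 payload and the sample strings are constructed for the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>

// Hypothetical stand-ins, not WebCore's code: a base64 decoder that, like
// WebCore::base64Decode, fills a vector with exactly the decoded bytes and no
// trailing NUL, and a fromUTF8 with both the pointer-only and the
// pointer-plus-length overloads that String::fromUTF8 offered.

static int base64Value(char c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

// Standard base64 with '=' padding. Returns false on an invalid character.
// Note what `out` does NOT contain afterwards: a terminating NUL.
static bool base64Decode(const std::string& in, std::vector<char>& out) {
    out.clear();
    uint32_t accum = 0;
    int bits = 0;
    for (char c : in) {
        if (c == '=') break;                       // padding: stop
        int v = base64Value(c);
        if (v < 0) return false;
        accum = (accum << 6) | static_cast<uint32_t>(v);
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            out.push_back(static_cast<char>((accum >> bits) & 0xFF));
            accum &= (1u << bits) - 1;             // keep only the leftover bits
        }
    }
    return true;
}

// Length-bounded UTF-8 decode: every byte read sits at an index < len, so a
// caller that passes the right length cannot cause an over-read even when the
// input ends in the middle of a multi-byte sequence. Malformed or truncated
// sequences become U+FFFD (overlong and surrogate rejection omitted here).
static std::u32string fromUTF8(const char* s, size_t len) {
    std::u32string out;
    const unsigned char* p = reinterpret_cast<const unsigned char*>(s);
    size_t i = 0;
    while (i < len) {
        unsigned char lead = p[i];
        size_t trail;                              // continuation bytes announced by the lead byte
        char32_t cp;
        if (lead < 0x80)                { trail = 0; cp = lead; }
        else if ((lead & 0xE0) == 0xC0) { trail = 1; cp = lead & 0x1F; }
        else if ((lead & 0xF0) == 0xE0) { trail = 2; cp = lead & 0x0F; }
        else if ((lead & 0xF8) == 0xF0) { trail = 3; cp = lead & 0x07; }
        else { out.push_back(0xFFFD); ++i; continue; }          // stray byte
        if (i + trail >= len) { out.push_back(0xFFFD); break; } // sequence would run past len
        size_t k = 1;
        for (; k <= trail; ++k) {
            if ((p[i + k] & 0xC0) != 0x80) break;              // bad continuation byte
            cp = (cp << 6) | (p[i + k] & 0x3F);
        }
        if (k <= trail) { out.push_back(0xFFFD); i += k; continue; } // resync at the bad byte
        out.push_back(cp);
        i += trail + 1;
    }
    return out;
}

// Pointer-only overload: correct only when `s` is NUL-terminated. Handing it a
// vector's data() is exactly the over-read in the valgrind trace.
static std::u32string fromUTF8(const char* s) {
    return fromUTF8(s, std::strlen(s));
}

// Shape of the call before the fix, kept for contrast. `text` carries no
// terminator, so strlen() keeps reading past the heap block. Do not call.
std::u32string userStyleSheetTextBuggy(const std::string& base64Payload) {
    std::vector<char> text;
    if (!base64Decode(base64Payload, text)) return std::u32string();
    return fromUTF8(text.data());                  // BUG: length not supplied
}

// After the fix: the length travels with the pointer.
std::u32string userStyleSheetText(const std::string& base64Payload) {
    std::vector<char> text;
    if (!base64Decode(base64Payload, text)) return std::u32string();
    return fromUTF8(text.data(), text.size());
}

int main() {
    // Constructed input: base64 of "body { color: red; }" (20 bytes, no NUL).
    std::u32string css = userStyleSheetText("Ym9keSB7IGNvbG9yOiByZWQ7IH0=");
    std::printf("decoded %zu code points\n", css.size());
    return 0;
}
```

Running the buggy variant under valgrind or AddressSanitizer reproduces the "0 bytes after a block" read; the fixed variant never touches an index at or beyond text.size(). The same discipline applies inside the decoder: the `i + trail >= len` check is what keeps a payload that ends with a lone lead byte from becoming a second over-read once the outer length bug is fixed.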
Attachments
Supply missing length argument to avoid buffer overrun (1.26 KB, patch)
2009-11-04 12:22 PST, Dan Kegel
no flags
Dan Kegel
Comment 1 2009-11-04 12:22:48 PST
Created attachment 42510 [details]
Supply missing length argument to avoid buffer overrun

Le voilà!
Alexey Proskuryakov
Comment 2 2009-11-04 15:57:34 PST
Comment on attachment 42510 [details]
Supply missing length argument to avoid buffer overrun

> + * page/Page.cpp:
> + (WebCore::Page::userStyleSheetLocationChanged):

Ideally, there should be per-function comments explaining changes. r=me as is.
Eric Seidel (no email)
Comment 3 2009-11-04 22:14:52 PST
Comment on attachment 42510 [details]
Supply missing length argument to avoid buffer overrun

I wonder if there are other places we call fromUTF8 and need fixes? Since Dan's not a committer, adding this to the cq.
WebKit Commit Bot
Comment 4 2009-11-04 22:39:51 PST
Comment on attachment 42510 [details]
Supply missing length argument to avoid buffer overrun

Clearing flags on attachment: 42510

Committed r50545: <http://trac.webkit.org/changeset/50545>
WebKit Commit Bot
Comment 5 2009-11-04 22:39:55 PST
All reviewed patches have been landed. Closing bug.