Bug 43203

Summary: WebBackForwardList::back/ForwardListWithLimit() crashes if passed a limit larger than max int
Product: WebKit Reporter: John Sullivan <sullivan>
Component: WebKit2Assignee: John Sullivan <sullivan>
Status: RESOLVED FIXED    
Severity: Normal CC: aroben
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: All   
OS: All   
Attachments:
Description Flags
Patch to cast to unsigned rather than int, to avoid wrapping sam: review+

John Sullivan
Reported 2010-07-29 12:36:24 PDT
WebBackForwardList::backListWithLimit() and forwardListWithLimit() crash if the limit parameter, an unsigned value, is larger than numeric_limits<int>::max(). The crash occurs here, with i == 0 but an empty m_entries: WebBackForwardListItem* item = m_entries[i].get(); The crash occurs due to this incorrect logic: unsigned size = std::min(backListCount(), static_cast<unsigned>(limit)); if (!size) return ImmutableArray::create(); This is attempting to return early for the empty case, but casting the unsigned limit to an int can make it negative, and thus size is negative, and thus the test for !size fails. I've got a fix that I'll send out after lunch, if nobody beats me to it.
Attachments
Patch to cast to unsigned rather than int, to avoid wrapping (1.77 KB, patch)
2010-07-29 13:59 PDT, John Sullivan 		sam: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
John Sullivan
Comment 1 2010-07-29 13:59:53 PDT
Created attachment 62989 [details] Patch to cast to unsigned rather than int, to avoid wrapping
Adam Roben (:aroben)
Comment 2 2010-07-29 14:06:05 PDT
Comment on attachment 62989 [details] Patch to cast to unsigned rather than int, to avoid wrapping > - unsigned size = std::min(backListCount(), static_cast<int>(limit)); > + unsigned size = std::min(static_cast<unsigned>(backListCount()), limit); Why does backListCount return an int? Seems like it should return unsigned.
John Sullivan
Comment 3 2010-07-29 14:24:41 PDT
I agree that backForwardCount() should not return an int. Probably all of these functions should deal with size_t's. But I didn't want to get into that territory for this fix. Checked in as http://trac.webkit.org/changeset/64306
John Sullivan
Comment 4 2010-07-29 14:36:06 PDT
I filed a bug about the inconsistent use of types in this area: <https://bugs.webkit.org/show_bug.cgi?id=43214>
Note You need to log in before you can comment on or make changes to this bug.