Bug 44096

Summary: Geolocation clearWatch() needs to protect against invalid IDs
Product: WebKit
Reporter: Steve Block <steveblock>
Component: WebCore Misc.
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal
CC: commit-queue, darin, ddkilzer, jorlow, jschuh, steveblock
Priority: P2
Version: 528+ (Nightly build)
Hardware: All
OS: All
Attachments: Patch (flags: none)

Steve Block
Reported 2010-08-17 03:05:35 PDT
Geolocation uses HashMap to store watch requests, keyed off the watch ID. Key values of 0 or -1 must not be used with HashMap. Geolocation does not use these values internally, but we need to protect against them being passed to clearWatch() from JavaScript. This was first reported in https://bugs.webkit.org/show_bug.cgi?id=39879#c60
Attachments
Patch (6.58 KB, patch)
2010-08-17 03:19 PDT, Steve Block
no flags
Steve Block
Comment 1 2010-08-17 03:19:44 PDT
Jeremy Orlow
Comment 2 2010-08-17 13:36:12 PDT
Comment on attachment 64570
Patch

r=me

Why would this crash though? Maybe the problem should be fixed within HashMap (or whatever's causing it)?
Darin Adler
Comment 3 2010-08-17 14:09:58 PDT
(In reply to comment #2)
> Maybe the problem should be fixed within HashMap (or whatever's causing it)?

Changing HashMap itself directly is probably out of the question. HashMap achieves its speed in part by reserving values. We could use a hash table with a different design, but we've repeatedly reaffirmed our desire to use this.

Putting the fix closer to the use of the HashMap object would make sense for some call sites like these. We could add some new functions to HashMap called safeFind and safeGet that would work more slowly and check for the empty and deleted values, for uses in sites like these where we need the reliable but slower behavior. That might be a cleaner fix than the higher level validity checks.
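To make the hazard from the description and the guard discussed in comments 2 and 3 concrete, here is an added stand-alone example (not WebKit code, and not the landed patch): a toy open-addressing table that reserves 0 and -1 the way WTF::HashMap does for integer keys, an unchecked remove() that goes wrong when handed a reserved key, and a Geolocation-style clearWatch() that rejects such IDs before touching the table. The class names, bucket count and probing scheme are assumptions chosen for illustration.

```cpp
#include <cstddef>
#include <vector>

// Toy open-addressing table that, like WTF::HashMap with integer keys,
// reserves 0 as the "empty bucket" marker and -1 as the "deleted bucket" tombstone.
class IntTable {
public:
    static constexpr int kEmpty = 0;
    static constexpr int kDeleted = -1;
    explicit IntTable(std::size_t buckets = 16) : m_keys(buckets, int(kEmpty)), m_values(buckets, 0) {}
    static bool isValidKey(int key) { return key != kEmpty && key != kDeleted; }

    void set(int key, int value) {          // caller must guarantee isValidKey(key)
        std::size_t i = probe(key);
        if (m_keys[i] != key) { m_keys[i] = key; ++m_count; }
        m_values[i] = value;
    }
    // Unchecked remove in the spirit of HashMap::remove(): trusts that key is not a sentinel.
    bool remove(int key) {
        std::size_t i = probe(key);
        if (m_keys[i] != key) return false;
        m_keys[i] = kDeleted;               // for key == 0 this turns an *empty* bucket into a
        --m_count;                          // tombstone and corrupts the entry count
        return true;
    }
    int count() const { return m_count; }

private:
    // Linear probe: stops at the bucket holding key, or at the first empty bucket.
    std::size_t probe(int key) const {
        std::size_t i = static_cast<unsigned>(key) % m_keys.size();
        while (m_keys[i] != key && m_keys[i] != kEmpty) i = (i + 1) % m_keys.size();
        return i;
    }
    std::vector<int> m_keys, m_values;
    int m_count = 0;
};

// Geolocation-style watcher registry with the guard the bug asks for in clearWatch().
class Watchers {
public:
    void add(int watchId, int cb) { if (IntTable::isValidKey(watchId)) m_table.set(watchId, cb); }
    bool clearWatch(int watchId) {
        if (!IntTable::isValidKey(watchId)) return false;   // reject 0 and -1 coming from JavaScript
        return m_table.remove(watchId);
    }
    int count() const { return m_table.count(); }
private:
    IntTable m_table;
};
```

Calling the raw table's remove(0) reports success and decrements the count even though no watch was registered under 0; the guarded clearWatch(0) simply returns false and leaves the table untouched.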
WebKit Commit Bot
Comment 4 2010-08-17 16:06:07 PDT
Comment on attachment 64570
Patch

Clearing flags on attachment: 64570

Committed r65570: <http://trac.webkit.org/changeset/65570>
WebKit Commit Bot
Comment 5 2010-08-17 16:06:12 PDT
All reviewed patches have been landed. Closing bug.