Bug 51431

Summary: -[WebBasePluginPackage isNativeLibraryData:] integer overflows on zero-sized data
Product: WebKit
Reporter: Cameron Zwarich (cpst) <zwarich>
Component: Plug-ins
Assignee: Cameron Zwarich (cpst) <zwarich>
Status: RESOLVED FIXED
Severity: Normal
CC: rcombs
Priority: P2
Keywords: InRadar
Version: 528+ (Nightly build)
Hardware: PC
OS: OS X 10.5
Attachments:
Description: Proposed path
Flags: darin: review+, zwarich: commit-queue-

Cameron Zwarich (cpst)
Reported 2010-12-21 16:25:19 PST
This is due to bug 51144.
Attachments
Proposed path (1.25 KB, patch)
2010-12-21 16:28 PST, Cameron Zwarich (cpst)
darin: review+
zwarich: commit-queue-
Cameron Zwarich (cpst)
Comment 1 2010-12-21 16:26:53 PST
Cameron Zwarich (cpst)
Comment 2 2010-12-21 16:28:57 PST
Created attachment 77163 [details] Proposed path
Darin Adler
Comment 3 2010-12-21 16:37:03 PST
Comment on attachment 77163 [details]
Proposed path

View in context: https://bugs.webkit.org/attachment.cgi?id=77163&action=review

> WebKit/mac/Plugins/WebBasePluginPackage.mm:358
> + if (!sizeInBytes)
> + return NO;
> +
> Vector<uint32_t, 128> rawData((sizeInBytes - 1) / 4 + 1);

I would suggest just using (sizeInBytes + 3) / 4 rather than adding this null check.
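Review bot: The `if (!sizeInBytes) return NO;` guard added before the `Vector` construction at WebBasePluginPackage.mm:358 patches the symptom but leaves the dangerous expression `(sizeInBytes - 1) / 4 + 1` in place; with an unsigned `sizeInBytes` (which is what the wrap-around in the summary implies) a value of 0 makes `sizeInBytes - 1` wrap to the type's maximum, so the Vector is asked for roughly a quarter of that many `uint32_t` elements. Replacing the expression with `(sizeInBytes + 3) / 4`, as suggested, removes the subtraction entirely: it yields 0 for zero-length data and the same rounded-up word count for every other size, so the extra early return is no longer needed and there is one fewer special case to keep in sync. The only way `sizeInBytes + 3` can itself wrap is for a length within 3 of the type's maximum, which no real data buffer reaches, so no additional check is required there.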
Cameron Zwarich (cpst)
Comment 4 2010-12-21 17:04:02 PST
Thanks, that sounds better.
Cameron Zwarich (cpst)
Comment 5 2010-12-21 18:16:32 PST
Fixed in r74446.
Alexey Proskuryakov
Comment 6 2010-12-23 10:39:31 PST
*** Bug 51519 has been marked as a duplicate of this bug. ***