Bug 54737

Summary:

Memory allocation error in convertV8ObjectToNPVariant() for strings

Product:

WebKit

Reporter:

Steve Block <steveblock>

Component:

WebCore Misc.

Assignee:

Nobody <webkit-unassigned>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

japhet, steveblock

Priority:

Version:

528+ (Nightly build)

Hardware:

All

OS:

All

Attachments:

Description	Flags
Patch	kling: review+

Steve Block

Reported 2011-02-18 03:08:48 PST

http://trac.webkit.org/changeset/76264 modified convertV8ObjectToNPVariant() to use malloc() and memcpy() rather than strdup(). This introduced a crashing bug as the null terminator is not included in the length used to allocate memory and copy the string.

Attachments
Patch (1.72 KB, patch) 2011-02-18 04:16 PST, Steve Block	kling: review+	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Steve Block

Comment 1 2011-02-18 04:16:31 PST

Created attachment 82941 [details] Patch

Andreas Kling

Comment 2 2011-02-18 04:23:55 PST

Comment on attachment 82941 [details] Patch LGTM.

Steve Block

Comment 3 2011-02-18 04:27:58 PST

Committed r78994: <http://trac.webkit.org/changeset/78994>

Note You need to log in before you can comment on or make changes to this bug.