Bug 65420

Summary: WebKit2 crashes on attempt to decode null image
Product: WebKit
Reporter: Oleg Romashin (:romaxa) <romaxa>
Component: WebKit2
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED DUPLICATE
Severity: Normal
CC: andersca, darin
Priority: P2
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Bug Depends on:
Bug Blocks: 64321
Attachments:
Fix crash on attempt to decode null image (darin: review-)
Fix crash on attempt to decode null image v2 (darin: review-)

Oleg Romashin (:romaxa)
Reported 2011-07-30 16:54:43 PDT
I'm using Qt WebKit2 build http://svn.webkit.org/repository/webkit/trunk@91765 (before Qt5 changes).

Steps to reproduce:
1. Open maps.google.com
2. Try to scroll google maps content

Result: crash

The crash started happening after bug 64321 was fixed.

#0 0xb55e880d in WebKit::ShareableBitmap::createQImage (this=0x0) at ../../../Source/WebKit2/Shared/qt/ShareableBitmapQt.cpp:42
#1 0xb55e89c1 in WebKit::ShareableBitmap::createGraphicsContext (this=0x0) at ../../../Source/WebKit2/Shared/qt/ShareableBitmapQt.cpp:56
#2 0xb55d0692 in CoreIPC::encodeImage (encoder=0xacc28758, image=0x9786a58) at ../../../Source/WebKit2/Shared/WebCoreArgumentCoders.cpp:294
#3 0xb55d0927 in CoreIPC::ArgumentCoder<WebCore::Cursor>::encode (encoder=0xacc28758, cursor=...) at ../../../Source/WebKit2/Shared/WebCoreArgumentCoders.cpp:324
#4 0xb563a720 in CoreIPC::ArgumentEncoder::encode<WebCore::Cursor> (this=0xacc28758, t=...) at ../../../Source/WebKit2/Platform/CoreIPC/ArgumentEncoder.h:66
#5 0xb563a634 in CoreIPC::Arguments1<WebCore::Cursor const&>::encode (this=0xbfd4bf9c, encoder=0xacc28758) at ../../../Source/WebKit2/Platform/CoreIPC/Arguments.h:72
#6 0xb563a3b5 in CoreIPC::ArgumentCoder<Messages::WebPageProxy::SetCursor>::encode (encoder=0xacc28758, t=...) at ../../../Source/WebKit2/Platform/CoreIPC/ArgumentCoder.h:39
#7 0xb5639ed6 in CoreIPC::ArgumentEncoder::encode<Messages::WebPageProxy::SetCursor> (this=0xacc28758, t=...) at ../../../Source/WebKit2/Platform/CoreIPC/ArgumentEncoder.h:66
#8 0xb5638fe8 in CoreIPC::MessageSender<WebKit::WebPage>::send<Messages::WebPageProxy::SetCursor> (this=0xb0c00b10, message=..., destinationID=1) at ../../../Source/WebKit2/Platform/CoreIPC/MessageSender.h:44
#9 0xb56378f7 in CoreIPC::MessageSender<WebKit::WebPage>::send<Messages::WebPageProxy::SetCursor> (this=0xb0c00b10, message=...) at ../../../Source/WebKit2/Platform/CoreIPC/MessageSender.h:38
#10 0xb56352d3 in WebKit::WebChromeClient::setCursor (this=0xb0c00488, cursor=...) at ../../../Source/WebKit2/WebProcess/WebCoreSupport/WebChromeClient.cpp:648
#11 0xb5b0f9b7 in WebCore::Chrome::setCursor (this=0xb0c00fb8, cursor=...) at ../../../Source/WebCore/page/Chrome.cpp:487
#12 0xb5dd9d99 in QXmlStreamAttribute::namespaceUri (this=0xbfd4c0a0) at /usr/include/qt4/QtCore/qxmlstream.h:148
#13 0xb5b3862f in WebCore::EventHandler::handleMouseReleaseEvent (this=0x9668f44, mouseEvent=...) at ../../../Source/WebCore/page/EventHandler.cpp:1718
#14 0xb5b37e87 in WebCore::EventHandler::handleMouseMoveEvent (this=0x9668f44, mouseEvent=..., hoveredNode=0xbfd4c178) at ../../../Source/WebCore/page/EventHandler.cpp:1636
#15 0xb5578f14 in WebKit::handleMouseEvent (mouseEvent=..., page=0xb0c00f00) at ../../../Source/WebKit2/WebProcess/WebPage/WebPage.cpp:1053
#16 0xb5579034 in WebKit::WebPage::mouseEvent (this=0xb0c00b10, mouseEvent=...) at ../../../Source/WebKit2/WebProcess/WebPage/WebPage.cpp:1079
#17 0xb559f779 in CoreIPC::callMemberFunction<WebKit::WebPage, void (WebKit::WebPage::*)(WebKit::WebMouseEvent const&), WebKit::WebMouseEvent> (args=..., object=0xb0c00b10, function=(void (WebKit::WebPage::*)(WebKit::WebPage *, const WebKit::WebMouseEvent &)) 0xb5578f60 <WebKit::WebPage::mouseEvent(WebKit::WebMouseEvent const&)>) at ../../../Source/WebKit2/Platform/CoreIPC/HandleMessage.h:19
#18 0xb559d553 in CoreIPC::handleMessage<Messages::WebPage::MouseEvent, WebKit::WebPage, void (WebKit::WebPage::*)(WebKit::WebMouseEvent const&)> (argumentDecoder=0x9a18628, object=0xb0c00b10, function=(void (WebKit::WebPage::*)(WebKit::WebPage *, const WebKit::WebMouseEvent &)) 0xb5578f60 <WebKit::WebPage::mouseEvent(WebKit::WebMouseEvent const&)>) at ../../../Source/WebKit2/Platform/CoreIPC/HandleMessage.h:277
#19 0xb559be44 in WebKit::WebPage::didReceiveWebPageMessage (this=0xb0c00b10, messageID=..., arguments=0x9a18628) at generated/WebPageMessageReceiver.cpp:104
#20 0xb557d00f in WebKit::WebPage::didReceiveMessage (this=0xb0c00b10, connection=0x963a528, messageID=..., arguments=0x9a18628) at ../../../Source/WebKit2/WebProcess/WebPage/WebPage.cpp:2086
#21 0xb558950b in WebKit::WebProcess::didReceiveMessage (this=0x963a190, connection=0x963a528, messageID=..., arguments=0x9a18628) at ../../../Source/WebKit2/WebProcess/WebProcess.cpp:641
#22 0xb55b80bc in CoreIPC::Connection::dispatchMessage (this=0x963a528, message=...) at ../../../Source/WebKit2/Platform/CoreIPC/Connection.cpp:677
#23 0xb55b8265 in CoreIPC::Connection::dispatchMessages (this=0x963a528) at ../../../Source/WebKit2/Platform/CoreIPC/Connection.cpp:704
#24 0xb55c0a21 in MemberFunctionWorkItem0<CoreIPC::Connection>::execute (this=0x99f6c10) at ../../../Source/WebKit2/Platform/WorkItem.h:79
#25 0xb54be18d in RunLoop::performWork (this=0x9638048) at ../../../Source/WebKit2/Platform/RunLoop.cpp:63
#26 0xb54bf164 in RunLoop::TimerObject::performWork (this=0x9525840) at ../../../Source/WebKit2/Platform/qt/RunLoopQt.cpp:49
#27 0xb54bfc16 in RunLoop::TimerObject::qt_metacall (this=0x9525840, _c=QMetaObject::InvokeMetaMethod, _id=0, _a=0x98f49d8) at ./RunLoopQt.moc:71
#28 0xb2a36e4d in QMetaObject::metacall(QObject*, QMetaObject::Call, int, void**) () from /usr/lib/libQtCore.so.4
#29 0xb2a41795 in QMetaCallEvent::placeMetaCall(QObject*) () from /usr/lib/libQtCore.so.4
#30 0xb2a48caf in QObject::event(QEvent*) () from /usr/lib/libQtCore.so.4
#31 0xb2e090a4 in QApplicationPrivate::notify_helper(QObject*, QEvent*) () from /usr/lib/libQtGui.so.4
#32 0xb2e0e432 in QApplication::notify(QObject*, QEvent*) () from /usr/lib/libQtGui.so.4
#33 0xb2a30a9e in QCoreApplication::notifyInternal(QObject*, QEvent*) () from /usr/lib/libQtCore.so.4
#34 0xb2a34264 in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) () from /usr/lib/libQtCore.so.4
Attachments
Fix crash on attempt to decode null image (1.12 KB, patch) - 2011-07-30 22:46 PDT, Oleg Romashin (:romaxa) - darin: review-
Fix crash on attempt to decode null image v2 (1.21 KB, patch) - 2011-07-30 23:07 PDT, Oleg Romashin (:romaxa) - darin: review-
Oleg Romashin (:romaxa)
Comment 1 2011-07-30 22:46:01 PDT
Created attachment 102452 [details]
Fix crash on attempt to decode null image
Oleg Romashin (:romaxa)
Comment 2 2011-07-30 23:07:40 PDT
Created attachment 102455 [details]
Fix crash on attempt to decode null image v2

Another version, suggested in https://bugs.webkit.org/show_bug.cgi?id=64321#c6
Darin Adler
Comment 3 2011-07-30 23:08:42 PDT
Comment on attachment 102452 [details]
Fix crash on attempt to decode null image

This change is incorrect. While this will not crash, it will create an encoded argument that will not decode properly on the receiving end. The decode function will decode the cursor type, see that it is Custom, then call decodeImage. But decodeImage will read the data of the next thing encoded in the stream, and the decode process will then fail because we’ll be off by at least one byte.

The correct way to change this is to make the null image encode in a way that can be decoded on the other end. One way this could be accomplished would be to encode a boolean to indicate whether an image is present before encoding the image and then decode that boolean in the cursor decode function. If the boolean says the image is null the decoder knows not to try to decode the image. If the boolean says the image is non-null then it knows it must decode the image.
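The framing problem Darin describes above, made concrete as an added example. This is a toy model written for this page, not WebKit's ArgumentEncoder/ArgumentDecoder and not either of the attached patches; the names Encoder, Decoder, CursorType and RoundTrip are constructed here, and the trailing u32 "next field" is an assumed stand-in for whatever argument follows the cursor in a real message. The withFlag=false path models what the rejected patches amount to (a null image emits nothing while the receiver still expects one); the withFlag=true path implements the presence boolean he suggests. The decoder fails closed, so a misaligned stream is rejected rather than silently misread.

```cpp
// Added example, not WebKit code: a toy CoreIPC-style stream with constructed names.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <optional>
#include <vector>

// Little-endian byte stream; blobs are length-prefixed.
struct Encoder {
    std::vector<uint8_t> bytes;
    void encodeBool(bool b) { bytes.push_back(b ? 1 : 0); }
    void encodeU32(uint32_t v) { for (int i = 0; i < 4; ++i) bytes.push_back(uint8_t(v >> (8 * i))); }
    void encodeBytes(const std::vector<uint8_t>& d) { encodeU32(uint32_t(d.size())); bytes.insert(bytes.end(), d.begin(), d.end()); }
};

// Fails closed: a read past the end sets `failed`, and every later read fails too.
struct Decoder {
    const std::vector<uint8_t>& bytes;
    std::size_t pos = 0;
    bool failed = false;
    explicit Decoder(const std::vector<uint8_t>& b) : bytes(b) {}
    bool fail() { failed = true; return false; }
    std::size_t remaining() const { return bytes.size() - pos; }
    bool decodeBool(bool& out) { if (failed || remaining() < 1) return fail(); out = bytes[pos++] != 0; return true; }
    bool decodeU32(uint32_t& out) {
        if (failed || remaining() < 4) return fail();
        out = 0;
        for (int i = 0; i < 4; ++i) out |= uint32_t(bytes[pos++]) << (8 * i);
        return true;
    }
    bool decodeBytes(std::vector<uint8_t>& out) {
        uint32_t n = 0;
        if (!decodeU32(n) || n > remaining()) return fail();   // bounds check before copying
        out.assign(bytes.begin() + pos, bytes.begin() + pos + n);
        pos += n;
        return true;
    }
};

// An empty optional stands in for the null Image* that crashed encodeImage.
using Image = std::optional<std::vector<uint8_t>>;
enum class CursorType : uint32_t { Pointer = 0, Custom = 1 };
struct Cursor { CursorType type = CursorType::Pointer; Image image; };

// withFlag=false is what the rejected patches amount to: a null image emits
// nothing, so the receiver cannot tell "no image" from "image follows".
// withFlag=true is Darin's suggestion: a presence boolean precedes the image.
void encodeCursor(Encoder& e, const Cursor& c, bool withFlag) {
    e.encodeU32(uint32_t(c.type));
    if (c.type != CursorType::Custom) return;
    if (withFlag) e.encodeBool(c.image.has_value());
    if (c.image) e.encodeBytes(*c.image);
}

// withFlag=false is the unchanged decoder: after Custom it always decodes an
// image, so it consumes whatever argument comes next as if it were the image.
bool decodeCursor(Decoder& d, Cursor& c, bool withFlag) {
    uint32_t t = 0;
    if (!d.decodeU32(t)) return false;
    c.type = CursorType(t);
    c.image.reset();
    if (c.type != CursorType::Custom) return true;
    bool hasImage = true;
    if (withFlag && !d.decodeBool(hasImage)) return false;
    if (!hasImage) return true;               // flagged null image: nothing more to read
    std::vector<uint8_t> data;
    if (!d.decodeBytes(data)) return false;
    c.image = data;
    return true;
}

// Send a Custom cursor with a null image, then one more u32 argument (a
// constructed stand-in for whatever follows the cursor in a real message).
struct RoundTrip { bool cursorOk; bool imageNull; bool nextOk; };
RoundTrip roundTrip(bool withFlag, uint32_t nextField) {
    Encoder e;
    Cursor sent;
    sent.type = CursorType::Custom;            // image deliberately left null
    encodeCursor(e, sent, withFlag);
    e.encodeU32(nextField);
    Decoder d(e.bytes);
    Cursor got;
    RoundTrip r{decodeCursor(d, got, withFlag), !got.image.has_value(), false};
    uint32_t next = 0;
    r.nextOk = d.decodeU32(next) && next == nextField;
    return r;
}

int main() {
    RoundTrip a = roundTrip(false, 7), b = roundTrip(false, 0), c = roundTrip(true, 7);
    std::printf("skip-null next=7: cursorOk=%d nextOk=%d\n", a.cursorOk, a.nextOk);
    std::printf("skip-null next=0: cursorOk=%d imageNull=%d nextOk=%d\n", b.cursorOk, b.imageNull, b.nextOk);
    std::printf("with-flag next=7: cursorOk=%d imageNull=%d nextOk=%d\n", c.cursorOk, c.imageNull, c.nextOk);
    return 0;
}
```

Build with `g++ -std=c++17`. The two skip-null cases show the two ways the misalignment surfaces: with a non-zero next field the decoder reads it as the image length and runs off the end of the message, and with a zero next field the cursor "decodes" with a bogus empty image while the next argument has been swallowed. The with-flag case round-trips both the null image and the following argument. The defensive property worth taking from this is that a null check on the sending side removes the crash but is not a fix until the wire format stays self-describing, and that a decoder which returns failure instead of reading past the end is what turns a framing error into a rejected message.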
Darin Adler
Comment 4 2011-07-30 23:09:52 PDT
Comment on attachment 102455 [details]
Fix crash on attempt to decode null image v2

This is wrong for the same reason the other one is. Encoding no bytes at all does not work on the decoding side. The decodeImage function has no way to know that the image was null, and so will attempt to decode the image, and thus the decoding process will be off.
Alexey Proskuryakov
Comment 5 2011-07-31 20:16:39 PDT
Duplicate of bug 65420?
Alexey Proskuryakov
Comment 6 2011-07-31 20:16:59 PDT
I mean, duplicate of bug 64802?
Darin Adler
Comment 7 2011-07-31 20:21:13 PDT
*** This bug has been marked as a duplicate of bug 64802 ***