RESOLVED WONTFIX 12081
Crash in Windows cookie code if cookies change between calls 
https://bugs.webkit.org/show_bug.cgi?id=12081
Summary Crash in Windows cookie code if cookies change between calls
Brett Wilson (Google)
Reported 2007-01-02 13:25:39 PST
in CookieJarWin.cpp, we call InternetGetCookie to get the length of the buffer, then call it again once a buffer of the correct size has been constructed. However, the cookies can change between these values if another process (or possibly some other cases, I'm not sure) changes the cookies for the page between these calls. In particular, if the cookies are deleted, we will make a string of length -1, causing a crash. If more cookies are added, the returned cookies will be truncated.
Attachments
Patch to CookieJarWin.cpp (1.93 KB, patch)
2007-01-02 13:31 PST, Brett Wilson (Google) 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Brett Wilson (Google)
Comment 1 2007-01-02 13:31:00 PST
Created attachment 12172 [details] Patch to CookieJarWin.cpp This patch requests the cookies in a loop until the buffer is large enough to hold the cookies. As long as the length of the cookies doesn't grow monotonically, this will terminate.
Brett Wilson (Google)
Comment 2 2007-01-21 11:32:37 PST
This patch still causes crashes. InternetGetCookie is buggy and will write one past the end of the buffer on ERROR_INVALID_PARAMETER. At the top of the loop: count = cookieBuffer.size() - 1; and at the bottom, we need: cookieBuffer.resize(count + 1); to compensate.
Alexey Proskuryakov
Comment 3 2007-07-15 01:13:13 PDT
Is this still a problem?
Brett Wilson (Google)
Comment 4 2007-08-02 08:53:53 PDT
In Safari on Windows, this is not a problem. CookieJarWin.cpp is still in the tree, though, and it still has this bug, it just isn't used by anybody. Probably that file should just be deleted.
Adam Roben (:aroben)
Comment 5 2007-08-02 11:59:24 PDT
(In reply to comment #4) > In Safari on Windows, this is not a problem. CookieJarWin.cpp is still in the > tree, though, and it still has this bug, it just isn't used by anybody. > Probably that file should just be deleted. A patch to delete that file (and others not currently being used) would be welcome. There's no point keeping unused files in trunk, and they can always be resurrected from an old revision if desired.
Brett Wilson (Google)
Comment 6 2007-12-20 11:22:15 PST
It looks like this file is now used by the new Windows port. The buggy code is still there, though.
Adam Roben (:aroben)
Comment 7 2008-01-02 06:50:24 PST
(In reply to comment #6) > It looks like this file is now used by the new Windows port. The buggy code is > still there, though. ...but it sounds like we haven't seen this to be a problem in practice with the CFNetwork cookies implementation. Would still be nice to fix sometime, but it's not urgent.
Basuke Suzuki
Comment 8 2017-02-28 15:01:48 PST
Based on https://trac.webkit.org/changeset/176672 , this bug is no longer valid.
Note You need to log in before you can comment on or make changes to this bug.