Bug 134351 - [Win] Fix potential buffer overrun in DLLLauncher
Status: RESOLVED FIXED
https://bugs.webkit.org/show_bug.cgi?id=134351

Reported by Brent Fulgham, 2014-06-26 10:44:41 PDT
Correct a possible buffer overrun in the DLLLauncher utility.
Attachments
- Patch (1.13 KB, patch), 2014-06-26 10:46 PDT, Brent Fulgham, no flags
- Patch (1.42 KB, patch), 2014-06-26 10:47 PDT, Brent Fulgham, no flags
- Patch (1.33 KB, patch), 2014-06-26 16:55 PDT, Brent Fulgham, darin: review+
Brent Fulgham, Comment 1, 2014-06-26 10:45:02 PDT
<rdar://problem/17469185>
Brent Fulgham, Comment 2, 2014-06-26 10:46:41 PDT
Created attachment 233914: Patch
Brent Fulgham, Comment 3, 2014-06-26 10:47:19 PDT
Created attachment 233915: Patch
Darin Adler, Comment 4, 2014-06-26 11:41:15 PDT
Comment on attachment 233915: Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=233915&action=review
> Tools/win/DLLLauncher/DLLLauncherMain.cpp:177 > if (len >= bufSize) > - len = bufSize - 1; > + len = bufSize - 2;
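Review bot: Lowering the clamp to `bufSize - 2` addresses the symptom in the wrong place. The out-of-bounds store is the terminator write at line 179, `errorMessage[len + 1] = 0;`, which after the existing `len = bufSize - 1` clamp lands at index `bufSize`, one element past the end of the buffer. Keep the clamp at `bufSize - 1` and move the terminator to `errorMessage[len]`, so the longest message still fits and the null is always in bounds.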
This change looks wrong.
> Tools/win/DLLLauncher/DLLLauncherMain.cpp:179 > errorMessage[len + 1] = 0;
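Review bot: This line is the actual overrun. FormatMessage returns the number of characters stored excluding the terminating null, so the terminator belongs at `errorMessage[len]` on both the truncated and the untruncated path; with `len` clamped to `bufSize - 1`, `len + 1` indexes `errorMessage[bufSize]`, which is outside the array.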
This is the line of code that seems to have a bug. It should say errorMessage[len] = '\0';
Brent Fulgham, Comment 5, 2014-06-26 16:54:17 PDT
Comment on attachment 233915: Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=233915&action=review
>> Tools/win/DLLLauncher/DLLLauncherMain.cpp:179 >> errorMessage[len + 1] = 0; > > This is the line of code that seems to have a bug. It should say errorMessage[len] = '\0';
You are right. I just read the documents on FormatMessage, and it returns the number of characters NOT including null. So len + 1 was always wrong, as it gave at least one wchar_t's worth of garbage at the end of the line.
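The off-by-one discussed in this comment, as an added C example that is not part of the WebKit patch: `fake_format_message` is an assumed stand-in for Win32 FormatMessage (same contract, the returned count excludes the null), and the two index helpers reproduce the terminator arithmetic from the quoted lines before and after the fix.

```c
#include <stddef.h>
#include <string.h>
#include <wchar.h>

/* Assumed stand-in for FormatMessageW (the real API is Windows-only):
   copies msg into buf (capacity bufSize wchar_t), truncating if needed,
   and returns the number of characters stored NOT counting the
   terminating null, which is FormatMessage's documented contract. */
static size_t fake_format_message(const wchar_t *msg, wchar_t *buf, size_t bufSize)
{
    size_t len = wcslen(msg);
    if (len >= bufSize)
        len = bufSize - 1;
    memcpy(buf, msg, len * sizeof(wchar_t));
    buf[len] = L'\0';
    return len;
}

/* Index the pre-fix DLLLauncher code stored its terminator at: after the
   clamp, len + 1 equals bufSize, i.e. one element past the buffer. */
static size_t buggy_terminator_index(size_t len, size_t bufSize)
{
    if (len >= bufSize)
        len = bufSize - 1;
    return len + 1;
}

/* Index the corrected code uses (errorMessage[len] = '\0'): always < bufSize. */
static size_t fixed_terminator_index(size_t len, size_t bufSize)
{
    if (len >= bufSize)
        len = bufSize - 1;
    return len;
}

/* Corrected flow: format, clamp, terminate in bounds.
   Returns the length of the resulting string in errorMessage. */
static size_t format_error_fixed(const wchar_t *msg, wchar_t *errorMessage, size_t bufSize)
{
    size_t len = fake_format_message(msg, errorMessage, bufSize);
    errorMessage[fixed_terminator_index(len, bufSize)] = L'\0';
    return wcslen(errorMessage);
}

/* Convenience wrapper over a constructed 8-element buffer. */
static size_t demo_fixed_length(const wchar_t *msg)
{
    wchar_t errorMessage[8];
    return format_error_fixed(msg, errorMessage, 8);
}
```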
Brent Fulgham, Comment 6, 2014-06-26 16:55:59 PDT
Created attachment 233946: Patch
Brent Fulgham, Comment 7, 2014-06-26 17:04:26 PDT
Committed r170510: <http://trac.webkit.org/changeset/170510>