Bug 140376 - Out of bounds read in IdentifierArena::makeIdentifier
Summary: Out of bounds read in IdentifierArena::makeIdentifier
Alias: None
Product: WebKit
Classification: Unclassified
Component: New Bugs
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Geoffrey Garen
Keywords: InRadar
Depends on:
Reported: 2015-01-12 16:54 PST by Geoffrey Garen
Modified: 2015-12-08 14:22 PST

See Also:

Patch (2.38 KB, patch)
2015-01-12 17:00 PST, Geoffrey Garen
ggaren: review+

Description Geoffrey Garen 2015-01-12 16:54:56 PST
Out of bounds read in IdentifierArena::makeIdentifier
Comment 1 Geoffrey Garen 2015-01-12 16:55:54 PST
Alexey says:

IdentifierArena::makeIdentifier is sometimes called with an empty string, in which case it creates the identifier from garbage memory.

Steps to reproduce:
1. Add ASSERT(length > 0); to IdentifierArena::makeIdentifier.
2. Open https://bugs.webkit.org/enter_bug.cgi?product=WebKit

Results: the assertion fails.

This out of bounds read is not harmless, because the value affects logic in this function, and then goes into an actual identifier.

IdentifierArena::makeIdentifierLCharFromUChar has the same problem.
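The failure mode described above, shown as an added example; this is not WebKit's IdentifierArena code and not the committed patch. It models the pattern the report describes: a fast path that inspects the first character of the input before checking its length, so an empty string makes the function read (and act on) a byte that is not part of the string. The names `makeIdentifierUnchecked`, `makeIdentifierChecked`, `makeIdentifierLCharFromUCharChecked`, the `MaximumCachableCharacter` threshold and the sample buffers are all assumptions made for this illustration.

```cpp
#include <cstddef>
#include <string>

// Constructed stand-in for an identifier table. It is not WebKit's
// IdentifierArena; it only models the pattern described in the bug: a fast
// path keyed on the first character that is consulted before the length is.
struct Identifier {
    std::string text;
    bool fromSingleCharacterCache;
};

// Assumed threshold for the single-character cache (hypothetical value).
constexpr unsigned MaximumCachableCharacter = 128;

// Cache lookup for one-character identifiers; modelled as plain construction.
inline Identifier singleCharacterIdentifier(char c) {
    return Identifier{std::string(1, c), true};
}

// The defective shape: characters[0] is dereferenced unconditionally. When
// length == 0 the byte read belongs to whatever sits after the (empty)
// string, and that byte both steers the branch and becomes the identifier.
inline Identifier makeIdentifierUnchecked(const char* characters, size_t length) {
    unsigned char first = static_cast<unsigned char>(characters[0]);  // BUG: no length check
    if (first < MaximumCachableCharacter && length <= 1)
        return singleCharacterIdentifier(static_cast<char>(first));
    return Identifier{std::string(characters, length), false};
}

// The hardened shape: an empty input is answered without touching the buffer,
// so every later read of characters[i] is covered by i < length.
inline Identifier makeIdentifierChecked(const char* characters, size_t length) {
    if (length == 0)
        return Identifier{std::string(), false};   // the empty identifier
    unsigned char first = static_cast<unsigned char>(characters[0]);
    if (length == 1 && first < MaximumCachableCharacter)
        return singleCharacterIdentifier(static_cast<char>(first));
    return Identifier{std::string(characters, length), false};
}

// The same guard applied to a narrowing variant (the report notes that
// makeIdentifierLCharFromUChar shares the defect): a 16-bit source buffer is
// narrowed to 8-bit, and the empty case is again handled before any read.
inline Identifier makeIdentifierLCharFromUCharChecked(const char16_t* characters, size_t length) {
    if (length == 0)
        return Identifier{std::string(), false};
    std::string narrowed;
    narrowed.reserve(length);
    for (size_t i = 0; i < length; ++i)
        narrowed.push_back(static_cast<char>(characters[i] & 0xFF));
    if (length == 1 && static_cast<unsigned char>(narrowed[0]) < MaximumCachableCharacter)
        return singleCharacterIdentifier(narrowed[0]);
    return Identifier{narrowed, false};
}

// Constructed sample input for the narrowing variant.
constexpr char16_t kSampleUChar[] = { u'q' };

// Constructed reproduction: a buffer whose first byte stands in for the
// "garbage" past the end of an empty string. Passing length 0 with this
// pointer keeps the read inside a real array (so the demo itself is
// well-defined) while showing that the result depends on bytes that are not
// part of the string.
inline std::string emptyInputResult(bool checked) {
    static const char afterEndOfString[] = { 'x', 'y', 'z' };
    Identifier id = checked ? makeIdentifierChecked(afterEndOfString, 0)
                            : makeIdentifierUnchecked(afterEndOfString, 0);
    return id.text;
}
```

With the unchecked shape, `emptyInputResult(false)` returns `"x"`, an identifier built from a byte that was never part of the input; the checked shape returns the empty identifier. The `ASSERT(length > 0)` from the reproduction steps is the same observation made loud: it turns a silent read into a detectable failure at the entry point.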
Comment 2 Geoffrey Garen 2015-01-12 16:58:27 PST
Comment 3 Geoffrey Garen 2015-01-12 17:00:41 PST
Created attachment 244479 [details]
Comment 4 Geoffrey Garen 2015-01-12 17:03:03 PST
Comment on attachment 244479 [details]

Alexey wrote and tested this patch. I tested it some more, and reviewed it.
Comment 5 Geoffrey Garen 2015-01-12 17:04:34 PST
Committed r178311: <http://trac.webkit.org/changeset/178311>