WebKit Bugzilla
Bug 140376 - Out of bounds read in IdentifierArena::makeIdentifier
Status: RESOLVED FIXED
https://bugs.webkit.org/show_bug.cgi?id=140376

Geoffrey Garen, Reported 2015-01-12 16:54:56 PST
Out of bounds read in IdentifierArena::makeIdentifier

Attachments
Patch (2.38 KB, patch), 2015-01-12 17:00 PST, Geoffrey Garen; ggaren: review+

Geoffrey Garen, Comment 1, 2015-01-12 16:55:54 PST
Alexey says: IdentifierArena::makeIdentifier is sometimes called with an empty string, in which case it creates the identifier from garbage memory.

Steps to reproduce:
1. Add ASSERT(length > 0); to IdentifierArena::makeIdentifier.
2. Open https://bugs.webkit.org/enter_bug.cgi?product=WebKit

Results: the assertion fails.

This out of bounds read is not harmless, because the value affects logic in this function, and then goes into an actual identifier. IdentifierArena::makeIdentifierLCharFromUChar has the same problem.
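
The ordering problem described in Comment 1, as an added C++ sketch that is not part of the bug report and is not WebKit's code: `SketchArena`, its per-character cache and the sample buffer are assumptions made for illustration. It shows the fast-path decision consulting a byte outside a zero-length span, and a length check placed first that avoids the read.

```cpp
#include <cstddef>
#include <cstdio>
#include <deque>
#include <string>

// Hypothetical simplified arena (not WebKit's IdentifierArena). Assumed design:
// one-character ASCII names come from a cache, everything else is appended.
struct SketchArena {
    std::deque<std::string> stored;
    std::string cache[128], empty;
    int branchByte = -1; // byte the fast-path decision looked at, -1 if none

    // Pattern from the report: characters[0] is read before length is known
    // to be non-zero, so for an empty span the branch depends on a stray byte.
    const std::string& makeUnchecked(const char* characters, size_t length) {
        branchByte = static_cast<unsigned char>(characters[0]);
        if (branchByte < 128 && length == 1)
            return cache[branchByte].assign(1, characters[0]);
        stored.emplace_back(characters, length);
        return stored.back();
    }

    // Hardened: return the shared empty identifier before touching the buffer.
    const std::string& makeChecked(const char* characters, size_t length) {
        if (!length) {
            branchByte = -1;
            return empty;
        }
        return makeUnchecked(characters, length);
    }
};

// Constructed input: a zero-length token inside a larger buffer, so the stray
// read lands on the neighbouring quote instead of unmapped memory.
int byteConsultedForEmptyToken(bool checked) {
    static const char source[] = "a=''";
    const char* token = source + 3; // between the quotes, length 0
    SketchArena arena;
    (void)(checked ? arena.makeChecked(token, 0) : arena.makeUnchecked(token, 0));
    return arena.branchByte;
}

int main() {
    std::printf("unchecked consulted byte %d, checked consulted byte %d\n",
        byteConsultedForEmptyToken(false), byteConsultedForEmptyToken(true));
}
```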

Geoffrey Garen, Comment 2, 2015-01-12 16:58:27 PST
<rdar://problem/19437703>

Geoffrey Garen, Comment 3, 2015-01-12 17:00:41 PST
Created attachment 244479 [details]
Patch

Geoffrey Garen, Comment 4, 2015-01-12 17:03:03 PST
Comment on attachment 244479 [details]
Patch

Alexey wrote and tested this patch. I tested it some more, and reviewed it.

Geoffrey Garen, Comment 5, 2015-01-12 17:04:34 PST
Committed r178311: <http://trac.webkit.org/changeset/178311>