RESOLVED FIXED 150931
TestWebKitAPI crashed in TestWebKitAPI: TestWebKitAPI::SharedBufferTest_copyBufferCreatedWithContentsOfExistingFile_Test::TestBody
https://bugs.webkit.org/show_bug.cgi?id=150931
David Kilzer (:ddkilzer)
Reported 2015-11-05 06:54:05 PST
TestWebKitAPI crashed in TestWebKitAPI: TestWebKitAPI::SharedBufferTest_copyBufferCreatedWithContentsOfExistingFile_Test::TestBody with ASan enabled. The bug is that strnstr() assumes the second argument is null-terminated, and the implementation of strnstr() on OS X calls strlen() on the second argument. This causes an out-of-bounds read if the memory after the second argument doesn't happen to contain a NULL character.
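One way to avoid the out-of-bounds read described above, as an added example (not the patch attached to this bug, and not WebKit code): a search that takes an explicit length for both buffers, so a needle without a terminating NUL is never handed to strlen(). The names `find_bytes` and `find_offset` are hypothetical and the sample arrays are constructed data.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical helper (not WebKit code): find needle[0..needle_len) inside
 * haystack[0..hay_len) using explicit lengths only. strnstr() bounds the
 * haystack but, as the report notes, calls strlen() on the needle; here no
 * byte outside either buffer is read, so neither needs a terminating NUL. */
static const char *find_bytes(const char *haystack, size_t hay_len,
                              const char *needle, size_t needle_len)
{
    if (needle_len == 0)
        return haystack;              /* same convention as strstr(s, "") */
    if (needle_len > hay_len)
        return NULL;                  /* also avoids size_t underflow below */

    size_t last = hay_len - needle_len;
    for (size_t i = 0; i <= last; i++) {
        if (haystack[i] == needle[0] &&
            memcmp(haystack + i, needle, needle_len) == 0)
            return haystack + i;
    }
    return NULL;
}

/* Constructed sample data: each array is exactly as long as its contents,
 * so no NUL follows the last byte (like file contents held in a buffer). */
static const char sample_file[] = { 'W','e','b','K','i','t',' ','A','S','a','n' };
static const char sample_needle[] = { 'A','S','a','n' };

/* Returns the offset of the first match, or -1 if the needle is absent. */
static long find_offset(const char *hay, size_t hay_len,
                        const char *needle, size_t needle_len)
{
    const char *hit = find_bytes(hay, hay_len, needle, needle_len);
    return hit ? (long)(hit - hay) : -1;
}

int main(void)
{
    /* Exit status 0 when the needle is found at offset 7. */
    return find_offset(sample_file, sizeof sample_file,
                       sample_needle, sizeof sample_needle) == 7 ? 0 : 1;
}
```

Built with -fsanitize=address, this runs clean on the unterminated arrays because every read is bounded by a length the caller supplies.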
Attachments
Patch v1 (2.79 KB, patch)
2015-11-05 07:09 PST, David Kilzer (:ddkilzer)
youennf: review+
Patch to fix build failures (2.82 KB, patch)
2015-11-05 14:05 PST, David Kilzer (:ddkilzer)
no flags
David Kilzer (:ddkilzer)
Comment 1 2015-11-05 06:54:17 PST
David Kilzer (:ddkilzer)
Comment 2 2015-11-05 07:09:49 PST
Created attachment 264864 Patch v1
youenn fablet
Comment 3 2015-11-05 07:37:44 PST
Comment on attachment 264864 Patch v1
View in context: https://bugs.webkit.org/attachment.cgi?id=264864&action=review

> Tools/TestWebKitAPI/Tests/WebCore/SharedBuffer.cpp:95
> + EXPECT_GT(buffer->size(), 0);

Maybe EXPECT_TRUE(!!buffer->size()); will make mac bots happy?
Darin Adler
Comment 4 2015-11-05 08:36:20 PST
Comment on attachment 264864 Patch v1
View in context: https://bugs.webkit.org/attachment.cgi?id=264864&action=review

>> Tools/TestWebKitAPI/Tests/WebCore/SharedBuffer.cpp:95
>> + EXPECT_GT(buffer->size(), 0);
>
> Maybe EXPECT_TRUE(!!buffer->size()); will make mac bots happy?

It’s also possible that 0U instead of 0 will work.
David Kilzer (:ddkilzer)
Comment 5 2015-11-05 14:05:39 PST
Created attachment 264881 Patch to fix build failures
David Kilzer (:ddkilzer)
Comment 6 2015-11-05 15:22:10 PST