Bug 150931 - TestWebKitAPI crashed in TestWebKitAPI: TestWebKitAPI::SharedBufferTest_copyBufferCreatedWithContentsOfExistingFile_Test::TestBody
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Tools / Tests
Version: Other
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: David Kilzer (:ddkilzer)
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2015-11-05 06:54 PST by David Kilzer (:ddkilzer)
Modified: 2015-11-05 15:22 PST (History)

See Also:


Attachments
Patch v1 (2.79 KB, patch)
2015-11-05 07:09 PST, David Kilzer (:ddkilzer)
youennf: review+
Patch to fix build failures (2.82 KB, patch)
2015-11-05 14:05 PST, David Kilzer (:ddkilzer)
no flags

Description David Kilzer (:ddkilzer) 2015-11-05 06:54:05 PST
TestWebKitAPI crashed in TestWebKitAPI: TestWebKitAPI::SharedBufferTest_copyBufferCreatedWithContentsOfExistingFile_Test::TestBody with ASan enabled.

The bug is that strnstr() assumes the second argument is null-terminated, and the implementation of strnstr() on OS X calls strlen() on the second argument.  This causes an out-of-bounds read if the memory after the second argument doesn't happen to contain a NULL character.
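The failure mode described above, as an added example that is not code from this bug, the patch, or WebKit: a buffer loaded from a file carries a length but no trailing NUL, and handing any part of it to a C-string API such as strnstr() invites the callee to strlen() off the end. The block does not call strnstr() itself (deliberately reading past a buffer is undefined behaviour and the function is BSD-only); instead it shows the two checks that make such a search safe: a precondition that an argument really is NUL-terminated within its known storage, and a memmem-style search and a copy comparison that take explicit lengths for both operands. The sample bytes, the names `kFileImage`, `kRawNeedle`, `is_nul_terminated`, `find_bytes` and `buffers_equal` are all constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample data standing in for SharedBuffer contents: file bytes
 * loaded into memory with no trailing NUL. sizeof gives the exact byte count. */
static const char kFileImage[] = { 'h','e','l','l','o',' ','w','o','r','l','d' };
static const size_t kFileImageLen = sizeof kFileImage;   /* 11 bytes, no terminator */

/* A needle stored the same way: exactly 5 bytes, no room for a NUL. Passing
 * this to strnstr() would let the callee's strlen() run off the end. */
static const char kRawNeedle[5] = { 'w','o','r','l','d' };

/* Precondition check for any API that treats its argument as a C string:
 * given the storage capacity, confirm a NUL exists inside it. Returns 1 when
 * the argument may safely be handed to strlen()/strnstr(), 0 otherwise. */
static int is_nul_terminated(const char *s, size_t capacity)
{
    return memchr(s, '\0', capacity) != NULL;
}

/* memmem-style search that takes explicit lengths for both operands and never
 * reads past either bound. Returns a pointer to the first match or NULL. */
static const char *find_bytes(const char *hay, size_t haylen,
                              const char *needle, size_t needlelen)
{
    if (needlelen == 0)
        return hay;
    if (needlelen > haylen)
        return NULL;
    for (size_t i = 0; i + needlelen <= haylen; i++) {
        if (hay[i] == needle[0] && memcmp(hay + i, needle, needlelen) == 0)
            return hay + i;
    }
    return NULL;
}

/* Equality of a buffer and its copy, the way a test should compare two
 * length-carrying buffers: check the sizes first, then the bytes. */
static int buffers_equal(const char *a, size_t alen, const char *b, size_t blen)
{
    return alen == blen && memcmp(a, b, alen) == 0;
}

/* Offset of the needle within the haystack, or -1 when absent. */
static long offset_of(const char *hay, size_t haylen,
                      const char *needle, size_t needlelen)
{
    const char *p = find_bytes(hay, haylen, needle, needlelen);
    return p ? (long)(p - hay) : -1;
}

int main(void)
{
    /* The guard the crashing test lacked: refuse to treat kRawNeedle as a C string. */
    printf("raw needle NUL-terminated: %d\n", is_nul_terminated(kRawNeedle, sizeof kRawNeedle));
    printf("literal NUL-terminated:    %d\n", is_nul_terminated("world", sizeof "world"));

    /* A length-bounded search works on either operand regardless of termination. */
    printf("offset of raw needle: %ld\n",
           offset_of(kFileImage, kFileImageLen, kRawNeedle, sizeof kRawNeedle));
    printf("offset of \"xyz\":      %ld\n", offset_of(kFileImage, kFileImageLen, "xyz", 3));

    /* Copy comparison with explicit sizes instead of a string function. */
    char copy[sizeof kFileImage];
    memcpy(copy, kFileImage, kFileImageLen);
    printf("copy equal: %d\n", buffers_equal(kFileImage, kFileImageLen, copy, sizeof copy));
    return 0;
}
```

Building this with `-fsanitize=address` stays clean because nothing reads beyond the declared lengths; the same build would flag a strnstr()-style call on `kRawNeedle` as a stack-buffer-overflow read, which is the ASan report the bug describes.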
Comment 1 David Kilzer (:ddkilzer) 2015-11-05 06:54:17 PST
<rdar://problem/23409384>
Comment 2 David Kilzer (:ddkilzer) 2015-11-05 07:09:49 PST
Created attachment 264864 [details]
Patch v1
Comment 3 youenn fablet 2015-11-05 07:37:44 PST
Comment on attachment 264864 [details]
Patch v1

View in context: https://bugs.webkit.org/attachment.cgi?id=264864&action=review

> Tools/TestWebKitAPI/Tests/WebCore/SharedBuffer.cpp:95
> +    EXPECT_GT(buffer->size(), 0);
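Review bot: `buffer->size()` is unsigned while the literal `0` is a signed int, so this EXPECT_GT instantiates a signed/unsigned comparison that the compiler warns on, and a bot that builds with warnings as errors turns that into a build failure rather than a test failure. Give the literal the matching signedness, `EXPECT_GT(buffer->size(), 0U);`, rather than hiding the comparison behind a double negation.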

Maybe EXPECT_TRUE(!!buffer->size()); will make mac bots happy?
Comment 4 Darin Adler 2015-11-05 08:36:20 PST
Comment on attachment 264864 [details]
Patch v1

View in context: https://bugs.webkit.org/attachment.cgi?id=264864&action=review

>> Tools/TestWebKitAPI/Tests/WebCore/SharedBuffer.cpp:95
>> +    EXPECT_GT(buffer->size(), 0);
> 
> Maybe EXPECT_TRUE(!!buffer->size()); will make mac bots happy?

It’s also possible that 0U instead of 0 will work.
Comment 5 David Kilzer (:ddkilzer) 2015-11-05 14:05:39 PST
Created attachment 264881 [details]
Patch to fix build failures
Comment 6 David Kilzer (:ddkilzer) 2015-11-05 15:22:10 PST
Committed r192085: <http://trac.webkit.org/changeset/192085>