RESOLVED FIXED 155739
[Win] SharedBuffer::copy() can cause crash 
https://bugs.webkit.org/show_bug.cgi?id=155739
Summary [Win] SharedBuffer::copy() can cause crash
Brent Fulgham
Reported 2016-03-21 17:36:00 PDT
As reported by Dongseong Hwang back in 2012: After SharedBuffer::copy(), SharedBuffer::append() often causes segmentation fault, because copy() calls clone->m_buffer.append(m_segments[i], segmentSize) even if 'i' is the last index. The data size of m_segments.last() is often less than segmentSize. So, in the cloned instance m_size < (m_buffer.size() + SUM(m_segments[i].size())). This patch appends the exact size of the last segment instead of segmentSize. We don't encounter this on iOS/OS X because the segments always arrive in full segments. However, Windows, and perhaps other ports, may encounter this problem. This failure is revealed by the TestWebKitAPI "SharedBufferTest::copy())" test case.
Attachments
Correct Windows test failure. (2.17 KB, patch)
2016-03-21 17:43 PDT, Brent Fulgham 		no flags
DetailsFormatted DiffDiff
Patch (3.73 KB, patch)
2016-03-21 17:51 PDT, Brent Fulgham 		rniwa: review+
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Brent Fulgham
Comment 1 2016-03-21 17:43:46 PDT
Created attachment 274631 [details] Correct Windows test failure.
Brent Fulgham
Comment 2 2016-03-21 17:51:57 PDT
Created attachment 274632 [details] Patch
Ryosuke Niwa
Comment 3 2016-03-21 18:48:12 PDT
Comment on attachment 274632 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=274632&action=review > Source/WebCore/platform/SharedBuffer.cpp:272 > + unsigned positionInSegment = m_size - m_buffer->data.size() - lastIndex * segmentSize; I'd call this variable sizeOfLastSegment instead.
Brent Fulgham
Comment 4 2016-03-21 19:20:57 PDT
Martin: FYI in case this affects Gtk+.
Brent Fulgham
Comment 5 2016-03-22 08:56:59 PDT
Comment on attachment 274632 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=274632&action=review >> Source/WebCore/platform/SharedBuffer.cpp:272 >> + unsigned positionInSegment = m_size - m_buffer->data.size() - lastIndex * segmentSize; > > I'd call this variable sizeOfLastSegment instead. Will do!
Brent Fulgham
Comment 6 2016-03-22 09:02:55 PDT
Committed in r198530 <http://trac.webkit.org/changeset/198530>.
Note You need to log in before you can comment on or make changes to this bug.