Bug 187239 - [WPE][GTK] Another use after free in xdgmime
Summary: [WPE][GTK] Another use after free in xdgmime
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKitGTK
Version: Other
Hardware: PC Linux
Importance: P2 Normal
Assignee: Michael Catanzaro
URL:
Keywords:
Depends on:
Blocks:
Reported: 2018-07-01 19:54 PDT by Michael Catanzaro
Modified: 2018-07-03 07:15 PDT
CC List: 6 users

See Also:


Attachments
Patch (2.45 KB, patch)
2018-07-02 09:25 PDT, Michael Catanzaro
no flags
Archive of layout-test-results from ews204 for win-future (12.77 MB, application/zip)
2018-07-02 12:13 PDT, EWS Watchlist
no flags

Description Michael Catanzaro 2018-07-01 19:54:00 PDT
Chromium has this patch to xdgmime:

diff --git a/base/third_party/xdg_mime/xdgmime.c b/base/third_party/xdg_mime/xdgmime.c
index c7b16bb..6dc58c2 100644
--- a/base/third_party/xdg_mime/xdgmime.c
+++ b/base/third_party/xdg_mime/xdgmime.c
@@ -558,13 +558,13 @@ xdg_mime_get_mime_type_for_file (const char  *file_name,
   mime_type = _xdg_mime_magic_lookup_data (global_magic, data, bytes_read, NULL,
 					   mime_types, n);
 
-  free (data);
   fclose (file);
 
-  if (mime_type)
-    return mime_type;
+  if (!mime_type)
+    mime_type = _xdg_binary_or_text_fallback(data, bytes_read);
 
-  return _xdg_binary_or_text_fallback(data, bytes_read);
+  free (data);
+  return mime_type;
 }
 
 const char *
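Review bot: Moving `free (data)` below the fallback call is the right fix: in the old code `_xdg_binary_or_text_fallback(data, bytes_read)` was called on a buffer that had already been freed two lines earlier. The new `if (!mime_type)` keeps the original control flow (fallback only when `_xdg_mime_magic_lookup_data` returned NULL), and both paths now free `data` exactly once before `return mime_type`. Worth confirming in review that neither the magic lookup nor the fallback returns a pointer into `data`, since the buffer is now released before the result is returned on either path; the `fclose (file)` ordering relative to the reads is unchanged. Minor style point: `_xdg_binary_or_text_fallback(data, bytes_read)` lacks the space before the parenthesis used elsewhere in this file (`free (data)`, `fclose (file)`).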

I'm pretty sure this code is never executed by either Chromium or WebKit, but I'm not comfortable with leaving it broken, so we should include this patch. It has been submitted to upstream at https://bugs.freedesktop.org/show_bug.cgi?id=100733, but the maintainer has indicated a disinterest in continuing to maintain upstream xdgmime, probably because it is xdgmime.
Comment 1 Michael Catanzaro 2018-07-02 09:25:59 PDT
Created attachment 344105
Patch
Comment 2 EWS Watchlist 2018-07-02 12:13:10 PDT
Comment on attachment 344105
Patch

Attachment 344105 did not pass win-ews (win):
Output: https://webkit-queues.webkit.org/results/8414330

New failing tests:
http/tests/preload/onload_event.html
Comment 3 EWS Watchlist 2018-07-02 12:13:21 PDT
Created attachment 344126
Archive of layout-test-results from ews204 for win-future

The attached test failures were seen while running run-webkit-tests on the win-ews.
Bot: ews204  Port: win-future  Platform: CYGWIN_NT-6.1-2.9.0-0.318-5-3-x86_64-64bit
Comment 4 Carlos Garcia Campos 2018-07-02 23:39:01 PDT
Comment on attachment 344105
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=344105&action=review

> Source/ThirdParty/xdgmime/README.webkit:24
> +Changes included from Chromium:
> +
> + - c432cac0a0beb77c63081536fc9d53b40e642cbf small patch that fixes potential crash in xdg_mime_get_mime_type_for_file() - use of pointer after being freed.

This should be upstreamed, no?
Comment 5 WebKit Commit Bot 2018-07-03 00:06:05 PDT
Comment on attachment 344105
Patch

Clearing flags on attachment: 344105

Committed r233457: <https://trac.webkit.org/changeset/233457>
Comment 6 WebKit Commit Bot 2018-07-03 00:06:06 PDT
All reviewed patches have been landed. Closing bug.
Comment 7 Michael Catanzaro 2018-07-03 07:15:04 PDT
Like I said, I submitted it for upstream in https://bugs.freedesktop.org/show_bug.cgi?id=100733, but I do not expect it to be accepted.

And this code is not compiled in glib's copy.