WebKit Bugzilla
RESOLVED FIXED
187239
[WPE][GTK] Another use after free in xdgmime
https://bugs.webkit.org/show_bug.cgi?id=187239
Michael Catanzaro
Reported
2018-07-01 19:54:00 PDT
Chromium has this patch to xdgmime: diff --git a/base/third_party/xdg_mime/xdgmime.c b/base/third_party/xdg_mime/xdgmime.c index c7b16bb..6dc58c2 100644 --- a/base/third_party/xdg_mime/xdgmime.c +++ b/base/third_party/xdg_mime/xdgmime.c @@ -558,13 +558,13 @@ xdg_mime_get_mime_type_for_file (const char *file_name, mime_type = _xdg_mime_magic_lookup_data (global_magic, data, bytes_read, NULL, mime_types, n); - free (data); fclose (file); - if (mime_type) - return mime_type; + if (!mime_type) + mime_type = _xdg_binary_or_text_fallback(data, bytes_read); - return _xdg_binary_or_text_fallback(data, bytes_read); + free (data); + return mime_type; } const char * I'm pretty sure this code is never executed by either Chromium or WebKit, but I'm not comfortable with leaving it broken, so we should include this patch. It has been submitted to upstream at
https://bugs.freedesktop.org/show_bug.cgi?id=100733, but the maintainer has indicated a disinterest in continuing to maintain upstream xdgmime, probably because it is xdgmime.
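Review bot: At the end of xdg_mime_get_mime_type_for_file(), the moved `free (data);` now has an ordering requirement that nothing in the hunk documents: `data` has to stay allocated until `_xdg_binary_or_text_fallback(data, bytes_read)` has returned. A short comment above `free (data);` saying so would keep a later cleanup from hoisting the free back above the fallback call. Minor style point: the added fallback call has no space before the parenthesis, unlike `free (data)` and `fclose (file)` in the same hunk.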
Attachments
Patch (2.45 KB, patch), 2018-07-02 09:25 PDT, Michael Catanzaro, no flags
Archive of layout-test-results from ews204 for win-future (12.77 MB, application/zip), 2018-07-02 12:13 PDT, EWS Watchlist, no flags
Michael Catanzaro
Comment 1
2018-07-02 09:25:59 PDT
Created attachment 344105: Patch
EWS Watchlist
Comment 2
2018-07-02 12:13:10 PDT
Comment on attachment 344105 (Patch)
Attachment 344105 did not pass win-ews (win):
Output: https://webkit-queues.webkit.org/results/8414330
New failing tests:
http/tests/preload/onload_event.html
EWS Watchlist
Comment 3
2018-07-02 12:13:21 PDT
Created attachment 344126: Archive of layout-test-results from ews204 for win-future
The attached test failures were seen while running run-webkit-tests on the win-ews.
Bot: ews204
Port: win-future
Platform: CYGWIN_NT-6.1-2.9.0-0.318-5-3-x86_64-64bit
Carlos Garcia Campos
Comment 4
2018-07-02 23:39:01 PDT
Comment on attachment 344105 (Patch)
View in context: https://bugs.webkit.org/attachment.cgi?id=344105&action=review
> Source/ThirdParty/xdgmime/README.webkit:24 > +Changes included from Chromium: > + > + - c432cac0a0beb77c63081536fc9d53b40e642cbf small patch that fixes potential crash in xdg_mime_get_mime_type_for_file() - use of pointer after being freed.
This should be upstreamed, no?
WebKit Commit Bot
Comment 5
2018-07-03 00:06:05 PDT
Comment on attachment 344105 (Patch)
Clearing flags on attachment: 344105
Committed r233457: <https://trac.webkit.org/changeset/233457>
WebKit Commit Bot
Comment 6
2018-07-03 00:06:06 PDT
All reviewed patches have been landed. Closing bug.
Michael Catanzaro
Comment 7
2018-07-03 07:15:04 PDT
Like I said, I submitted it for upstream in https://bugs.freedesktop.org/show_bug.cgi?id=100733, but I do not expect it to be accepted. And this code is not compiled in glib's copy.