199063 – WebURLSchemeHandlerProxy::loadSynchronously crash with sync request

Bug 199063 - WebURLSchemeHandlerProxy::loadSynchronously crash with sync request

Summary: WebURLSchemeHandlerProxy::loadSynchronously crash with sync request

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	WebKit2 (show other bugs)
Version:	Other
Hardware:	iPhone / iPad iOS 12

Importance:	P2 Normal
Assignee:	Brady Eidson

URL:
Keywords:	InRadar

Depends on:
Blocks:

Reported:	2019-06-20 01:20 PDT by Jin
Modified:	2019-06-20 16:11 PDT (History)
CC List:	6 users (show)

See Also:

Attachments
Screen Shot (269.12 KB, image/png) 2019-06-20 01:22 PDT, Jin	no flags	Details
Patch (6.14 KB, patch) 2019-06-20 14:12 PDT, Brady Eidson	no flags	Details \| Formatted Diff \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Jin 2019-06-20 01:20:57 PDT

The problem code is the following:

void WebURLSchemeHandlerProxy::loadSynchronously(ResourceLoadIdentifier loadIdentifier, const ResourceRequest& request, ResourceResponse& response, ResourceError& error, Vector<char>& data)
{
    IPC::DataReference dataReference;
    if (!m_webPage.sendSync(Messages::WebPageProxy::LoadSynchronousURLSchemeTask(URLSchemeTaskParameters { m_identifier, loadIdentifier, request }), Messages::WebPageProxy::LoadSynchronousURLSchemeTask::Reply(response, error, dataReference))) {
        error = failedCustomProtocolSyncLoad(request);
        return;
    }
    
    data.resize(dataReference.size());
    memcpy(data.data(), dataReference.data(), dataReference.size());
}


The “IPC::DataReference dataReference;” just "reference" data from sendSync but not "copy" it. 
When the sendSync function pop stack, the data will be dealloc.  
So the dataReference get a  wild pointer.


Steps:

1、 Setup custom Scheme
    UCWKURLSchemeHandler *handler = [[UCWKURLSchemeHandler alloc] init];   
    [configuration setURLSchemeHandler:handler forURLScheme:@"uc"];

2、enable "Malloc Scribble"  debug Environment

3、set breakpoint at WebURLSchemeHandlerProxy::loadSynchronously  at the line  “ data.resize(dataReference.size());”

4、launch the  iOS Simultaor 

5、Send a  *Sync* XMLHttpRequest with the custom scheme

Result：
check the value of “dataReference”

You can see my Screen Shot.


This is the same result at MacOS Version

Comment 1 Jin 2019-06-20 01:22:05 PDT

Created attachment 372546 [details]
Screen Shot

Comment 2 Radar WebKit Bug Importer 2019-06-20 01:41:11 PDT

<rdar://problem/51934147>

Comment 3 Brady Eidson 2019-06-20 14:12:14 PDT

Created attachment 372582 [details]
Patch

Comment 4 Geoffrey Garen 2019-06-20 14:37:17 PDT

Comment on attachment 372582 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=372582&action=review

r=me

> Source/WebKit/WebProcess/WebPage/WebURLSchemeHandlerProxy.cpp:67
> +    data.shrink(0);

Why shrink here?

Comment 5 WebKit Commit Bot 2019-06-20 15:52:16 PDT

Comment on attachment 372582 [details]
Patch

Clearing flags on attachment: 372582

Committed r246660: <https://trac.webkit.org/changeset/246660>

Comment 6 WebKit Commit Bot 2019-06-20 15:52:18 PDT

All reviewed patches have been landed.  Closing bug.

Comment 7 Brady Eidson 2019-06-20 16:11:09 PDT

(In reply to Geoffrey Garen from comment #4)
> Comment on attachment 372582 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=372582&action=review
> 
> r=me
> 
> > Source/WebKit/WebProcess/WebPage/WebURLSchemeHandlerProxy.cpp:67
> > +    data.shrink(0);
> 
> Why shrink here?

Sorry, saw the r=me in the email but missed the question.

Agreed it's unnecessary.
"Bad™" habit sanitizing out parameters gained for early CS profs.