WebKit Bugzilla
Bug 201102 (RESOLVED FIXED): Make CacheStorageEngineCaches's decodeCachesNames() more robust against bad input data
https://bugs.webkit.org/show_bug.cgi?id=201102

Reported by Chris Dumez, 2019-08-23 16:27:11 PDT
Make CacheStorageEngineCaches's decodeCachesNames() more robust against bad input data:

Thread[0] EXC_BREAKPOINT (SIGTRAP) (0x0000000000000001, 0x00000001b854ab74)

[ 0] 0x00000001b854ab74 WebKit`WTF::Detail::CallableWrapper<WebKit::CacheStorage::Caches::readCachesFromDisk(...)::$_54, void, WebKit::NetworkCache::Data const&, int>::call(WebKit::NetworkCache::Data const&, int) [inlined] WTF::VectorBufferBase<std::__1::pair<WTF::String, WTF::String> >::allocateBuffer(unsigned long) at Vector.h:290:13
        0x00000001b854ab64: ldrb w8, [sp, #0x10]
        0x00000001b854ab68: cbz w8, 0x144984 ; <+672>
        [inlined] std::experimental::fundamentals_v3::unexpected<WebCore::DOMCacheEngine::Error>::unexpected<WebCore::DOMCacheEngine::Error&>(WebCore::DOMCacheEngine::Error&) at Unexpected.h:79
        0x00000001b854ab6c: bl 0x2acb0 ; std::experimental::fundamentals_v3::__expected_detail::__expected_terminate at Expected.h:231
        0x00000001b854ab70: bl 0x54fe94 ; symbol stub for: __stack_chk_fail
     -> 0x00000001b854ab74: brk #0
        0x00000001b854ab78: brk #0x1
        0x00000001b854ab7c: brk #0
        0x00000001b854ab80: brk #0x1
[ 0] 0x00000001b854ab74 [inlined] WTF::Vector<std::__1::pair<WTF::String, WTF::String>, 0ul, WTF::CrashOnOverflow, 16ul>::reserveInitialCapacity(unsigned long) at Vector.h:1222
[ 0] 0x00000001b854ab74 [inlined] WebKit::CacheStorage::decodeCachesNames(WebKit::NetworkCache::Data const&) at CacheStorageEngineCaches.cpp:414
        410         if (!decoder.decode(count))
        411             return makeUnexpected(Error::ReadDisk);
        412
        413         Vector<std::pair<String, String>> names;
     -> 414         names.reserveInitialCapacity(count);
        415         for (size_t index = 0; index < count; ++index) {
        416             String name;
        417             if (!decoder.decode(name))
        418                 return makeUnexpected(Error::ReadDisk);
[ 0] 0x00000001b854ab74 [inlined] WebKit::CacheStorage::Caches::readCachesFromDisk(...)::$_54::operator()(WebKit::NetworkCache::Data const&, int) + 896 at CacheStorageEngineCaches.cpp:457
        453             callback(makeUnexpected(Error::ReadDisk));
        454             return;
        455         }
        456
     -> 457         auto result = decodeCachesNames(data);
        458         if (!result.has_value()) {
        459             RELEASE_LOG_ERROR(CacheStorage, "Caches::decodeCachesNames failed decoding caches with error %d", static_cast<int>(result.error()));
        460             callback(makeUnexpected(result.error()));
        461             return;
[ 0] 0x00000001b854a7f4 WebKit`WTF::Detail::CallableWrapper<...readCachesFromDisk(...)::$_54, void, WebKit::NetworkCache::Data const&, int>::call(WebKit::NetworkCache::Data const&, int) + 272 at Function.h:52
[ 1] 0x00000001b854a817 [inlined] WebKit::CacheStorage::decodeCachesNames(WebKit::NetworkCache::Data const&) + 35 at CacheStorageEngineCaches.cpp:410:18
[ 1] 0x00000001b854a7f4 [inlined] WebKit::CacheStorage::Caches::readCachesFromDisk(...)::$_54::operator()(WebKit::NetworkCache::Data const&, int) at CacheStorageEngineCaches.cpp:457
[ 1] 0x00000001b854a7f4 WebKit`WTF::Detail::CallableWrapper<...readCachesFromDisk(...)::$_54, ...>::call(WebKit::NetworkCache::Data const&, int) + 272 at Function.h:52
[ 2] 0x00000001b8542bab WebKit`WTF::Detail::CallableWrapper<WebKit::CacheStorage::Engine::readFile(WTF::String const&, WTF::CompletionHandler<void (WebKit::NetworkCache::Data const&, int)>&&)::$_25::operator()()::'lambda'(WebKit::NetworkCache::Data const&, int), void, WebKit::NetworkCache::Data&, int>::call(WebKit::NetworkCache::Data&, int) [inlined] WTF::Function<void (WebKit::NetworkCache::Data const&, int)>::operator()(WebKit::NetworkCache::Data const&, int) const + 23 at Function.h:79:35
[ 2] 0x00000001b8542b94 [inlined] WTF::CompletionHandler<void (WebKit::NetworkCache::Data const&, int)>::operator()(WebKit::NetworkCache::Data const&, int) + 8 at CompletionHandler.h:64
[ 2] 0x00000001b8542b8c [inlined] WebKit::CacheStorage::Engine::readFile(...)::$_25::operator()()::'lambda'(WebKit::NetworkCache::Data const&, int)::operator()(WebKit::NetworkCache::Data const&, int) + 64 at CacheStorageEngine.cpp:445
[ 2] 0x00000001b8542b4c WebKit`WTF::Detail::CallableWrapper<...Engine::readFile(...)::$_25::operator()()::'lambda'(...), void, WebKit::NetworkCache::Data&, int>::call(WebKit::NetworkCache::Data&, int) + 40 at Function.h:52
[ 3] 0x00000001b849a73b WebKit`WTF::BlockPtr<void (bool, NSObject<OS_dispatch_data>*, int)>::fromCallable<WebKit::NetworkCache::IOChannel::read(unsigned long, unsigned long, WTF::WorkQueue*, WTF::Function<void (WebKit::NetworkCache::Data&, int)>&&)::$_5>(...)::'lambda'(void*, bool, NSObject<OS_dispatch_data>*, int)::__invoke(void*, bool, NSObject<OS_dispatch_data>*, int) [inlined] WTF::Function<void (WebKit::NetworkCache::Data&, int)>::operator()(WebKit::NetworkCache::Data&, int) const + 23 at Function.h:79:35
[ 3] 0x00000001b849a724 [inlined] WebKit::NetworkCache::IOChannel::read(...)::$_5::operator()(bool, NSObject<OS_dispatch_data>*, int) + 72 at NetworkCacheIOChannelCocoa.mm:100
[ 3] 0x00000001b849a6dc [inlined] WTF::BlockPtr<...>::fromCallable<...IOChannel::read(...)::$_5>(...)::'lambda'(void*, bool, NSObject<OS_dispatch_data>*, int)::operator()(void*, bool, NSObject<OS_dispatch_data>*, int) const at BlockPtr.h:99
[ 3] 0x00000001b849a6dc WebKit`WTF::BlockPtr<...>::fromCallable<...IOChannel::read(...)::$_5>(...)::'lambda'(...)::__invoke(void*, bool, NSObject<OS_dispatch_data>*, int) + 20 at BlockPtr.h:98
[ 4] 0x00000001b0c4fe37 libdispatch.dylib`___dispatch_operation_deliver_data_block_invoke + 135 at io.c:2547:3
[ 5] 0x00000001b0c7f657 libdispatch.dylib`_dispatch_call_block_and_release + 23 at init.c:1408:2
[ 6] 0x00000001b0c801cb libdispatch.dylib`_dispatch_client_callout + 15 at object.m:495:10
[ 7] 0x00000001b0c2c523 libdispatch.dylib`_dispatch_lane_serial_drain$VARIANT$mp [inlined] _dispatch_continuation_invoke_inline + 299 at inline_internal.h:2487:2
[ 7] 0x00000001b0c2c3f8 [inlined] _dispatch_continuation_pop_inline + 60 at inline_internal.h:2530
[ 7] 0x00000001b0c2c3bc [inlined] _dispatch_lane_drain + 216 at queue.c:3693
[ 7] 0x00000001b0c2c2e4 libdispatch.dylib`_dispatch_lane_serial_drain$VARIANT$mp + 32 at queue.c:3738
[ 8] 0x00000001b0c2cf47 libdispatch.dylib`_dispatch_lane_invoke$VARIANT$mp [inlined] _dispatch_lane_invoke2 + 43 at queue.c:3820:10
[ 8] 0x00000001b0c2cf1c [inlined] _dispatch_queue_class_invoke + 384 at inline_internal.h:1854
[ 8] 0x00000001b0c2cd9c libdispatch.dylib`_dispatch_lane_invoke$VARIANT$mp + 40 at queue.c:3830
[ 9] 0x00000001b0c32173 libdispatch.dylib`_dispatch_main_queue_callback_4CF$VARIANT$mp [inlined] _dispatch_continuation_pop_inline + 51 at inline_internal.h:2528:3
[ 9] 0x00000001b0c32140 [inlined] _dispatch_main_queue_drain + 648 at queue.c:7189
[ 9] 0x00000001b0c31eb8 libdispatch.dylib`_dispatch_main_queue_callback_4CF$VARIANT$mp + 60 at queue.c:7351

We're hitting this:

    if (newCapacity > std::numeric_limits<unsigned>::max() / sizeof(T))
        CRASH();

under VectorBufferBase::allocateBuffer().
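As an added illustration of the failure mode in this report (this is not WebKit's code and not the landed patch, which this page does not show): a small decoder shaped like the decodeCachesNames() excerpt, with the count-from-disk path beside a guarded variant that bounds the count by what the remaining input could possibly contain. The Decoder stand-in, the little-endian layout and the remaining/16 bound are assumptions made for this example.

```cpp
#include <cstdint>
#include <cstring>
#include <string>
#include <utility>
#include <vector>

using Names = std::vector<std::pair<std::string, std::string>>;
// Constructed stand-in for WebKit's Decoder: little-endian host assumed.
struct Decoder {
    const uint8_t* p; size_t n;
    bool decode(uint64_t& v) {
        if (n < 8) return false;
        std::memcpy(&v, p, 8); p += 8; n -= 8; return true;
    }
    bool decode(std::string& s) {
        uint64_t len;
        if (!decode(len) || len > n) return false;
        s.assign(reinterpret_cast<const char*>(p), len); p += len; n -= len; return true;
    }
};
// guardCount=false mirrors the report: the on-disk `count` goes straight to
// reserve(), so a hostile value throws here (WTF::Vector CRASH()es instead).
// guardCount=true rejects counts the input cannot back: two 8-byte prefixes per entry.
bool decodeNames(const uint8_t* d, size_t n, bool guardCount, Names& out) {
    Decoder dec{d, n};
    uint64_t count;
    if (!dec.decode(count) || (guardCount && count > dec.n / 16)) return false;
    out.reserve(count);
    for (uint64_t i = 0; i < count; ++i) {
        std::string name, key;
        if (!dec.decode(name) || !dec.decode(key)) return false;
        out.emplace_back(std::move(name), std::move(key));
    }
    return true;
}

// Constructed inputs: a header claiming 2^62 entries and no data; one valid entry.
static const uint8_t kHostileHeader[8] = {0, 0, 0, 0, 0, 0, 0, 0x40};
static const uint8_t kValidFile[] = {1,0,0,0,0,0,0,0, 1,0,0,0,0,0,0,0,'a', 1,0,0,0,0,0,0,0,'b'};
bool uncheckedThrows() {
    Names out;
    try { decodeNames(kHostileHeader, sizeof kHostileHeader, false, out); } catch (...) { return true; }
    return false;
}
bool guardedRejectsHostile() { Names out; return !decodeNames(kHostileHeader, sizeof kHostileHeader, true, out); }
bool guardedParsesValidFile() {
    Names out;
    return decodeNames(kValidFile, sizeof kValidFile, true, out) && out.size() == 1 && out[0].first == "a" && out[0].second == "b";
}
```

The guarded check fires before any allocation happens, which is the property the report asks for: a corrupt or hostile on-disk count is reported as a decode error instead of reaching the allocator's overflow check.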
Attachments

Patch (1.89 KB, patch), 2019-08-23 16:29 PDT, Chris Dumez, no flags
Chris Dumez, Comment 1, 2019-08-23 16:29:40 PDT:

Created attachment 377177 [details]
Patch
Radar WebKit Bug Importer, Comment 2, 2019-08-23 16:30:03 PDT:

<rdar://problem/54659562>
WebKit Commit Bot, Comment 3, 2019-08-24 09:02:58 PDT:

Comment on attachment 377177 [details]
Patch

Clearing flags on attachment: 377177

Committed r249087: <https://trac.webkit.org/changeset/249087>
WebKit Commit Bot, Comment 4, 2019-08-24 09:03:00 PDT:

All reviewed patches have been landed. Closing bug.