Bug 215976 - [GTK] REGRESSION(r150392) insufficient space allocation results in heap corruption
Summary: [GTK] REGRESSION(r150392) insufficient space allocation results in heap corru...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKitGTK (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-08-29 02:17 PDT by Jim Mason
Modified: 2020-08-30 02:40 PDT (History)
6 users (show)

See Also:


Attachments
Patch (1.30 KB, patch)
2020-08-29 02:18 PDT, Jim Mason
no flags Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Jim Mason 2020-08-29 02:17:37 PDT
The change introduced by the patch for 150392 fails to allocate enough space for the new RunLoopSource struct in the TimerBase ctor, resulting in a segmentation fault due to heap corruption:

    (gdb) bt
    #0  0x00007ffaa94e30d1 in _malloc_unlocked () at /lib/64/libc.so.1
    #1  0x00007ffaa94e2f14 in malloc () at /lib/64/libc.so.1
    #2  0x00007ffaa94caaef in calloc () at /lib/64/libc.so.1
    #3  0x00007ffaa8f90189 in g_malloc0 () at /usr/lib/64/libglib-2.0.so.0
    #4  0x00007ffaa8f864fb in g_source_new () at /usr/lib/64/libglib-2.0.so.0
    #5  0x00007ffa9edcc6f4 in WTF::RunLoop::TimerBase::TimerBase(WTF::RunLoop&) ()
Comment 1 Jim Mason 2020-08-29 02:18:44 PDT
Created attachment 407537 [details]
Patch
Comment 2 Carlos Garcia Campos 2020-08-30 02:24:22 PDT
Comment on attachment 407537 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=407537&action=review

Thanks!

> Source/WTF/wtf/glib/RunLoopGLib.cpp:162
> -    , m_source(adoptGRef(g_source_new(&RunLoop::s_runLoopSourceFunctions, sizeof(GSource))))
> +    , m_source(adoptGRef(g_source_new(&RunLoop::s_runLoopSourceFunctions, sizeof(RunLoopSource))))

Oops, I forgot this one.
Comment 3 EWS 2020-08-30 02:40:47 PDT
Committed r266331: <https://trac.webkit.org/changeset/266331>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 407537 [details].