Bug 22932 - Corrupt HTTP response cause NULL ptr
Summary: Corrupt HTTP response cause NULL ptr
Alias: None
Product: WebKit
Classification: Unclassified
Component: New Bugs
Version: 525.x (Safari 3.2)
Hardware: PC OS X 10.5
Importance: P2 Critical
Assignee: Nobody
Keywords: InRadar
Depends on:
Reported: 2008-12-19 06:06 PST by Berend-Jan Wever
Modified: 2008-12-19 12:48 PST

See Also:

Small server that can be used to repro this case (1.61 KB, application/x-zip-compressed)
2008-12-19 06:08 PST, Berend-Jan Wever

Description Berend-Jan Wever 2008-12-19 06:06:59 PST
A server replying with 'HTTP/.1 409\n:"\rB\n \n' can cause Safari to crash because of a NULL ptr Read AV.

I have a zip with a small server written in python that can be used to serve the repro. Install python, unzip the file and run:

ReproServer.py "AMD-SKYLINED-NL - Safari 525.26.13 (WebKit 525.26.2) - 0640018F - ReadAV(mov)[4]@CoreFoundation!CFCharacterSetInitInlineBuffer+0x357.asResponseLog.zuul3.pickle"

Then browse to http://localhost:28876 in Safari to see the crash.

As soon as I figure out how to upload it, I'll do so.
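To show which parts of the response quoted above a strict parser would refuse before touching any derived data, here is an added example (not the attachment from this report, and not WebKit or Apple code): a Python validator for an HTTP/1.x response head that fails closed on the first grammar violation rather than continuing with a half-initialised structure. The only page-specific value is the response string from the description; the other inputs in the tests are constructed.

```python
import re

# Grammar of an HTTP/1.x response head (RFC 2616 sections 6.1 and 4.2):
# Status-Line = "HTTP/" 1*DIGIT "." 1*DIGIT SP 3DIGIT SP Reason-Phrase CRLF
STATUS_LINE = re.compile(r"^HTTP/(\d+)\.(\d+) (\d{3})(?: ([^\r\n]*))?$")
# field-name is a non-empty token; a field-value may not contain a bare CR or LF
HEADER_LINE = re.compile(r"^([!#$%&'*+\-.^_`|~0-9A-Za-z]+):[ \t]*([^\r\n]*)$")

# The malformed response quoted in this bug report.
PAGE_RESPONSE = b'HTTP/.1 409\n:"\rB\n \n'


class MalformedResponse(ValueError):
    """Raised on the first structural violation; nothing is returned partially parsed."""


def parse_response_head(raw: bytes) -> dict:
    """Return {'version', 'status', 'reason', 'headers'} or raise MalformedResponse.

    CRLF and bare LF are both accepted as line endings (lenient, like real clients),
    but every line must then satisfy the grammar above."""
    norm = raw.replace(b"\r\n", b"\n")
    head, terminator, _body = norm.partition(b"\n\n")
    try:
        lines = head.decode("ascii").split("\n")
    except UnicodeDecodeError as exc:
        raise MalformedResponse("non-ASCII byte in head") from exc
    m = STATUS_LINE.match(lines[0])
    if not m:                                   # e.g. 'HTTP/.1 409': empty major version
        raise MalformedResponse(f"bad status line {lines[0]!r}")
    if not terminator:
        raise MalformedResponse("head not terminated by an empty line")
    major, minor, code, reason = m.groups()
    headers = {}
    last = None
    for n, line in enumerate(lines[1:], 2):
        if line[:1] in (" ", "\t"):            # obsolete line folding: only after a header
            if last is None:
                raise MalformedResponse(f"line {n}: continuation without a header")
            headers[last] += " " + line.strip()
            continue
        h = HEADER_LINE.match(line)
        if not h:                               # empty field-name, or a bare CR in the value
            raise MalformedResponse(f"line {n}: bad header line {line!r}")
        last = h.group(1).lower()
        headers[last] = h.group(2)
    return {"version": (int(major), int(minor)), "status": int(code),
            "reason": reason or "", "headers": headers}


def first_defect(raw: bytes):
    """The first violation found as a string, or None when the head is well-formed."""
    try:
        parse_response_head(raw)
    except MalformedResponse as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(first_defect(PAGE_RESPONSE))
```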
Comment 1 Berend-Jan Wever 2008-12-19 06:08:22 PST
Created attachment 26141 [details]
Small server that can be used to repro this case

As described in my first comment.
Comment 2 Alexey Proskuryakov 2008-12-19 12:42:00 PST
Comment 3 Alexey Proskuryakov 2008-12-19 12:48:40 PST
Closing as INVALID, as HTTP response parsing is performed by Apple closed source frameworks. Thank you for reporting this issue, it will continue to be tracked by Apple internally.

I couldn't reproduce this on Mac OS X 10.5.6. I didn't try to reproduce on Windows.