RESOLVED FIXED
251420
[JSC] Crash On JSC when open dir as input file
https://bugs.webkit.org/show_bug.cgi?id=251420
Summary
[JSC] Crash On JSC when open dir as input file
hackerzheng666
Reported
2023-01-30 22:25:04 PST
This is an interesting bug. When I tried to execute "./jsc /dir1/test.js", I forgot to add test.js, which made it execute "./jsc /dir1", and it crashed. After reviewing the code, I found there is a check which seems not so proper. When we open a file which is a dir, fseek will make it search for the end of the file. But it seems that there is no EOF in a dir, so it keeps finding and takes the MAX value of the stream as bufferCapacity, which is 0x7fffffffffffffff; it bypasses the check of "fseek(file, 0, SEEK_END) == -1", and the resize to such a value will crash the jsc.

```cpp
template<typename Vector>
static bool fillBufferWithContentsOfFile(FILE* file, Vector& buffer)
{
    // We might have injected "use strict"; at the top.
    size_t initialSize = buffer.size();
    if (fseek(file, 0, SEEK_END) == -1)
        return false;
    // On a directory stream this succeeds and ftell() returns 0x7fffffffffffffff.
    long bufferCapacity = ftell(file);
    if (bufferCapacity == -1)
        return false;
    if (fseek(file, 0, SEEK_SET) == -1)
        return false;
    // Unchecked huge capacity reaches resize() here.
    buffer.resize(bufferCapacity + initialSize);
    size_t readSize = fread(buffer.data() + initialSize, 1, buffer.size(), file);
    return readSize == buffer.size() - initialSize;
}
```

There is another position. But I think here the check of "!result" can prevent the crash.

```cpp
static RefPtr<Uint8Array> fillBufferWithContentsOfFile(FILE* file)
{
    if (fseek(file, 0, SEEK_END) == -1)
        return nullptr;
    long bufferCapacity = ftell(file);
    if (bufferCapacity == -1)
        return nullptr;
    if (fseek(file, 0, SEEK_SET) == -1)
        return nullptr;
    // tryCreate() fails for an oversized capacity instead of aborting.
    auto result = Uint8Array::tryCreate(bufferCapacity);
    if (!result)
        return nullptr;
    size_t readSize = fread(result->data(), 1, bufferCapacity, file);
    if (readSize != static_cast<size_t>(bufferCapacity))
        return nullptr;
    return result;
}
```

Regards,
Zheng Wang
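A defensive version of the reader, added here as an illustration and not WebKit's code or the fix that landed in PR #26753: it asks fstat() what kind of object the stream refers to and rejects anything that is not a regular file before allocating, then sizes the buffer from st_size under a cap rather than from ftell(). The 1 GiB cap, the helper names and the temp-file path are assumptions.

```cpp
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <string>
#include <vector>
#include <sys/stat.h>
#include <unistd.h>

// Added example, not WebKit's code: fstat() the descriptor and only trust st_size
// for regular files. A directory passes fseek()/ftell() but ftell() yields LONG_MAX.
static const off_t kMaxFileSize = 1LL << 30; // demo assumption, not a WebKit value

static bool fillBufferChecked(FILE* file, std::vector<char>& buffer)
{
    struct stat st;
    if (fstat(fileno(file), &st) != 0) return false;
    if (!S_ISREG(st.st_mode)) return false; // dirs, pipes, sockets: reject
    if (st.st_size < 0 || st.st_size > kMaxFileSize) return false;
    size_t initialSize = buffer.size(); // keep any prefix already present
    size_t fileSize = static_cast<size_t>(st.st_size);
    buffer.resize(initialSize + fileSize);
    return fread(buffer.data() + initialSize, 1, fileSize, file) == fileSize;
}

// Open `path` read-only and slurp it; a directory such as "." comes back false.
static bool slurpPath(const char* path, std::string* out = nullptr)
{
    FILE* f = fopen(path, "rb");
    if (!f) return false;
    std::vector<char> buf;
    bool ok = fillBufferChecked(f, buf);
    fclose(f);
    if (ok && out) out->assign(buf.begin(), buf.end());
    return ok;
}

// Constructed sample: a tiny script in a temp file is read back intact.
static bool demoRegularFileRead()
{
    char path[] = "/tmp/jsc_dir_bug_XXXXXX"; // mkstemp fills in the suffix
    int fd = mkstemp(path);
    if (fd < 0) return false;
    const char* script = "print('hello');\n";
    bool written = write(fd, script, strlen(script)) == (ssize_t)strlen(script);
    close(fd);
    std::string s;
    bool ok = written && slurpPath(path, &s) && s == script;
    unlink(path);
    return ok;
}
```

Passing "." to slurpPath() stands in for the "./jsc /dir1" case from the report: it returns false instead of reaching resize() with an unbounded size.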
Radar WebKit Bug Importer
Comment 1
2023-01-30 22:25:18 PST
<rdar://problem/104853422>
Michael Saboff
Comment 2
2024-04-02 14:39:38 PDT
Pull request:
https://github.com/WebKit/WebKit/pull/26753
EWS
Comment 3
2024-04-03 10:17:58 PDT
Committed 277010@main (6e20396fae8b): <https://commits.webkit.org/277010@main>
Reviewed commits have been landed. Closing PR #26753 and removing active labels.