WebKit Bugzilla
Bug 31138 (RESOLVED FIXED): Uninitialized memory read in WebCore::Page::userStyleSheetLocationChanged()
https://bugs.webkit.org/show_bug.cgi?id=31138
Dan Kegel
Reported
2009-11-04 12:17:36 PST
Found via the chromium linux layout valgrind bot on LayoutTests/platform/mac/fast/loader/user-stylesheet-fast-path.html. Valgrind complains:

  Invalid read of size 1
     at strlen (mc_replace_strmem.c:275)
     by WebCore::String::fromUTF8(char const*) (String.cpp:682)
     by WebCore::Page::userStyleSheetLocationChanged() (Page.cpp:545)
   Address 0xd60f4af is 0 bytes after a block of size 31 alloc'd
     at malloc (vg_replace_malloc.c:195)
     ...
     by WebCore::base64Decode(WTF::Vector<char, 0ul> const&, WTF::Vector<char, 0ul>&) (Base64.cpp:134)
     by WebCore::Page::userStyleSheetLocationChanged() (Page.cpp:544)

Looks like someone forgot to specify a length. I'll attach a fix.
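The defect the valgrind trace points at is a classic one: base64Decode fills a byte vector that is not NUL-terminated, and the one-argument String::fromUTF8(const char*) then finds the length with strlen(), which walks off the end of the decoded block into whatever the heap holds next. The following is an added example, not WebKit code, that reproduces the pattern with a toy decoder and toy string type. The base64 input, the 64-byte "heap region" filled with non-zero filler, and all function names (base64_decode, string_from_utf8_ptr, string_from_utf8_len, toy_string) are constructed for the illustration; the filler region is used so that the over-read is deterministic and stays within defined behaviour, whereas on a real heap block valgrind or ASan is the check that catches it.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed input: base64 of the 20-byte stylesheet
 * "body { color: red; }", standing in for the decoded body of a
 * data: user-stylesheet URL. */
static const char kStylesheetB64[] = "Ym9keSB7IGNvbG9yOiByZWQ7IH0=";
static const char kStylesheetText[] = "body { color: red; }";

static int b64val(char c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Toy base64 decoder (not WebCore::base64Decode). Writes raw bytes to
 * out and deliberately appends NO terminator, just as a decoded byte
 * vector would not. Returns the byte count, or -1 on bad input. */
int base64_decode(const char *in, unsigned char *out, size_t out_cap) {
    size_t n = strlen(in), o = 0;
    unsigned acc = 0;
    int bits = 0;
    for (size_t i = 0; i < n; i++) {
        if (in[i] == '=') break;
        int v = b64val(in[i]);
        if (v < 0) return -1;
        acc = ((acc << 6) | (unsigned)v) & 0xffffffu;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (o >= out_cap) return -1;
            out[o++] = (unsigned char)((acc >> bits) & 0xff);
        }
    }
    return (int)o;
}

/* Toy stand-in for WebCore::String: an explicit length plus a bounded copy. */
typedef struct { size_t len; char data[64]; } toy_string;

/* Bug pattern: pointer-only constructor, length discovered with strlen(). */
toy_string string_from_utf8_ptr(const char *p) {
    toy_string s;
    s.len = strlen(p);                      /* reads until the next 0 byte, wherever it is */
    if (s.len > sizeof s.data - 1) s.len = sizeof s.data - 1;
    memcpy(s.data, p, s.len);
    s.data[s.len] = 0;
    return s;
}

/* Fixed pattern: the caller passes the length it already knows. */
toy_string string_from_utf8_len(const char *p, size_t len) {
    toy_string s;
    s.len = len > sizeof s.data - 1 ? sizeof s.data - 1 : len;
    memcpy(s.data, p, s.len);
    s.data[s.len] = 0;
    return s;
}

/* Decode into the front of a region whose remaining bytes are non-zero
 * filler ('X'), with a 0 only at the very end. This simulates the heap
 * neighbour of the decoded block without undefined behaviour. */
static int decode_into_region(unsigned char *region, size_t cap) {
    memset(region, 'X', cap);
    region[cap - 1] = 0;
    return base64_decode(kStylesheetB64, region, cap / 2);
}

/* Length the strlen-based constructor believes the stylesheet has. */
int decoded_len_with_strlen(void) {
    unsigned char region[64];
    if (decode_into_region(region, sizeof region) < 0) return -1;
    return (int)string_from_utf8_ptr((const char *)region).len;
}

/* The stylesheet as built by the length-taking constructor. */
toy_string decoded_stylesheet(void) {
    unsigned char region[64];
    int n = decode_into_region(region, sizeof region);
    if (n < 0) { toy_string e = {0, {0}}; return e; }
    return string_from_utf8_len((const char *)region, (size_t)n);
}

int main(void) {
    toy_string fixed = decoded_stylesheet();
    printf("strlen-based length: %d (expected %zu)\n",
           decoded_len_with_strlen(), strlen(kStylesheetText));
    printf("explicit length:     %zu -> \"%s\"\n", fixed.len, fixed.data);
    return 0;
}
```

The strlen-based constructor reports 63 bytes and copies 43 bytes of neighbouring memory into the "stylesheet"; the length-taking constructor reports the 20 bytes that were actually decoded. The same discipline applies to every fromUTF8-style call fed from a byte vector: pass the vector's size, never rely on a terminator the decoder did not write.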
Attachments
Supply missing length argument to avoid buffer overrun (1.26 KB, patch), 2009-11-04 12:22 PST, Dan Kegel, no flags
Dan Kegel
Comment 1
2009-11-04 12:22:48 PST
Created attachment 42510 [details]: Supply missing length argument to avoid buffer overrun

le voilà!
Alexey Proskuryakov
Comment 2
2009-11-04 15:57:34 PST
Comment on attachment 42510 [details]: Supply missing length argument to avoid buffer overrun

+ * page/Page.cpp:
+ (WebCore::Page::userStyleSheetLocationChanged):

Ideally, there should be per-function comments explaining changes. r=me as is.
Eric Seidel (no email)
Comment 3
2009-11-04 22:14:52 PST
Comment on attachment 42510 [details]: Supply missing length argument to avoid buffer overrun

I wonder if there are other places we call fromUTF8 and need fixes? Since Dan's not a committer, adding this to the cq.
WebKit Commit Bot
Comment 4
2009-11-04 22:39:51 PST
Comment on attachment 42510 [details]: Supply missing length argument to avoid buffer overrun

Clearing flags on attachment: 42510

Committed r50545: <http://trac.webkit.org/changeset/50545>
WebKit Commit Bot
Comment 5
2009-11-04 22:39:55 PST
All reviewed patches have been landed. Closing bug.