Bug 31138 - Uninitialized memory read in WebCore::Page::userStyleSheetLocationChanged()
Summary: Uninitialized memory read in WebCore::Page::userStyleSheetLocationChanged()
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc.
Version: 528+ (Nightly build)
Hardware: PC OS X 10.5
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
Reported: 2009-11-04 12:17 PST by Dan Kegel
Modified: 2009-11-04 22:39 PST
CC List: 1 user

See Also:


Attachments
Supply missing length argument to avoid buffer overrun (1.26 KB, patch)
2009-11-04 12:22 PST, Dan Kegel
no flags

Description Dan Kegel 2009-11-04 12:17:36 PST
Found via chromium linux layout valgrind bot on
LayoutTests/platform/mac/fast/loader/user-stylesheet-fast-path.html .
Valgrind complains

Invalid read of size 1
   at strlen (mc_replace_strmem.c:275)
   by WebCore::String::fromUTF8(char const*) (String.cpp:682)
   by WebCore::Page::userStyleSheetLocationChanged() (Page.cpp:545)
 Address 0xd60f4af is 0 bytes after a block of size 31 alloc'd
   at malloc (vg_replace_malloc.c:195)
   ...
   by WebCore::base64Decode(WTF::Vector<char, 0ul> const&, WTF::Vector<char, 0ul>&) (Base64.cpp:134)
   by WebCore::Page::userStyleSheetLocationChanged() (Page.cpp:544)

Looks like someone forgot to specify a length.  I'll attach a fix.
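The defect in the report, as an added example that is neither this bug's patch nor WebKit code: a constructed stand-in for base64Decode that returns exactly the decoded bytes with no terminator (the 31-byte block in the Valgrind trace), the check a reviewer can apply in front of any fromUTF8(const char*) call, and the length-taking conversion the attached patch switches to. The decoder, the helper names and the base64 payloads are all constructed for this example.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for WebCore::base64Decode: like the real one it returns
 * exactly the decoded bytes in a block of that size, with no trailing NUL. */
static unsigned char *b64_decode(const char *in, size_t *out_len) {
    static const char tbl[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    size_t n = strlen(in), len = 0;
    unsigned char *out = malloc(n / 4 * 3 + 3);
    unsigned acc = 0; int bits = 0;
    for (size_t i = 0; i < n; i++) {
        const char *p = in[i] == '=' ? NULL : strchr(tbl, in[i]);
        if (!p)
            continue;                           /* padding or ignorable character */
        acc = (acc << 6) | (unsigned)(p - tbl);
        if ((bits += 6) >= 8) {
            bits -= 8;
            out[len++] = (unsigned char)(acc >> bits);
            acc &= (1u << bits) - 1;            /* keep only the bits not yet emitted */
        }
    }
    *out_len = len;
    return realloc(out, len ? len : 1);         /* exactly len bytes, as in the Valgrind report */
}

/* Check for any fromUTF8(const char*) call site: is there a NUL inside the buffer's
 * own bounds? For base64 output usually not, so strlen() walks past the allocation. */
static int nul_terminated_within(const unsigned char *buf, size_t len) {
    return memchr(buf, '\0', len) != NULL;
}

/* Shape of the attached fix: convert with an explicit length instead of
 * letting the callee strlen() a buffer that may not be NUL-terminated. */
static char *string_from_utf8_len(const unsigned char *s, size_t len) {
    char *r = malloc(len + 1);
    memcpy(r, s, len);
    r[len] = '\0';
    return r;
}

/* Whole path on one payload: 1 if the block is not NUL-terminated yet converts correctly. */
static int demo(const char *b64, const char *expected) {
    size_t len;
    unsigned char *decoded = b64_decode(b64, &len);
    int ok = !nul_terminated_within(decoded, len); /* strlen(decoded) here is the bug */
    char *s = string_from_utf8_len(decoded, len);
    ok = ok && strlen(s) == len && strcmp(s, expected) == 0;
    free(s); free(decoded);
    return ok;
}
```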
Comment 1 Dan Kegel 2009-11-04 12:22:48 PST
Created attachment 42510 [details]
Supply missing length argument to avoid buffer overrun

Here it is!
Comment 2 Alexey Proskuryakov 2009-11-04 15:57:34 PST
Comment on attachment 42510 [details]
Supply missing length argument to avoid buffer overrun

+        * page/Page.cpp:
+        (WebCore::Page::userStyleSheetLocationChanged):
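Review bot: the ChangeLog line `(WebCore::Page::userStyleSheetLocationChanged):` names the function but says nothing about what changed in it; suggest stating the defect the Valgrind trace shows, e.g. `(WebCore::Page::userStyleSheetLocationChanged): Pass the length of the base64-decoded data to String::fromUTF8; the decoded buffer is not NUL-terminated, so the single-argument overload's strlen() read past it.`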

Ideally, there should be per-function comments explaining changes.

r=me as is.
Comment 3 Eric Seidel (no email) 2009-11-04 22:14:52 PST
Comment on attachment 42510 [details]
Supply missing length argument to avoid buffer overrun

I wonder if there are other places we call fromUTF8 and need fixes? Since Dan's not a committer, adding this to the cq.
Comment 4 WebKit Commit Bot 2009-11-04 22:39:51 PST
Comment on attachment 42510 [details]
Supply missing length argument to avoid buffer overrun

Clearing flags on attachment: 42510

Committed r50545: <http://trac.webkit.org/changeset/50545>
Comment 5 WebKit Commit Bot 2009-11-04 22:39:55 PST
All reviewed patches have been landed.  Closing bug.