RESOLVED FIXED Bug 54091
[EFL] Possible crash of ewk_frame_contents_set
https://bugs.webkit.org/show_bug.cgi?id=54091
Ryuan Choi
Reported 2011-02-09 04:46:35 PST
If ewk_frame_contents_set was called with a negative value as contents_size (3rd parameter), the application will crash like below. (I just called ewk_frame_contents_set(ewk_view_frame_main_get(app->browser), "hello", -1, NULL, NULL, NULL);)

#0 0x02181151 in memcpy () from /lib/tls/i686/cmov/libc.so.6
#1 0x00a0c630 in WebCore::SharedBuffer::append(char const*, unsigned int) () from /workspace/webkit/build2/WebKit/libewebkit.so.0
#2 0x00714973 in _ewk_frame_contents_set_internal(Ewk_Frame_Smart_Data*, char const*, unsigned int, char const*, char const*, char const*, char const*) () from /workspace/webkit/build2/WebKit/libewebkit.so.0

Because contents_size is size_t, an overflow occurred. Although contents_size should be size_t, I believe that it should not crash.

I think that there are two options.
1) Remove contents_size and use strlen(contents). It will change the API.
2) Choose strlen(contents) if contents_size is zero or bigger than strlen(contents).
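As an added illustration (not the patch attached to this bug), the following C sketches the reporter's option 2: a hypothetical growable buffer stands in for WebCore::SharedBuffer, and the names shared_buffer, effective_contents_size and frame_contents_set_checked are assumed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for WebCore::SharedBuffer: a growable byte buffer. */
typedef struct { char *data; size_t size; } shared_buffer;

/* Plays the role of SharedBuffer::append(): grow the buffer, then memcpy.
   Handed a length that came from -1 (SIZE_MAX after size_t conversion),
   the memcpy here is the one in the reported backtrace. */
static int shared_buffer_append(shared_buffer *buf, const char *bytes, size_t len)
{
    if (len > SIZE_MAX - buf->size) return 0;    /* size arithmetic would wrap */
    char *grown = realloc(buf->data, buf->size + len);
    if (!grown) return 0;
    buf->data = grown;
    memcpy(buf->data + buf->size, bytes, len);
    buf->size += len;
    return 1;
}

/* Option 2 from the report: trust contents_size only when it is non-zero and
   no larger than strlen(contents); otherwise fall back to strlen.  Assumes
   contents is NUL-terminated, which the strlen fallback needs anyway. */
size_t effective_contents_size(const char *contents, size_t contents_size)
{
    size_t actual = strlen(contents);
    if (contents_size == 0 || contents_size > actual) return actual;
    return contents_size;
}

/* Hypothetical checked variant of the length handling in
   ewk_frame_contents_set; returns bytes appended, 0 on failure. */
size_t frame_contents_set_checked(shared_buffer *buf, const char *contents, size_t contents_size)
{
    size_t len = effective_contents_size(contents, contents_size);
    return shared_buffer_append(buf, contents, len) ? len : 0;
}

int main(void)
{
    shared_buffer buf = { NULL, 0 };
    /* The reporter's crashing arguments: "hello" with -1 as contents_size. */
    size_t n = frame_contents_set_checked(&buf, "hello", (size_t)-1);
    printf("appended %zu bytes: %.*s\n", n, (int)buf.size, buf.data);
    free(buf.data);
    return 0;
}
```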
Attachments
Patch (1.42 KB, patch)
2011-02-10 16:31 PST, Ryuan Choi
no flags
Ryuan Choi
Comment 1 2011-02-10 16:31:27 PST
WebKit Commit Bot
Comment 2 2011-02-17 08:25:15 PST
Comment on attachment 82070 [details]
Patch

Clearing flags on attachment: 82070

Committed r78833: <http://trac.webkit.org/changeset/78833>
WebKit Commit Bot
Comment 3 2011-02-17 08:25:19 PST
All reviewed patches have been landed. Closing bug.