Bug 85394 - RESOLVED FIXED
Web Inspector: crash in InspectorResourceAgent::didReceiveWebSocketFrame
https://bugs.webkit.org/show_bug.cgi?id=85394
Summary: Web Inspector: crash in InspectorResourceAgent::didReceiveWebSocketFrame
Marshall Greenblatt
Reported 2012-05-02 11:22:42 PDT
WebKit revision 115687. Chromium revision 134688.

The frame.payload value passed to InspectorResourceAgent::didReceiveWebSocketFrame is not nul-terminated. didReceiveWebSocketFrame calls payload.substring(0, frame.payloadLength), which also returns a non-nul-terminated string. The non-nul-terminated string is then passed to StringImpl::create, which calls strlen(), resulting in a buffer overrun.

Stack trace:

libcef.dll!strlen(unsigned char * buf) Line 81 Asm
libcef.dll!WTF::StringImpl::create(const unsigned char * string) Line 186 + 0x9 bytes C++
libcef.dll!WTF::String::String(const char * characters) Line 84 + 0x3a bytes C++
> libcef.dll!WebCore::InspectorResourceAgent::didReceiveWebSocketFrame(unsigned long identifier, const WebCore::WebSocketFrame & frame) Line 465 C++
libcef.dll!WebCore::InspectorInstrumentation::didReceiveWebSocketFrameImpl(WebCore::InstrumentingAgents * instrumentingAgents, unsigned long identifier, const WebCore::WebSocketFrame & frame) Line 995 C++
libcef.dll!WebCore::InspectorInstrumentation::didReceiveWebSocketFrame(WebCore::Document * document, unsigned long identifier, const WebCore::WebSocketFrame & frame) Line 1238 + 0x11 bytes C++
libcef.dll!WebCore::WebSocketChannel::processFrame() Line 603 + 0x1a bytes C++
libcef.dll!WebCore::WebSocketChannel::processBuffer() Line 489 + 0x8 bytes C++
libcef.dll!WebCore::WebSocketChannel::didReceiveSocketStreamData(WebCore::SocketStreamHandle * handle, const char * data, int len) Line 330 + 0x8 bytes C++
libcef.dll!WebCore::SocketStreamHandleInternal::didReceiveData(WebKit::WebSocketStreamHandle * socketHandle, const WebKit::WebData & data) Line 134 + 0x34 bytes C++
libcef.dll!webkit_glue::WebSocketStreamHandleImpl::Context::DidReceiveData(WebKit::WebSocketStreamHandle * web_handle, const char * data, int size) Line 129 + 0x4b bytes C++
libcef.dll!IPCWebSocketStreamHandleBridge::OnReceivedData(const std::vector<char,std::allocator<char> > & data) Line 127 + 0x32 bytes C++
libcef.dll!SocketStreamDispatcher::OnReceivedData(int socket_id, const std::vector<char,std::allocator<char> > & data) Line 222 C++
libcef.dll!DispatchToMethod<SocketStreamDispatcher,void (__thiscall SocketStreamDispatcher::*)(int,std::vector<char,std::allocator<char> > const &),int,std::vector<char,std::allocator<char> > >(SocketStreamDispatcher * obj, void (int, const std::vector<char,std::allocator<char> > &)* method, const Tuple2<int,std::vector<char,std::allocator<char> > > & arg) Line 554 + 0x15 bytes C++
libcef.dll!SocketStreamMsg_ReceivedData::Dispatch<SocketStreamDispatcher,SocketStreamDispatcher,void (__thiscall SocketStreamDispatcher::*)(int,std::vector<char,std::allocator<char> > const &)>(const IPC::Message * msg, SocketStreamDispatcher * obj, SocketStreamDispatcher * sender, void (int, const std::vector<char,std::allocator<char> > &)* func) Line 65 + 0x56 bytes C++
libcef.dll!SocketStreamDispatcher::OnMessageReceived(const IPC::Message & msg) Line 188 + 0x3c bytes C++
libcef.dll!ChildThread::OnMessageReceived(const IPC::Message & msg) Line 176 + 0x2d bytes C++
libcef.dll!IPC::ChannelProxy::Context::OnDispatchMessage(const IPC::Message & message) Line 247 + 0x19 bytes C++
libcef.dll!base::internal::RunnableAdapter<void (__thiscall IPC::ChannelProxy::Context::*)(IPC::Message const &)>::Run(IPC::ChannelProxy::Context * object, const IPC::Message & a1) Line 188 + 0x21 bytes C++
libcef.dll!base::internal::InvokeHelper<0,void,base::internal::RunnableAdapter<void (__thiscall IPC::ChannelProxy::Context::*)(IPC::Message const &)>,void __cdecl(IPC::ChannelProxy::Context * const &,IPC::Message const &)>::MakeItSo(base::internal::RunnableAdapter<void (__thiscall IPC::ChannelProxy::Context::*)(IPC::Message const &)> runnable, IPC::ChannelProxy::Context * const & a1, const IPC::Message & a2) Line 897 C++
libcef.dll!base::internal::Invoker<2,base::internal::BindState<base::internal::RunnableAdapter<void (__thiscall IPC::ChannelProxy::Context::*)(IPC::Message const &)>,void __cdecl(IPC::ChannelProxy::Context *,IPC::Message const &),void __cdecl(IPC::ChannelProxy::Context *,IPC::Message)>,void __cdecl(IPC::ChannelProxy::Context *,IPC::Message const &)>::Run(base::internal::BindStateBase * base) Line 1254 + 0x2a bytes C++
libcef.dll!base::Callback<void __cdecl(void)>::Run() Line 272 + 0xe bytes C++
libcef.dll!MessageLoop::RunTask(const base::PendingTask & pending_task) Line 464 C++
libcef.dll!MessageLoop::DeferOrRunPendingTask(const base::PendingTask & pending_task) Line 477 C++
libcef.dll!MessageLoop::DoWork() Line 651 + 0xc bytes C++
libcef.dll!base::MessagePumpForUI::DoRunLoop() Line 224 + 0x1d bytes C++
libcef.dll!base::MessagePumpWin::RunWithDispatcher(base::MessagePump::Delegate * delegate, base::MessagePumpDispatcher * dispatcher) Line 60 + 0xf bytes C++
libcef.dll!base::MessagePumpWin::Run(base::MessagePump::Delegate * delegate) Line 48 + 0x1c bytes C++
libcef.dll!MessageLoop::RunInternal() Line 421 + 0x29 bytes C++
libcef.dll!MessageLoop::RunHandler() Line 395 C++
libcef.dll!MessageLoop::Run() Line 301 C++
libcef.dll!base::Thread::Run(MessageLoop * message_loop) Line 129 C++
libcef.dll!base::Thread::ThreadMain() Line 163 + 0x16 bytes C++
libcef.dll!base::`anonymous namespace'::ThreadFunc(void * params) Line 58 + 0xf bytes C++
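An added illustration of the defect class the report describes, not code from the page or from WebKit: a frame payload known only by pointer plus length must be handed to a length-taking string constructor, because a const char* constructor has to call strlen() and scans past the end of the frame. The Frame struct, the receive buffer contents and std::string standing in for WTF::String are all constructed for this demo.

```cpp
#include <cstring>
#include <string>

// Constructed model of a WebSocket frame as seen by the inspector hook:
// the payload is a pointer into a larger receive buffer plus an explicit
// length. The bytes after the payload belong to the next frame; there is
// no NUL terminator marking where the payload ends.
struct Frame {
    const char* payload;    // points into the receive buffer, NOT NUL-terminated
    size_t payloadLength;   // the only trustworthy bound on the payload
};

// Two frames back to back in one receive buffer (constructed sample data).
// The array literal ends with a NUL only so that this demo cannot itself
// read out of bounds; in a real receive path no such terminator exists.
static const char kReceiveBuffer[] = "hello" "world!";

// First frame: payload "hello" (5 bytes), immediately followed by "world!".
Frame firstFrame() {
    return Frame{kReceiveBuffer, 5};
}

// Buggy pattern from the report: a constructor that takes only a const char*
// must call strlen(), which ignores payloadLength and keeps scanning until it
// finds a NUL. Here it runs into the next frame; in production it runs off the
// end of the buffer, which is the over-read behind the crash.
std::string payloadViaStrlen(const Frame& f) {
    return std::string(f.payload);
}

// Hardened pattern: pass the known length to a length-taking constructor, so
// no byte beyond payloadLength is ever touched and no NUL is required.
std::string payloadViaLength(const Frame& f) {
    return std::string(f.payload, f.payloadLength);
}

// How many bytes past the frame the strlen-based path actually consumed.
size_t overreadBytes(const Frame& f) {
    size_t scanned = std::strlen(f.payload);
    return scanned > f.payloadLength ? scanned - f.payloadLength : 0;
}
```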
Attachments
Patch (2.57 KB, patch)
2012-05-03 05:27 PDT, Yury Semikhatsky
pfeldman: review+
Yury Semikhatsky
Comment 1 2012-05-03 05:27:12 PDT
Yury Semikhatsky
Comment 2 2012-05-03 05:34:46 PDT