Title: [206126] trunk
Revision
206126
Author
achristen...@apple.com
Date
2016-09-19 16:05:11 -0700 (Mon, 19 Sep 2016)

Log Message

URLParser can read memory out of bounds
https://bugs.webkit.org/show_bug.cgi?id=162206

Reviewed by Geoff Garen.

Source/WebCore:

Covered by new API tests.
URLParser is disabled by default still.

* platform/URLParser.cpp:
(WebCore::parseIPv4Host):
If there are fewer than two numbers in an ipv4 address, we would subtract two from the Vector's size, 
causing us to read memory up to std::numeric_limits<size_t>::max() - 2.  Added a bounds check and many tests.

Tools:

* TestWebKitAPI/Tests/WebCore/URLParser.cpp:
(TestWebKitAPI::TEST_F):

Modified Paths

Diff

Modified: trunk/Source/WebCore/ChangeLog (206125 => 206126)


--- trunk/Source/WebCore/ChangeLog	2016-09-19 23:03:02 UTC (rev 206125)
+++ trunk/Source/WebCore/ChangeLog	2016-09-19 23:05:11 UTC (rev 206126)
@@ -1,5 +1,20 @@
 2016-09-19  Alex Christensen  <achristen...@webkit.org>
 
+        URLParser can read memory out of bounds
+        https://bugs.webkit.org/show_bug.cgi?id=162206
+
+        Reviewed by Geoff Garen.
+
+        Covered by new API tests.
+        URLParser is disabled by default still.
+
+        * platform/URLParser.cpp:
+        (WebCore::parseIPv4Host):
+        If there are fewer than two numbers in an ipv4 address, we would subtract two from the Vector's size, 
+        causing us to read memory up to std::numeric_limits<size_t>::max() - 2.  Added a bounds check and many tests.
+
+2016-09-19  Alex Christensen  <achristen...@webkit.org>
+
         URLParser should parse serialized valid URLs faster than unknown input
         https://bugs.webkit.org/show_bug.cgi?id=162228
 

Modified: trunk/Source/WebCore/platform/URLParser.cpp (206125 => 206126)


--- trunk/Source/WebCore/platform/URLParser.cpp	2016-09-19 23:03:02 UTC (rev 206125)
+++ trunk/Source/WebCore/platform/URLParser.cpp	2016-09-19 23:05:11 UTC (rev 206126)
@@ -1769,9 +1769,11 @@
     }
     if (!items.size() || items.size() > 4)
         return Nullopt;
-    for (size_t i = 0; i < items.size() - 2; i++) {
-        if (items[i] > 255)
-            return Nullopt;
+    if (items.size() > 2) {
+        for (size_t i = 0; i < items.size() - 2; i++) {
+            if (items[i] > 255)
+                return Nullopt;
+        }
     }
     if (items[items.size() - 1] >= pow256(5 - items.size()))
         return Nullopt;
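Review bot: The guarded loop still stops at `items.size() - 2`, so the second-to-last number is never range-checked: with four numbers only items[0] and items[1] are compared against 255, with three only items[0], and the final number is covered separately by the pow256 comparison on the last line of the hunk. Unless that item is validated elsewhere in parseIPv4Host (the function starts and ends outside the hunk), a host such as `a.b.300.d` (constructed example) would pass this check. Because the `!items.size()` check just above already guarantees at least one item, the new `if (items.size() > 2)` guard is unnecessary once the bound is written without subtraction: `for (size_t i = 0; i + 1 < items.size(); i++) {` checks every number except the last and cannot underflow. The test additions in Tools/TestWebKitAPI/Tests/WebCore/URLParser.cpp exercise a last number of 256 and short dotted forms but no case where a non-final number exceeds 255, so a test for that would pin the intended behavior.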

Modified: trunk/Tools/ChangeLog (206125 => 206126)


--- trunk/Tools/ChangeLog	2016-09-19 23:03:02 UTC (rev 206125)
+++ trunk/Tools/ChangeLog	2016-09-19 23:05:11 UTC (rev 206126)
@@ -1,3 +1,13 @@
+2016-09-19  Alex Christensen  <achristen...@webkit.org>
+
+        URLParser can read memory out of bounds
+        https://bugs.webkit.org/show_bug.cgi?id=162206
+
+        Reviewed by Geoff Garen.
+
+        * TestWebKitAPI/Tests/WebCore/URLParser.cpp:
+        (TestWebKitAPI::TEST_F):
+
 2016-09-19  Daniel Bates  <daba...@apple.com>
 
         Remove ENABLE(TEXT_AUTOSIZING) automatic text size adjustment code

Modified: trunk/Tools/TestWebKitAPI/Tests/WebCore/URLParser.cpp (206125 => 206126)


--- trunk/Tools/TestWebKitAPI/Tests/WebCore/URLParser.cpp	2016-09-19 23:03:02 UTC (rev 206125)
+++ trunk/Tools/TestWebKitAPI/Tests/WebCore/URLParser.cpp	2016-09-19 23:05:11 UTC (rev 206126)
@@ -207,6 +207,9 @@
     checkURL("notspecial:/a", {"notspecial", "", "", "", 0, "/a", "", "", "notspecial:/a"});
     checkURL("notspecial:", {"notspecial", "", "", "", 0, "", "", "", "notspecial:"});
     checkURL("http:/a", {"http", "", "", "a", 0, "/", "", "", "http://a/"});
+    checkURL("http://256/", {"http", "", "", "256", 0, "/", "", "", "http://256/"});
+    checkURL("http://256./", {"http", "", "", "256.", 0, "/", "", "", "http://256./"});
+    checkURL("http://123.256/", {"http", "", "", "123.256", 0, "/", "", "", "http://123.256/"});
     // FIXME: Fix and add a test with an invalid surrogate pair at the end with a space as the second code unit.
 
     // This disagrees with the web platform test for http://:@www.example.com but agrees with Chrome and URL::parse,
@@ -508,6 +511,21 @@
     checkRelativeURLDifferences("http://`{}:`{}@h/`{}?`{}", "http://doesnotmatter/",
         {"http", "`{}", "`{}", "h", 0, "/%60%7B%7D", "`{}", "", "http://%60%7B%7D:%60%7B%7D@h/%60%7B%7D?`{}"},
         {"", "", "", "", 0, "", "", "", "http://`{}:`{}@h/`{}?`{}"});
+    checkURLDifferences("http://[0:f::f::f]",
+        {"", "", "", "", 0, "" , "", "", "http://[0:f::f::f]"},
+        {"http", "", "", "[0:f::f::f]", 0, "/" , "", "", "http://[0:f::f::f]/"});
+    checkURLDifferences("http://123",
+        {"http", "", "", "0.0.0.123", 0, "/", "", "", "http://0.0.0.123/"},
+        {"http", "", "", "123", 0, "/", "", "", "http://123/"});
+    checkURLDifferences("http://123.234/",
+        {"http", "", "", "123.0.0.234", 0, "/", "", "", "http://123.0.0.234/"},
+        {"http", "", "", "123.234", 0, "/", "", "", "http://123.234/"});
+    checkURLDifferences("http://123.234.012",
+        {"http", "", "", "123.234.0.10", 0, "/", "", "", "http://123.234.0.10/"},
+        {"http", "", "", "123.234.012", 0, "/", "", "", "http://123.234.012/"});
+    checkURLDifferences("http://123.234.12",
+        {"http", "", "", "123.234.0.12", 0, "/", "", "", "http://123.234.0.12/"},
+        {"http", "", "", "123.234.12", 0, "/", "", "", "http://123.234.12/"});
 }
 
 TEST_F(URLParserTest, DefaultPort)