Title: [208753] trunk/Source/WebCore
- Revision
- 208753
- Author
- [email protected]
- Date
- 2016-11-15 14:00:23 -0800 (Tue, 15 Nov 2016)
Log Message
strncpy may leave unterminated string in WebCore::URL::init
https://bugs.webkit.org/show_bug.cgi?id=74473
<rdar://problem/10576626>
Reviewed by David Kilzer.
Reviving an old patch by David Kilzer! This should have been integrated years ago.
No new tests. No change in behavior.
* platform/URL.cpp:
(WebCore::URL::init): Make sure we always enter 'parse' with a
null-terminated string.
Diff
Modified: trunk/Source/WebCore/ChangeLog (208752 => 208753)
--- trunk/Source/WebCore/ChangeLog 2016-11-15 21:51:41 UTC (rev 208752)
+++ trunk/Source/WebCore/ChangeLog 2016-11-15 22:00:23 UTC (rev 208753)
@@ -1,3 +1,19 @@
+2016-11-15 Brent Fulgham <[email protected]>
+
+ strncpy may leave unterminated string in WebCore::URL::init
+ https://bugs.webkit.org/show_bug.cgi?id=74473
+ <rdar://problem/10576626>
+
+ Reviewed by David Kilzer.
+
+ Reviving an old patch by David Kilzer! This should have been integrated years ago.
+
+ No new tests. No change in behavior.
+
+ * platform/URL.cpp:
+ (WebCore::URL::init): Make sure we always enter 'parse' with a
+ null-terminated string.
+
2016-11-15 Jiewen Tan <[email protected]>
Followup patch for r208737
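Review bot: "No change in behavior." in this ChangeLog entry understates the URL.cpp change: for a relative reference that fills the remaining buffer, the old code could hand parse() an unterminated string, while the new code hands it a truncated, null-terminated one, which is a behavior change in exactly the case the patch exists to fix. Suggest wording it as "No change in behavior for well-formed input; over-long relative references are now truncated with a terminator instead of left unterminated."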
Modified: trunk/Source/WebCore/platform/URL.cpp (208752 => 208753)
--- trunk/Source/WebCore/platform/URL.cpp 2016-11-15 21:51:41 UTC (rev 208752)
+++ trunk/Source/WebCore/platform/URL.cpp 2016-11-15 22:00:23 UTC (rev 208753)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2007, 2008, 2011, 2012, 2013, 2015-2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2004, 2007-2008, 2011-2013, 2015-2016 Apple Inc. All rights reserved.
* Copyright (C) 2012 Research In Motion Limited. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -666,11 +666,13 @@
// all done with the path work, now copy any remainder
// of the relative reference; this will also add a null terminator
- strncpy(bufferPos, relStringPos, bufferSize - (bufferPos - bufferStart));
+ const size_t currentOffset = bufferPos - bufferStart;
+ auto remainingBufferSize = bufferSize - currentOffset;
+ ASSERT(currentOffset + strlen(relStringPos) + 1 <= bufferSize);
+ strncpy(bufferPos, relStringPos, remainingBufferSize);
+ bufferPos[remainingBufferSize - 1] = '\0';
parse(parseBuffer.data(), &relative);
-
- ASSERT(strlen(parseBuffer.data()) + 1 <= parseBuffer.size());
break;
}
}
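Review bot: The comment immediately above the strncpy ("this will also add a null terminator") is now stale, since termination is done explicitly by `bufferPos[remainingBufferSize - 1] = '\0';`; update it to say the copy is bounded and the terminator is written unconditionally. Two further points: the new `ASSERT(currentOffset + strlen(relStringPos) + 1 <= bufferSize);` only fires in debug builds, so in release a relative reference longer than the remaining space is silently truncated before parse() sees it, and it would be worth either documenting that as the intended release behavior or handling it (for example by failing the URL) rather than parsing a shortened string; and the post-parse `ASSERT(strlen(parseBuffer.data()) + 1 <= parseBuffer.size());` is dropped, which was the only check that parse() itself left the buffer terminated. Minor style: `currentOffset` is declared `const size_t` while `remainingBufferSize` uses `auto`; pick one form for both.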
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes