Title: [210357] trunk/Source/WebCore
Revision
210357
Author
[email protected]
Date
2017-01-05 09:30:57 -0800 (Thu, 05 Jan 2017)

Log Message

[SOUP] AddressSanitizer: heap-use-after-free under WTF::String::fromUTF8()
https://bugs.webkit.org/show_bug.cgi?id=166722

Patch by Milan Crha <[email protected]> on 2017-01-05
Reviewed by Alex Christensen.

* platform/soup/PublicSuffixSoup.cpp:
(WebCore::topPrivatelyControlledDomain):
Use a variable to hold UTF-8 version of the domain, because
the soup_tld_get_base_domain() returns a pointer into the passed-in
string, which could be freed due to the temporary object being freed.

Modified Paths

Diff

Modified: trunk/Source/WebCore/ChangeLog (210356 => 210357)


--- trunk/Source/WebCore/ChangeLog	2017-01-05 17:09:54 UTC (rev 210356)
+++ trunk/Source/WebCore/ChangeLog	2017-01-05 17:30:57 UTC (rev 210357)
@@ -1,3 +1,16 @@
+2017-01-05  Milan Crha  <[email protected]>
+
+        [SOUP] AddressSanitizer: heap-use-after-free under WTF::String::fromUTF8()
+        https://bugs.webkit.org/show_bug.cgi?id=166722
+
+        Reviewed by Alex Christensen.
+
+        * platform/soup/PublicSuffixSoup.cpp:
+        (WebCore::topPrivatelyControlledDomain):
+        Use a variable to hold UTF-8 version of the domain, because
+        the soup_tld_get_base_domain() returns a pointer into the passed-in
+        string, which could be freed due to the temporary object being freed.
+
 2017-01-05  Andreas Kling  <[email protected]>
 
         Remove some unnecessary page cache checks in render tree code.

Modified: trunk/Source/WebCore/platform/soup/PublicSuffixSoup.cpp (210356 => 210357)


--- trunk/Source/WebCore/platform/soup/PublicSuffixSoup.cpp	2017-01-05 17:09:54 UTC (rev 210356)
+++ trunk/Source/WebCore/platform/soup/PublicSuffixSoup.cpp	2017-01-05 17:30:57 UTC (rev 210357)
@@ -47,7 +47,8 @@
         return String();
 
     GUniqueOutPtr<GError> error;
-    if (const char* baseDomain = soup_tld_get_base_domain(domain.utf8().data(), &error.outPtr()))
+    CString domainUTF8 = domain.utf8();
+    if (const char* baseDomain = soup_tld_get_base_domain(domainUTF8.data(), &error.outPtr()))
         return String::fromUTF8(baseDomain);
 
     if (g_error_matches(error.get(), SOUP_TLD_ERROR, SOUP_TLD_ERROR_NO_BASE_DOMAIN) || g_error_matches(error.get(), SOUP_TLD_ERROR, SOUP_TLD_ERROR_NOT_ENOUGH_DOMAINS))
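Review bot: the fix is correct but undocumented at the call site; a one-line comment above `CString domainUTF8 = domain.utf8();` noting that soup_tld_get_base_domain() returns a pointer into its argument (not a copy) would stop a future cleanup from folding the variable back into the call. The removed line was unsafe because the temporary CString returned by `domain.utf8()` is destroyed at the end of the `if` condition's full expression, so `baseDomain` was already dangling when `String::fromUTF8(baseDomain)` ran in the body; naming the CString extends its lifetime to the end of the enclosing scope, which covers both the call and the use of the returned pointer.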
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes