Title: [225829] trunk
- Revision
- 225829
- Author
- achristen...@apple.com
- Date
- 2017-12-12 17:54:26 -0800 (Tue, 12 Dec 2017)
Log Message
Fix possible out-of-bounds read in protocolIsInHTTPFamily
https://bugs.webkit.org/show_bug.cgi?id=180688
Reviewed by Daniel Bates.
Source/WebCore:
It wouldn't read very far out of bounds, and it would just change a bool return value,
but it's still out of bounds. Covered by an API test that ASAN wouldn't like.
* platform/URL.cpp:
(WebCore::protocolIsInHTTPFamily):
Check bounds before reading a string.
Tools:
* TestWebKitAPI/Tests/WebCore/URL.cpp:
(TestWebKitAPI::TEST_F):
Modified Paths
Diff
Modified: trunk/Source/WebCore/ChangeLog (225828 => 225829)
--- trunk/Source/WebCore/ChangeLog 2017-12-13 01:39:36 UTC (rev 225828)
+++ trunk/Source/WebCore/ChangeLog 2017-12-13 01:54:26 UTC (rev 225829)
@@ -1,3 +1,17 @@
+2017-12-12 Alex Christensen <achristen...@webkit.org>
+
+ Fix possible out-of-bounds read in protocolIsInHTTPFamily
+ https://bugs.webkit.org/show_bug.cgi?id=180688
+
+ Reviewed by Daniel Bates.
+
+ It wouldn't read very far out of bounds, and it would just change a bool return value,
+ but it's still out of bounds. Covered by an API test that ASAN wouldn't like.
+
+ * platform/URL.cpp:
+ (WebCore::protocolIsInHTTPFamily):
+ Check bounds before reading a string.
+
2017-12-12 Youenn Fablet <you...@apple.com>
getUserMedia is resolving before the document knows it is capturing
Modified: trunk/Source/WebCore/platform/URL.cpp (225828 => 225829)
--- trunk/Source/WebCore/platform/URL.cpp 2017-12-13 01:39:36 UTC (rev 225828)
+++ trunk/Source/WebCore/platform/URL.cpp 2017-12-13 01:54:26 UTC (rev 225829)
@@ -873,12 +873,14 @@
bool protocolIsInHTTPFamily(const String& url)
{
+ auto length = url.length();
// Do the comparison without making a new string object.
- return isASCIIAlphaCaselessEqual(url[0], 'h')
+ return length >= 5
+ && isASCIIAlphaCaselessEqual(url[0], 'h')
&& isASCIIAlphaCaselessEqual(url[1], 't')
&& isASCIIAlphaCaselessEqual(url[2], 't')
&& isASCIIAlphaCaselessEqual(url[3], 'p')
- && (url[4] == ':' || (isASCIIAlphaCaselessEqual(url[4], 's') && url[5] == ':'));
+ && (url[4] == ':' || (isASCIIAlphaCaselessEqual(url[4], 's') && length >= 6 && url[5] == ':'));
}
const URL& blankURL()
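Review bot: protocolIsInHTTPFamily still has no comment stating its contract, and the only comment in the hunk (`// Do the comparison without making a new string object.`) now sits between the new `length` capture and the return it describes, which reads oddly. What the new checks actually implement is: true only when the string begins with `http:` or `https:` compared ASCII-case-insensitively via isASCIIAlphaCaselessEqual, with no whitespace trimming, so a leading space or a longer scheme such as `httpx:` yields false. I'd add above the signature: `// True iff |url| starts with "http:" or "https:" (ASCII case-insensitive). No trimming; strings shorter than 5 (or 6 for https) are rejected before any indexing.` The `length >= 6` guard being evaluated only on the 's' branch is correct, since url[5] is read nowhere else.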
Modified: trunk/Tools/ChangeLog (225828 => 225829)
--- trunk/Tools/ChangeLog 2017-12-13 01:39:36 UTC (rev 225828)
+++ trunk/Tools/ChangeLog 2017-12-13 01:54:26 UTC (rev 225829)
@@ -1,3 +1,13 @@
+2017-12-12 Alex Christensen <achristen...@webkit.org>
+
+ Fix possible out-of-bounds read in protocolIsInHTTPFamily
+ https://bugs.webkit.org/show_bug.cgi?id=180688
+
+ Reviewed by Daniel Bates.
+
+ * TestWebKitAPI/Tests/WebCore/URL.cpp:
+ (TestWebKitAPI::TEST_F):
+
2017-12-12 JF Bastien <jfbast...@apple.com>
makeString: support more integral types
Modified: trunk/Tools/TestWebKitAPI/Tests/WebCore/URL.cpp (225828 => 225829)
--- trunk/Tools/TestWebKitAPI/Tests/WebCore/URL.cpp 2017-12-13 01:39:36 UTC (rev 225828)
+++ trunk/Tools/TestWebKitAPI/Tests/WebCore/URL.cpp 2017-12-13 01:54:26 UTC (rev 225829)
@@ -213,4 +213,22 @@
EXPECT_EQ(url.string(), url5.string());
}
+TEST_F(URLTest, ProtocolIsInHTTPFamily)
+{
+ EXPECT_FALSE(protocolIsInHTTPFamily({}));
+ EXPECT_FALSE(protocolIsInHTTPFamily(""));
+ EXPECT_FALSE(protocolIsInHTTPFamily("a"));
+ EXPECT_FALSE(protocolIsInHTTPFamily("ab"));
+ EXPECT_FALSE(protocolIsInHTTPFamily("abc"));
+ EXPECT_FALSE(protocolIsInHTTPFamily("abcd"));
+ EXPECT_FALSE(protocolIsInHTTPFamily("abcde"));
+ EXPECT_FALSE(protocolIsInHTTPFamily("abcdef"));
+ EXPECT_FALSE(protocolIsInHTTPFamily("abcdefg"));
+ EXPECT_TRUE(protocolIsInHTTPFamily("http:"));
+ EXPECT_FALSE(protocolIsInHTTPFamily("http"));
+ EXPECT_TRUE(protocolIsInHTTPFamily("https:"));
+ EXPECT_FALSE(protocolIsInHTTPFamily("https"));
+ EXPECT_TRUE(protocolIsInHTTPFamily("https://!@#$%^&*()"));
+}
+
} // namespace TestWebKitAPI
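Review bot: The new TEST_F pins every length boundary but never exercises the ASCII-case-insensitive comparison the implementation performs through isASCIIAlphaCaselessEqual, so a regression to a case-sensitive compare would still pass. Adding `EXPECT_TRUE(protocolIsInHTTPFamily("HTTP:"));` and `EXPECT_TRUE(protocolIsInHTTPFamily("HtTpS:"));` closes that gap. A negative case whose fifth character is neither ':' nor 's', such as `EXPECT_FALSE(protocolIsInHTTPFamily("httpx:"));`, would also pin the branch structure of the fix rather than only its bounds handling.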