[webkit-changes] [266140] trunk/Source/WebCore

[achristensen]

Title: [266140] trunk/Source/WebCore

Revision

266140

Author

achristen...@apple.com

Date

2020-08-25 12:09:16 -0700 (Tue, 25 Aug 2020)

Log Message

Fix read-after-free introduced in r266087
https://bugs.webkit.org/show_bug.cgi?id=215671

* Modules/fetch/FetchBodyConsumer.cpp:
(WebCore::packageFormData):
Keep the CString in scope while we are using it.

Modified Paths

• trunk/Source/WebCore/ChangeLog
• trunk/Source/WebCore/Modules/fetch/FetchBodyConsumer.cpp

Diff

Modified: trunk/Source/WebCore/ChangeLog (266139 => 266140)

--- trunk/Source/WebCore/ChangeLog	2020-08-25 19:04:30 UTC (rev 266139)
+++ trunk/Source/WebCore/ChangeLog	2020-08-25 19:09:16 UTC (rev 266140)
@@ -1,3 +1,12 @@
+2020-08-25  Alex Christensen  <achristen...@webkit.org>
+
+        Fix read-after-free introduced in r266087
+        https://bugs.webkit.org/show_bug.cgi?id=215671
+
+        * Modules/fetch/FetchBodyConsumer.cpp:
+        (WebCore::packageFormData):
+        Keep the CString in scope while we are using it.
+
 2020-08-25  Andres Gonzalez  <andresg...@apple.com>
 
         Crash in WebCore::AccessibilityRenderObject::textUnderElement in isolated tree mode.

Modified: trunk/Source/WebCore/Modules/fetch/FetchBodyConsumer.cpp (266139 => 266140)

--- trunk/Source/WebCore/Modules/fetch/FetchBodyConsumer.cpp	2020-08-25 19:04:30 UTC (rev 266139)
+++ trunk/Source/WebCore/Modules/fetch/FetchBodyConsumer.cpp	2020-08-25 19:09:16 UTC (rev 266140)
@@ -187,19 +187,19 @@
     auto mimeType = parseMIMEType(contentType);
     if (auto multipartBoundary = parseMultipartBoundary(mimeType)) {
         String boundaryWithDashes = makeString("--", *multipartBoundary);
-        const char* boundary = boundaryWithDashes.utf8().data();
-        size_t boundaryLength = strlen(boundary);
+        CString boundary = boundaryWithDashes.utf8();
+        size_t boundaryLength = boundary.length();
 
-        const char* currentBoundary = static_cast<const char*>(memmem(data, length, boundary, boundaryLength));
+        const char* currentBoundary = static_cast<const char*>(memmem(data, length, boundary.data(), boundaryLength));
         if (!currentBoundary)
             return nullptr;
-        const char* nextBoundary = static_cast<const char*>(memmem(currentBoundary + boundaryLength, length - (currentBoundary + boundaryLength - data), boundary, boundaryLength));
+        const char* nextBoundary = static_cast<const char*>(memmem(currentBoundary + boundaryLength, length - (currentBoundary + boundaryLength - data), boundary.data(), boundaryLength));
         if (!nextBoundary)
             return nullptr;
         while (nextBoundary) {
             parseMultipartPart(currentBoundary + boundaryLength, nextBoundary - currentBoundary - boundaryLength - strlen("\r\n"), form.get());
             currentBoundary = nextBoundary;
-            nextBoundary = static_cast<const char*>(memmem(nextBoundary + boundaryLength, length - (nextBoundary + boundaryLength - data), boundary, boundaryLength));
+            nextBoundary = static_cast<const char*>(memmem(nextBoundary + boundaryLength, length - (nextBoundary + boundaryLength - data), boundary.data(), boundaryLength));
         }
     } else if (mimeType && equalIgnoringASCIICase(mimeType->type, "application") && equalIgnoringASCIICase(mimeType->subtype, "x-www-form-urlencoded")) {
         auto dataString = String::fromUTF8(data, length);

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes