Modified: trunk/Source/WebCore/ChangeLog (266139 => 266140)
--- trunk/Source/WebCore/ChangeLog 2020-08-25 19:04:30 UTC (rev 266139)
+++ trunk/Source/WebCore/ChangeLog 2020-08-25 19:09:16 UTC (rev 266140)
@@ -1,3 +1,12 @@
+2020-08-25 Alex Christensen <[email protected]>
+
+ Fix read-after-free introduced in r266087
+ https://bugs.webkit.org/show_bug.cgi?id=215671
+
+ * Modules/fetch/FetchBodyConsumer.cpp:
+ (WebCore::packageFormData):
+ Keep the CString in scope while we are using it.
+
2020-08-25 Andres Gonzalez <[email protected]>
Crash in WebCore::AccessibilityRenderObject::textUnderElement in isolated tree mode.
Modified: trunk/Source/WebCore/Modules/fetch/FetchBodyConsumer.cpp (266139 => 266140)
--- trunk/Source/WebCore/Modules/fetch/FetchBodyConsumer.cpp 2020-08-25 19:04:30 UTC (rev 266139)
+++ trunk/Source/WebCore/Modules/fetch/FetchBodyConsumer.cpp 2020-08-25 19:09:16 UTC (rev 266140)
@@ -187,19 +187,19 @@
auto mimeType = parseMIMEType(contentType);
if (auto multipartBoundary = parseMultipartBoundary(mimeType)) {
String boundaryWithDashes = makeString("--", *multipartBoundary);
- const char* boundary = boundaryWithDashes.utf8().data();
- size_t boundaryLength = strlen(boundary);
+ CString boundary = boundaryWithDashes.utf8();
+ size_t boundaryLength = boundary.length();
- const char* currentBoundary = static_cast<const char*>(memmem(data, length, boundary, boundaryLength));
+ const char* currentBoundary = static_cast<const char*>(memmem(data, length, boundary.data(), boundaryLength));
if (!currentBoundary)
return nullptr;
- const char* nextBoundary = static_cast<const char*>(memmem(currentBoundary + boundaryLength, length - (currentBoundary + boundaryLength - data), boundary, boundaryLength));
+ const char* nextBoundary = static_cast<const char*>(memmem(currentBoundary + boundaryLength, length - (currentBoundary + boundaryLength - data), boundary.data(), boundaryLength));
if (!nextBoundary)
return nullptr;
while (nextBoundary) {
parseMultipartPart(currentBoundary + boundaryLength, nextBoundary - currentBoundary - boundaryLength - strlen("\r\n"), form.get());
currentBoundary = nextBoundary;
- nextBoundary = static_cast<const char*>(memmem(nextBoundary + boundaryLength, length - (nextBoundary + boundaryLength - data), boundary, boundaryLength));
+ nextBoundary = static_cast<const char*>(memmem(nextBoundary + boundaryLength, length - (nextBoundary + boundaryLength - data), boundary.data(), boundaryLength));
}
} else if (mimeType && equalIgnoringASCIICase(mimeType->type, "application") && equalIgnoringASCIICase(mimeType->subtype, "x-www-form-urlencoded")) {
auto dataString = String::fromUTF8(data, length);
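Review bot: The length argument to parseMultipartPart on the unchanged `while` line can wrap: nextBoundary is searched starting at `currentBoundary + boundaryLength`, so it may lie zero or one byte past that point, and `nextBoundary - currentBoundary - boundaryLength - strlen("\r\n")` is then evaluated in size_t (boundaryLength is size_t) and underflows to a huge value for a body whose boundary appears back-to-back. This commit only fixes the CString lifetime, and the body is network-supplied, so the wrapped length reaches the parser whenever the callee accepts an unsigned length (its signature is outside the hunk). A guard ahead of the call keeps that case out of parseMultipartPart: `if (static_cast<size_t>(nextBoundary - currentBoundary) - boundaryLength < strlen("\r\n")) return nullptr;` — whether returning nullptr or skipping the empty part is the right response depends on what parseMultipartPart expects. Separately, `boundary` and `boundaryLength` are never modified after initialization and could be declared `const`. packageFormData begins and ends outside this hunk.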