Modified: branches/safari-610-branch/Source/WebCore/ChangeLog (266429 => 266430)
--- branches/safari-610-branch/Source/WebCore/ChangeLog 2020-09-02 01:19:09 UTC (rev 266429)
+++ branches/safari-610-branch/Source/WebCore/ChangeLog 2020-09-02 01:19:11 UTC (rev 266430)
@@ -1,5 +1,29 @@
2020-09-01 Alan Coon <[email protected]>
+ Cherry-pick r266140. rdar://problem/68164582
+
+ Fix read-after-free introduced in r266087
+ https://bugs.webkit.org/show_bug.cgi?id=215671
+
+ * Modules/fetch/FetchBodyConsumer.cpp:
+ (WebCore::packageFormData):
+ Keep the CString in scope while we are using it.
+
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@266140 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2020-08-25 Alex Christensen <[email protected]>
+
+ Fix read-after-free introduced in r266087
+ https://bugs.webkit.org/show_bug.cgi?id=215671
+
+ * Modules/fetch/FetchBodyConsumer.cpp:
+ (WebCore::packageFormData):
+ Keep the CString in scope while we are using it.
+
+2020-09-01 Alan Coon <[email protected]>
+
Cherry-pick r266268. rdar://problem/68107183
Remove the feature flag for capped cookies set in 3rd-party CNAME cloaked HTTP responses and add ITP debug logging
Modified: branches/safari-610-branch/Source/WebCore/Modules/fetch/FetchBodyConsumer.cpp (266429 => 266430)
--- branches/safari-610-branch/Source/WebCore/Modules/fetch/FetchBodyConsumer.cpp 2020-09-02 01:19:09 UTC (rev 266429)
+++ branches/safari-610-branch/Source/WebCore/Modules/fetch/FetchBodyConsumer.cpp 2020-09-02 01:19:11 UTC (rev 266430)
@@ -187,19 +187,19 @@
auto mimeType = parseMIMEType(contentType);
if (auto multipartBoundary = parseMultipartBoundary(mimeType)) {
String boundaryWithDashes = makeString("--", *multipartBoundary);
- const char* boundary = boundaryWithDashes.utf8().data();
- size_t boundaryLength = strlen(boundary);
+ CString boundary = boundaryWithDashes.utf8();
+ size_t boundaryLength = boundary.length();
- const char* currentBoundary = static_cast<const char*>(memmem(data, length, boundary, boundaryLength));
+ const char* currentBoundary = static_cast<const char*>(memmem(data, length, boundary.data(), boundaryLength));
if (!currentBoundary)
return nullptr;
- const char* nextBoundary = static_cast<const char*>(memmem(currentBoundary + boundaryLength, length - (currentBoundary + boundaryLength - data), boundary, boundaryLength));
+ const char* nextBoundary = static_cast<const char*>(memmem(currentBoundary + boundaryLength, length - (currentBoundary + boundaryLength - data), boundary.data(), boundaryLength));
if (!nextBoundary)
return nullptr;
while (nextBoundary) {
parseMultipartPart(currentBoundary + boundaryLength, nextBoundary - currentBoundary - boundaryLength - strlen("\r\n"), form.get());
currentBoundary = nextBoundary;
- nextBoundary = static_cast<const char*>(memmem(nextBoundary + boundaryLength, length - (nextBoundary + boundaryLength - data), boundary, boundaryLength));
+ nextBoundary = static_cast<const char*>(memmem(nextBoundary + boundaryLength, length - (nextBoundary + boundaryLength - data), boundary.data(), boundaryLength));
}
} else if (mimeType && equalIgnoringASCIICase(mimeType->type, "application") && equalIgnoringASCIICase(mimeType->subtype, "x-www-form-urlencoded")) {
auto dataString = String::fromUTF8(data, length);
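Review bot: The length passed to parseMultipartPart inside the while loop, `nextBoundary - currentBoundary - boundaryLength - strlen("\r\n")`, wraps to a huge size_t when the body has fewer than two bytes between two boundaries, because nextBoundary can sit directly at currentBoundary + boundaryLength (memmem starts its search there) and the ptrdiff_t difference is converted to unsigned by the subtraction; this is body data from the network, and unless parseMultipartPart bounds-checks against the original buffer (not visible here) the part would be read past the end of data. The CString lifetime fix does not cover this case; a guard before the call such as `if (static_cast<size_t>(nextBoundary - currentBoundary) < boundaryLength + strlen("\r\n")) return nullptr;` keeps the parser on the same malformed-input path as the other early returns. The same expression shape appears in the three memmem calls, but those stay in range because each search starts after a boundary that was found inside the buffer. packageFormData begins and ends outside this hunk, so the handling of the bytes after the last boundary is not reviewable from here.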