Skip to site navigation (Press enter)

[webkit-changes] [198530] trunk

bfulgham Tue, 22 Mar 2016 09:02:34 -0700

Title: [198530] trunk

Revision: 198530
Author: [email protected]
Date: 2016-03-22 09:02:22 -0700 (Tue, 22 Mar 2016)

Log Message

Source/WebCore:
SharedBuffer::copy() can cause a segmentation fault.
https://bugs.webkit.org/show_bug.cgi?id=155739


Reviewed by Ryosuke Niwa.

Based on a Blink patch by Huang Dongsung <[email protected]>.
<https://src.chromium.org/viewvc/blink?revision=153850&view=revision>

After SharedBuffer::copy(), SharedBuffer::append() can cause segmentation fault,
because copy() calls clone->m_buffer.append(m_segments[i], segmentSize) even if
'i' is the last index. The data size of m_segments.last() is often less than
segmentSize. So, in the cloned instance m_size < (m_buffer.size() + SUM(m_segments[i].size())).
This patch appends the exact size of the last segment instead of segmentSize.

Tested by TestWebKitAPI SharedBufferTest::copy

* platform/SharedBuffer.cpp:
(SharedBuffer::copy): 

Tools:
[Win] SharedBuffer::copy() can cause a segmentation fault.
https://bugs.webkit.org/show_bug.cgi?id=155739

Reviewed by Ryosuke Niwa.

* TestWebKitAPI/PlatformWin.cmake: Build and run the
SharedBuffer tests.

Modified Paths

trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/platform/SharedBuffer.cpp
trunk/Tools/ChangeLog
trunk/Tools/TestWebKitAPI/PlatformWin.cmake

Diff

Modified: trunk/Source/WebCore/ChangeLog (198529 => 198530)


--- trunk/Source/WebCore/ChangeLog	2016-03-22 15:29:15 UTC (rev 198529)
+++ trunk/Source/WebCore/ChangeLog	2016-03-22 16:02:22 UTC (rev 198530)
@@ -1,3 +1,24 @@
+2016-03-22  Brent Fulgham  <[email protected]>
+
+        SharedBuffer::copy() can cause a segmentation fault.
+        https://bugs.webkit.org/show_bug.cgi?id=155739
+
+        Reviewed by Ryosuke Niwa.
+
+        Based on a Blink patch by Huang Dongsung <[email protected]>.
+        <https://src.chromium.org/viewvc/blink?revision=153850&view=revision>
+
+        After SharedBuffer::copy(), SharedBuffer::append() can cause segmentation fault,
+        because copy() calls clone->m_buffer.append(m_segments[i], segmentSize) even if
+        'i' is the last index. The data size of m_segments.last() is often less than
+        segmentSize. So, in the cloned instance m_size < (m_buffer.size() + SUM(m_segments[i].size())).
+        This patch appends the exact size of the last segment instead of segmentSize.
+
+        Tested by TestWebKitAPI SharedBufferTest::copy
+
+        * platform/SharedBuffer.cpp:
+        (SharedBuffer::copy): 
+
 2016-03-22  Alberto Garcia  <[email protected]>
 
         Unreviewed typo fix.

Modified: trunk/Source/WebCore/platform/SharedBuffer.cpp (198529 => 198530)


--- trunk/Source/WebCore/platform/SharedBuffer.cpp	2016-03-22 15:29:15 UTC (rev 198529)
+++ trunk/Source/WebCore/platform/SharedBuffer.cpp	2016-03-22 16:02:22 UTC (rev 198530)
@@ -264,8 +264,14 @@
     clone->m_buffer->data.append(m_buffer->data.data(), m_buffer->data.size());
 
 #if !USE(NETWORK_CFDATA_ARRAY_CALLBACK)
-    for (char* segment : m_segments)
-        clone->m_buffer->data.append(segment, segmentSize);
+    if (!m_segments.isEmpty()) {
+        unsigned lastIndex = m_segments.size() - 1;
+        for (unsigned i = 0; i < lastIndex; ++i)
+            clone->m_buffer->data.append(m_segments[i], segmentSize);
+
+        unsigned sizeOfLastSegment = m_size - m_buffer->data.size() - lastIndex * segmentSize;
+        clone->m_buffer->data.append(m_segments.last(), sizeOfLastSegment);
+    }
 #else
     for (auto& data : m_dataArray)
         clone->m_dataArray.append(data.get());

Modified: trunk/Tools/ChangeLog (198529 => 198530)


--- trunk/Tools/ChangeLog	2016-03-22 15:29:15 UTC (rev 198529)
+++ trunk/Tools/ChangeLog	2016-03-22 16:02:22 UTC (rev 198530)
@@ -1,3 +1,13 @@
+2016-03-21  Brent Fulgham  <[email protected]>
+
+        [Win] SharedBuffer::copy() can cause a segmentation fault.
+        https://bugs.webkit.org/show_bug.cgi?id=155739
+
+        Reviewed by Ryosuke Niwa.
+
+        * TestWebKitAPI/PlatformWin.cmake: Build and run the
+        SharedBuffer tests.
+
 2016-03-22  Csaba Osztrogonác  <[email protected]>
 
         [buildbot] Move ARM Linux bots to JSCOnly port

Modified: trunk/Tools/TestWebKitAPI/PlatformWin.cmake (198529 => 198530)


--- trunk/Tools/TestWebKitAPI/PlatformWin.cmake	2016-03-22 15:29:15 UTC (rev 198529)
+++ trunk/Tools/TestWebKitAPI/PlatformWin.cmake	2016-03-22 16:02:22 UTC (rev 198530)
@@ -18,6 +18,7 @@
 include_directories(
     ${DERIVED_SOURCES_DIR}
     ${DERIVED_SOURCES_DIR}/ForwardingHeaders
+    ${DERIVED_SOURCES_DIR}/ForwardingHeaders/_javascript_Core
     ${TESTWEBKITAPI_DIR}/win
     ${DERIVED_SOURCES_DIR}/WebKit/Interfaces
 )
@@ -43,6 +44,7 @@
     ${TESTWEBKITAPI_DIR}/Tests/WebCore/HTMLParserIdioms.cpp
     ${TESTWEBKITAPI_DIR}/Tests/WebCore/LayoutUnit.cpp
     ${TESTWEBKITAPI_DIR}/Tests/WebCore/ParsedContentRange.cpp
+    ${TESTWEBKITAPI_DIR}/Tests/WebCore/SharedBuffer.cpp
     ${TESTWEBKITAPI_DIR}/Tests/WebCore/TimeRanges.cpp
     ${TESTWEBKITAPI_DIR}/Tests/WebCore/URL.cpp
 )

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes