Source/WebCore:
author bfulgham@apple.com <bfulgham@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 22 Mar 2016 16:02:22 +0000 (16:02 +0000)
committer bfulgham@apple.com <bfulgham@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 22 Mar 2016 16:02:22 +0000 (16:02 +0000)
SharedBuffer::copy() can cause a segmentation fault.
https://bugs.webkit.org/show_bug.cgi?id=155739

Reviewed by Ryosuke Niwa.

Based on a Blink patch by Huang Dongsung <luxtella@company100.net>.
<https://src.chromium.org/viewvc/blink?revision=153850&view=revision>

After SharedBuffer::copy(), SharedBuffer::append() can cause a segmentation fault,
because copy() calls clone->m_buffer.append(m_segments[i], segmentSize) even if
'i' is the last index. The data size of m_segments.last() is often less than
segmentSize. So, in the cloned instance m_size < (m_buffer.size() + SUM(m_segments[i].size())).
This patch appends the exact size of the last segment instead of segmentSize.

Tested by TestWebKitAPI SharedBufferTest::copy

* platform/SharedBuffer.cpp:
(SharedBuffer::copy):

Tools:
[Win] SharedBuffer::copy() can cause a segmentation fault.
https://bugs.webkit.org/show_bug.cgi?id=155739

Reviewed by Ryosuke Niwa.

* TestWebKitAPI/PlatformWin.cmake: Build and run the
SharedBuffer tests.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@198530 268f45cc-cd09-0410-ab3c-d52691b4dbfc

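The following is an added illustration, not WebKit code and not part of this commit: a toy model of the layout the commit message describes (a contiguous head, fixed-size segments of which only the last may be partially filled, and a logical size), with copy() written the way it was before this change and the way it is after it, plus a consistency check. The names (sharedbuffer_model, Buffer, kSegmentSize of 4, copyBeforeFix, copyAfterFix, makeSample) are hypothetical, and the assert in copyAfterFix is this example's own addition, not something the patch contains.

```cpp
// Added illustration, not WebKit code: a toy model of the segmented layout the
// commit message describes, with copy() before and after the fix. All names are
// hypothetical; only the shape (head + full segments + partial last segment) follows
// the commit message.
#include <algorithm>
#include <cassert>
#include <cstddef>
#include <cstring>
#include <iostream>
#include <memory>
#include <string>
#include <vector>

namespace sharedbuffer_model {

constexpr size_t kSegmentSize = 4; // tiny on purpose: a partially filled last segment is easy to build

struct Buffer {
    std::vector<char> head;                        // stands in for m_buffer->data
    std::vector<std::unique_ptr<char[]>> segments; // stands in for m_segments; kSegmentSize bytes each
    size_t size = 0;                               // stands in for m_size (logical byte count)

    // Invariant from the commit message: every segment except the last is full, so the
    // last segment's fill is implied by `size` and not stored anywhere else.
    size_t bytesInLastSegment() const {
        if (segments.empty())
            return 0;
        return size - head.size() - (segments.size() - 1) * kSegmentSize;
    }

    // True when `size` agrees with what the storage actually holds.
    bool consistent() const {
        if (segments.empty())
            return size == head.size();
        size_t fullPart = head.size() + (segments.size() - 1) * kSegmentSize;
        return size > fullPart && size - fullPart <= kSegmentSize;
    }

    // Append into segments, topping up the last one before allocating another.
    void append(const char* data, size_t length) {
        while (length) {
            size_t used = bytesInLastSegment();
            if (segments.empty() || used == kSegmentSize) {
                segments.push_back(std::make_unique<char[]>(kSegmentSize)); // zero-filled
                used = 0;
            }
            size_t chunk = std::min(length, kSegmentSize - used);
            std::memcpy(segments.back().get() + used, data, chunk);
            data += chunk;
            length -= chunk;
            size += chunk;
        }
    }
};

// Flatten using the invariant: only the real fill of the last segment is read.
std::string contents(const Buffer& b) {
    std::string out(b.head.begin(), b.head.end());
    for (size_t i = 0; i < b.segments.size(); ++i) {
        size_t n = (i + 1 == b.segments.size()) ? b.bytesInLastSegment() : kSegmentSize;
        out.append(b.segments[i].get(), n);
    }
    return out;
}

// copy() as it was before r198530: segmentSize bytes from every segment, last one included,
// so the clone stores more bytes than its `size` claims.
Buffer copyBeforeFix(const Buffer& b) {
    Buffer clone;
    clone.size = b.size;
    clone.head.assign(b.head.begin(), b.head.end());
    for (const auto& seg : b.segments)
        clone.head.insert(clone.head.end(), seg.get(), seg.get() + kSegmentSize); // over-copies the tail
    return clone;
}

// copy() after the fix: the last segment contributes only its real fill. The assert is this
// example's addition (the patch has none): the subtraction is unsigned, so a corrupt `size`
// would wrap to a huge length instead of failing loudly.
Buffer copyAfterFix(const Buffer& b) {
    Buffer clone;
    clone.size = b.size;
    clone.head.assign(b.head.begin(), b.head.end());
    if (!b.segments.empty()) {
        size_t lastIndex = b.segments.size() - 1;
        for (size_t i = 0; i < lastIndex; ++i)
            clone.head.insert(clone.head.end(), b.segments[i].get(), b.segments[i].get() + kSegmentSize);
        size_t fullPart = b.head.size() + lastIndex * kSegmentSize;
        assert(b.size >= fullPart && b.size - fullPart <= kSegmentSize);
        size_t sizeOfLastSegment = b.size - fullPart;
        clone.head.insert(clone.head.end(), b.segments.back().get(), b.segments.back().get() + sizeOfLastSegment);
    }
    return clone;
}

// Constructed sample: 2 head bytes, then 10 appended bytes -> segments [0123][4567][89__],
// so the last segment holds 2 of its 4 bytes.
Buffer makeSample() {
    Buffer b;
    b.head = { 'h', 'd' };
    b.size = b.head.size();
    b.append("0123456789", 10);
    return b;
}

} // namespace sharedbuffer_model

int main() {
    using namespace sharedbuffer_model;
    Buffer original = makeSample();
    Buffer bad = copyBeforeFix(original);
    Buffer good = copyAfterFix(original);
    std::cout << "before fix: stored " << bad.head.size() << " bytes, size " << bad.size
              << ", consistent=" << bad.consistent() << "\n";
    std::cout << "after fix:  stored " << good.head.size() << " bytes, size " << good.size
              << ", consistent=" << good.consistent() << "\n";
    return 0;
}
```

With the sample above the pre-fix clone stores 14 bytes while its size field still says 12, which is exactly the `m_size < m_buffer.size() + SUM(...)` mismatch the commit message describes; the post-fix clone stores 12 bytes and round-trips the original contents.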
Source/WebCore/ChangeLog
Source/WebCore/platform/SharedBuffer.cpp
Tools/ChangeLog
Tools/TestWebKitAPI/PlatformWin.cmake

index ea81840..2814d7f 100644 (file)
@@ -1,3 +1,24 @@
+2016-03-22  Brent Fulgham  <bfulgham@apple.com>
+
+        SharedBuffer::copy() can cause a segmentation fault.
+        https://bugs.webkit.org/show_bug.cgi?id=155739
+
+        Reviewed by Ryosuke Niwa.
+
+        Based on a Blink patch by Huang Dongsung <luxtella@company100.net>.
+        <https://src.chromium.org/viewvc/blink?revision=153850&view=revision>
+
+        After SharedBuffer::copy(), SharedBuffer::append() can cause segmentation fault,
+        because copy() calls clone->m_buffer.append(m_segments[i], segmentSize) even if
+        'i' is the last index. The data size of m_segments.last() is often less than
+        segmentSize. So, in the cloned instance m_size < (m_buffer.size() + SUM(m_segments[i].size())).
+        This patch appends the exact size of the last segment instead of segmentSize.
+
+        Tested by TestWebKitAPI SharedBufferTest::copy
+
+        * platform/SharedBuffer.cpp:
+        (SharedBuffer::copy): 
+
 2016-03-22  Alberto Garcia  <berto@igalia.com>
 
         Unreviewed typo fix.
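Review bot: the function annotation `(SharedBuffer::copy): ` on the last added line carries trailing whitespace and no description; WebKit ChangeLog style puts a short note after the colon (for example, "Append only the real size of the last segment"), and the trailing space should be dropped.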
index 7d23990..0f340de 100644 (file)
@@ -264,8 +264,14 @@ Ref<SharedBuffer> SharedBuffer::copy() const
     clone->m_buffer->data.append(m_buffer->data.data(), m_buffer->data.size());
 
 #if !USE(NETWORK_CFDATA_ARRAY_CALLBACK)
-    for (char* segment : m_segments)
-        clone->m_buffer->data.append(segment, segmentSize);
+    if (!m_segments.isEmpty()) {
+        unsigned lastIndex = m_segments.size() - 1;
+        for (unsigned i = 0; i < lastIndex; ++i)
+            clone->m_buffer->data.append(m_segments[i], segmentSize);
+
+        unsigned sizeOfLastSegment = m_size - m_buffer->data.size() - lastIndex * segmentSize;
+        clone->m_buffer->data.append(m_segments.last(), sizeOfLastSegment);
+    }
 #else
     for (auto& data : m_dataArray)
         clone->m_dataArray.append(data.get());
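Review bot: `sizeOfLastSegment` is derived purely by unsigned subtraction from `m_size`, so if `m_size` is ever smaller than `m_buffer->data.size() + lastIndex * segmentSize` the value wraps and the final `append` reads far past the last segment instead of failing; add `ASSERT(sizeOfLastSegment <= segmentSize)` (or assert the invariant before the subtraction) so a corrupt `m_size` trips in debug builds. The loop over `i < lastIndex` also silently relies on every segment except the last being completely full, which is the invariant the commit message states; a one-line comment at the top of the block would make that explicit. Minor: `lastIndex` is declared `unsigned` while `m_segments.size()` is `size_t`.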
index 97853be..b8c094b 100644 (file)
@@ -1,3 +1,13 @@
+2016-03-21  Brent Fulgham  <bfulgham@apple.com>
+
+        [Win] SharedBuffer::copy() can cause a segmentation fault.
+        https://bugs.webkit.org/show_bug.cgi?id=155739
+
+        Reviewed by Ryosuke Niwa.
+
+        * TestWebKitAPI/PlatformWin.cmake: Build and run the
+        SharedBuffer tests.
+
 2016-03-22  Csaba Osztrogon√°c  <ossy@webkit.org>
 
         [buildbot] Move ARM Linux bots to JSCOnly port
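Review bot: the new Tools ChangeLog entry is dated 2016-03-21 on its first line, yet it is placed above a 2016-03-22 entry and belongs to a commit made on 2016-03-22 (the WebCore entry in this same commit uses 2016-03-22); make the date match so the ChangeLog stays in chronological order.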
index 66df4b6..2bdbff3 100644 (file)
@@ -18,6 +18,7 @@ set(test_main_SOURCES
 include_directories(
     ${DERIVED_SOURCES_DIR}
     ${DERIVED_SOURCES_DIR}/ForwardingHeaders
+    ${DERIVED_SOURCES_DIR}/ForwardingHeaders/JavaScriptCore
     ${TESTWEBKITAPI_DIR}/win
     ${DERIVED_SOURCES_DIR}/WebKit/Interfaces
 )
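Review bot: the added `${DERIVED_SOURCES_DIR}/ForwardingHeaders/JavaScriptCore` include path is not mentioned in the Tools ChangeLog entry, which only says "Build and run the SharedBuffer tests"; add a line naming this include directory and why the SharedBuffer test needs JavaScriptCore forwarding headers, otherwise a later cleanup of PlatformWin.cmake has no record of the dependency.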
@@ -43,6 +44,7 @@ set(TestWebCoreLib_SOURCES
     ${TESTWEBKITAPI_DIR}/Tests/WebCore/HTMLParserIdioms.cpp
     ${TESTWEBKITAPI_DIR}/Tests/WebCore/LayoutUnit.cpp
     ${TESTWEBKITAPI_DIR}/Tests/WebCore/ParsedContentRange.cpp
+    ${TESTWEBKITAPI_DIR}/Tests/WebCore/SharedBuffer.cpp
     ${TESTWEBKITAPI_DIR}/Tests/WebCore/TimeRanges.cpp
     ${TESTWEBKITAPI_DIR}/Tests/WebCore/URL.cpp
 )