WebKit Bugzilla
Attachment 362556 Details for Bug 194877: URL percent-encode operations should use checked arithmetic for buffer allocation length
Description: Patch
Filename: bug-194877-20190220154408.patch
MIME Type: text/plain
Creator: Alex Christensen
Created: 2019-02-20 15:44:08 PST
Size: 2.83 KB
Flags: patch, obsolete
>Index: Source/WTF/ChangeLog >=================================================================== >--- Source/WTF/ChangeLog (revision 241846) >+++ Source/WTF/ChangeLog (working copy) >@@ -1,3 +1,16 @@ >+2019-02-20 Alex Christensen <achristensen@webkit.org> >+ >+ URL percent-encode operations should use checked arithmetic for buffer allocation length >+ https://bugs.webkit.org/show_bug.cgi?id=194877 >+ <rdar://problem/48212062> >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ * wtf/URLHelpers.cpp: >+ (WTF::URLHelpers::userVisibleURL): >+ * wtf/cocoa/NSURLExtras.mm: >+ (WTF::dataWithUserTypedString): >+ > 2019-02-20 Andy Estes <aestes@apple.com> > > [Xcode] Add SDKVariant.xcconfig to various Xcode projects >Index: Source/WTF/wtf/URLHelpers.cpp >=================================================================== >--- Source/WTF/wtf/URLHelpers.cpp (revision 241753) >+++ Source/WTF/wtf/URLHelpers.cpp (working copy) >@@ -808,9 +808,11 @@ String userVisibleURL(const CString& url > > bool mayNeedHostNameDecoding = false; > >- // The buffer should be large enough to %-escape every character. >- int bufferLength = (length * 3) + 1; >- Vector<char, urlBytesBufferLength> after(bufferLength); >+ Checked<int, RecordOverflow> bufferLength = length; >+ bufferLength = bufferLength * 3 + 1; // The buffer should be large enough to %-escape every character. >+ if (bufferLength.hasOverflowed()) >+ return { }; >+ Vector<char, urlBytesBufferLength> after(bufferLength.unsafeGet()); > > char* q = after.data(); > { 
>@@ -850,7 +852,7 @@ String userVisibleURL(const CString& url > // then we will copy back bytes to the start of the buffer > // as we convert. > int afterlength = q - after.data(); >- char* p = after.data() + bufferLength - afterlength - 1; >+ char* p = after.data() + bufferLength.unsafeGet() - afterlength - 1; > memmove(p, after.data(), afterlength + 1); // copies trailing '\0' > char* q = after.data(); > while (*p) { >Index: Source/WTF/wtf/cocoa/NSURLExtras.mm >=================================================================== >--- Source/WTF/wtf/cocoa/NSURLExtras.mm (revision 241753) >+++ Source/WTF/wtf/cocoa/NSURLExtras.mm (working copy) >@@ -194,8 +194,13 @@ static NSData *dataWithUserTypedString(N > int inLength = [userTypedData length]; > if (!inLength) > return nil; >+ >+ Checked<int, RecordOverflow> mallocLength = inLength; >+ mallocLength *= 3; // large enough to %-escape every character >+ if (mallocLength.hasOverflowed()) >+ return nil; > >- char* outBytes = static_cast<char *>(malloc(inLength * 3)); // large enough to %-escape every character >+ char* outBytes = static_cast<char *>(malloc(mallocLength.unsafeGet())); > char* p = outBytes; > int outLength = 0; > for (int i = 0; i < inLength; i++) {
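Review bot: the ChangeLog entry lists the touched functions but says nothing about the new failure behaviour. Both call sites now bail out when the buffer length computation overflows `int`, so a sentence stating that `userVisibleURL` returns an empty String and `dataWithUserTypedString` returns nil in that case would help anyone reading the log later. `Reviewed by NOBODY (OOPS!)` is the expected placeholder before review.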
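Review bot: in the first URLHelpers.cpp hunk the check covers the multiplication and the `+ 1`, but the declaration of `length` is not visible here. If it is wider than `int` (for example a `size_t` from the CString), the line `Checked<int, RecordOverflow> bufferLength = length;` relies on Checked's converting constructor flagging an out-of-range value as overflow; please confirm that declaration so the early `return { };` also catches an over-long input and not only the arithmetic. As a style point, `bufferLength = bufferLength * 3 + 1;` could be written as `bufferLength *= 3; bufferLength += 1;` to match the `mallocLength *= 3;` form used in NSURLExtras.mm.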
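Review bot: in the second URLHelpers.cpp hunk `bufferLength.unsafeGet()` is now the second call on the same checked value after a single overflow test. Extracting the plain `int` once right after the check (for example `int bufferLength = checkedBufferLength.unsafeGet();`) would keep the rest of `userVisibleURL` free of `unsafeGet()` calls and make it obvious that every use is post-check; the pointer arithmetic in `after.data() + bufferLength - afterlength - 1` itself is unchanged from before.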
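Review bot: in the NSURLExtras.mm hunk the narrowing happens one line before the new check. The context line `int inLength = [userTypedData length];` converts an `NSUInteger` to `int`, so a data object longer than `INT_MAX` bytes is already wrapped or negative by the time `mallocLength` is initialised, and `mallocLength *= 3` on a negative value does not set `hasOverflowed()`; `malloc(mallocLength.unsafeGet())` would then receive that value converted to `size_t`. Initialising `Checked<int, RecordOverflow> mallocLength = [userTypedData length];` directly, or comparing `[userTypedData length]` against `INT_MAX` before assigning to `inLength`, would put the check ahead of the narrowing.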