Bug 187239

Summary: [WPE][GTK] Another use after free in xdgmime
Product: WebKit
Reporter: Michael Catanzaro <mcatanzaro>
Component: WebKitGTK
Assignee: Michael Catanzaro <mcatanzaro>
Status: RESOLVED FIXED
Severity: Normal
CC: bugs-noreply, calvaris, cgarcia, commit-queue, ews-watchlist, mcatanzaro
Priority: P2
Version: Other
Hardware: PC
OS: Linux
Attachments:
  Patch (flags: none)
  Archive of layout-test-results from ews204 for win-future (flags: none)

Description Michael Catanzaro 2018-07-01 19:54:00 PDT
Chromium has this patch to xdgmime:

diff --git a/base/third_party/xdg_mime/xdgmime.c b/base/third_party/xdg_mime/xdgmime.c
index c7b16bb..6dc58c2 100644
--- a/base/third_party/xdg_mime/xdgmime.c
+++ b/base/third_party/xdg_mime/xdgmime.c
@@ -558,13 +558,13 @@ xdg_mime_get_mime_type_for_file (const char  *file_name,
   mime_type = _xdg_mime_magic_lookup_data (global_magic, data, bytes_read, NULL,
 					   mime_types, n);
 
-  free (data);
   fclose (file);
 
-  if (mime_type)
-    return mime_type;
+  if (!mime_type)
+    mime_type = _xdg_binary_or_text_fallback(data, bytes_read);
 
-  return _xdg_binary_or_text_fallback(data, bytes_read);
+  free (data);
+  return mime_type;
 }
 
 const char *
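Review bot: the reorder is only safe if neither `_xdg_mime_magic_lookup_data` nor `_xdg_binary_or_text_fallback` returns a pointer into `data`; with `free (data);` now placed immediately before `return mime_type;`, a result that aliased the buffer would just move the use-after-free from this function to its caller. Worth a one-line comment above the moved `free (data);` stating that both callees return constant strings, so a later change to either does not silently reintroduce the bug. Minor style: `_xdg_binary_or_text_fallback(data, bytes_read)` drops the space before the parenthesis that the surrounding calls use (`free (data)`, `fclose (file)`).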

I'm pretty sure this code is never executed by either Chromium or WebKit, but I'm not comfortable with leaving it broken, so we should include this patch. It has been submitted to upstream at https://bugs.freedesktop.org/show_bug.cgi?id=100733, but the maintainer has indicated a disinterest in continuing to maintain upstream xdgmime, probably because it is xdgmime.
Comment 1 Michael Catanzaro 2018-07-02 09:25:59 PDT
Created attachment 344105 [details]
Patch
Comment 2 EWS Watchlist 2018-07-02 12:13:10 PDT
Comment on attachment 344105 [details]
Patch

Attachment 344105 [details] did not pass win-ews (win):
Output: https://webkit-queues.webkit.org/results/8414330

New failing tests:
http/tests/preload/onload_event.html
Comment 3 EWS Watchlist 2018-07-02 12:13:21 PDT
Created attachment 344126 [details]
Archive of layout-test-results from ews204 for win-future

The attached test failures were seen while running run-webkit-tests on the win-ews.
Bot: ews204  Port: win-future  Platform: CYGWIN_NT-6.1-2.9.0-0.318-5-3-x86_64-64bit
Comment 4 Carlos Garcia Campos 2018-07-02 23:39:01 PDT
Comment on attachment 344105 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=344105&action=review

> Source/ThirdParty/xdgmime/README.webkit:24
> +Changes included from Chromium:
> +
> + - c432cac0a0beb77c63081536fc9d53b40e642cbf small patch that fixes potential crash in xdg_mime_get_mime_type_for_file() - use of pointer after being freed.

This should be upstreamed, no?
Comment 5 WebKit Commit Bot 2018-07-03 00:06:05 PDT
Comment on attachment 344105 [details]
Patch

Clearing flags on attachment: 344105

Committed r233457: <https://trac.webkit.org/changeset/233457>
Comment 6 WebKit Commit Bot 2018-07-03 00:06:06 PDT
All reviewed patches have been landed.  Closing bug.
Comment 7 Michael Catanzaro 2018-07-03 07:15:04 PDT
Like I said, I submitted it for upstream in https://bugs.freedesktop.org/show_bug.cgi?id=100733, but I do not expect it to be accepted.

And this code is not compiled in glib's copy.