Title: [131315] trunk
Revision
131315
Author
jcive...@chromium.org
Date
2012-10-15 10:25:58 -0700 (Mon, 15 Oct 2012)

Log Message

Calling WebCore::SharedBuffer::append(data, 0) on a shared buffer when
its current position is at a segment boundary (4096) ends up adding an
uninitialized segment (with uninitialized memory) to the SharedBuffer.
https://bugs.webkit.org/show_bug.cgi?id=99000

Reviewed by Adam Barth.

Source/WebCore:

* platform/SharedBuffer.cpp:
(WebCore::SharedBuffer::append):

LayoutTests:

* mhtml/shared_buffer_bug-expected.txt: Added.
* mhtml/shared_buffer_bug.mht: Added.
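As an added illustration, not WebKit's code: a toy segmented buffer modelled on the behaviour the log message describes (fixed 4096-byte segments, readers locating byte N in segment N / 4096), with the zero-length guard from the diff switchable so the faulty and fixed outcomes can be compared side by side. ToySegmentedBuffer, its members and reproduce() are hypothetical names; the model leaves out SharedBuffer's other storage paths (purgeable buffers, platform data, the small inline buffer).

```cpp
#include <algorithm>
#include <cstring>
#include <memory>
#include <vector>

static const unsigned kSegmentSize = 4096; // the boundary named in the log message
struct ToySegmentedBuffer {
    explicit ToySegmentedBuffer(bool guardZeroLength) : guard(guardZeroLength), size(0) {}
    void append(const char* data, unsigned length)
    {
        if (guard && !length) return; // the r131315 guard: nothing to copy, so allocate nothing
        unsigned positionInSegment = size % kSegmentSize;
        size += length;
        if (!positionInSegment) // at a boundary: without the guard this runs for length == 0
            pushSegment();      // as well, leaving a segment that nothing is ever copied into
        for (;;) {
            unsigned bytesToCopy = std::min(length, kSegmentSize - positionInSegment);
            std::memcpy(segments.back().get() + positionInSegment, data, bytesToCopy);
            used.back() += bytesToCopy; // bookkeeping for byteAt() only
            if (length == bytesToCopy) return;
            length -= bytesToCopy;
            data += bytesToCopy;
            positionInSegment = 0;
            pushSegment();
        }
    }
    // Byte a reader finds at `offset`, or -1 if the read would hit storage nothing was copied into.
    int byteAt(unsigned offset) const
    {
        size_t index = offset / kSegmentSize, pos = offset % kSegmentSize;
        if (index >= segments.size() || pos >= used[index]) return -1;
        return static_cast<unsigned char>(segments[index][pos]);
    }
    void pushSegment() { segments.push_back(std::unique_ptr<char[]>(new char[kSegmentSize])); used.push_back(0); }
    bool guard; unsigned size;
    std::vector<std::unique_ptr<char[]> > segments;
    std::vector<unsigned> used;
};

// Reproduces the report: fill one segment exactly, append zero bytes at the boundary,
// then append real data and look for it at offset kSegmentSize ('b' when the buffer is sane).
int reproduce(bool guardZeroLength)
{
    ToySegmentedBuffer buffer(guardZeroLength);
    std::vector<char> page(kSegmentSize, 'a');
    buffer.append(page.data(), kSegmentSize);
    buffer.append("", 0);
    buffer.append("bcd", 3);
    return buffer.byteAt(kSegmentSize);
}
```

Without the guard the zero-length append leaves an empty segment at index 1, so the later data lands in index 2 while a reader of offset 4096 still consults index 1; with the guard the data is where the reader expects it.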

Diff

Modified: trunk/LayoutTests/ChangeLog (131314 => 131315)


--- trunk/LayoutTests/ChangeLog	2012-10-15 17:15:34 UTC (rev 131314)
+++ trunk/LayoutTests/ChangeLog	2012-10-15 17:25:58 UTC (rev 131315)
@@ -1,3 +1,15 @@
+2012-10-15  Jay Civelli  <jcive...@chromium.org>
+
+        Calling WebCore::SharedBuffer::append(data, 0) on a shared buffer when
+        its current position is at a segment boundary (4096) ends up adding an
+        unitialized segment (with uninitialized memory) to the SharedBuffer.
+        https://bugs.webkit.org/show_bug.cgi?id=99000
+
+        Reviewed by Adam Barth.
+
+        * mhtml/shared_buffer_bug-expected.txt: Added.
+        * mhtml/shared_buffer_bug.mht: Added.
+
 2012-10-15  Luke Macpherson   <macpher...@chromium.org>
 
         Make CSS variable names case-insensitive.
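Review bot: "unitialized" in the new ChangeLog entry is misspelled; it should read "uninitialized" so that the entry matches the bug title and is found by a search for the word.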

Added: trunk/LayoutTests/mhtml/shared_buffer_bug-expected.txt (0 => 131315)


--- trunk/LayoutTests/mhtml/shared_buffer_bug-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/mhtml/shared_buffer_bug-expected.txt	2012-10-15 17:25:58 UTC (rev 131315)
@@ -0,0 +1,2 @@
+This is a test for a bug in SharedBuffer.
+
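Review bot: the expectation contains only the first sentence, which means the test passes only when style.css was applied and hid the h1 (its text then drops out of the dump). Stating that condition in the test body itself, e.g. "PASS if the heading below is not shown", would make a failing run self-explanatory instead of requiring a diff of the whole mhtml.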

Added: trunk/LayoutTests/mhtml/shared_buffer_bug.mht (0 => 131315)


--- trunk/LayoutTests/mhtml/shared_buffer_bug.mht	                        (rev 0)
+++ trunk/LayoutTests/mhtml/shared_buffer_bug.mht	2012-10-15 17:25:58 UTC (rev 131315)
@@ -0,0 +1,176 @@
+From: <Saved by WebKit>
+Subject:
+Date: Sat, 12 Oct 2012 10:15:17 -0700
+MIME-Version: 1.0
+Content-Type: multipart/related;
+	type="text/html";
+	boundary="----=_NextPart_000_7387_D22A981E.ADD1887E"
+
+------=_NextPart_000_7387_D22A981E.ADD1887E
+Content-Type: text/html
+Content-Transfer-Encoding: quoted-printable
+Content-Location: http://localhost/sharred_buffer_bug.html
+
+<html><head><meta charset=3D"ISO-8859-1">
+<link rel=3D"stylesheet" type=3D"text/css" href=""
+es/style.css">
+<script>
+if (window.testRunner) {
+  testRunner.dumpAsText();
+}
+</script>
+
+</head>
+
+<body>
+  This is a test for a bug in SharedBuffer.
+  <h1>This text should not be shown</h1>
+
+
+
+</body></html>
+------=_NextPart_000_7387_D22A981E.ADD1887E
+Content-Type: text/css
+Content-Transfer-Encoding: quoted-printable
+Content-Location: http://localhost/resources/style.css
+
+/*
+The point is to reach a size of n * 4096 bytes (with n > 1)
+followed by a blank line to trigger a bug in SharredBuffer.
+
+Let's go:
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+*/
+
+
+h1 { visibility: hidden; }
+
+------=_NextPart_000_7387_D22A981E.ADD1887E--
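Review bot: the trigger depends on the decoded CSS part ending exactly on a multiple of 4096 bytes, as the comment at the top of style.css says, but nothing in the file states the intended byte count, so a CRLF/LF normalisation or a trailing-whitespace trim on checkout would move the part off the boundary and the test would keep passing without exercising the bug; recording the required size in that comment would let a future editor check it. Separately, the `<link>` as rendered here reads `href=""` followed by `es/style.css"`, which looks like a quoted-printable soft line break lost in transit; worth confirming that the checked-in file carries the full URL matching the Content-Location `http://localhost/resources/style.css`, since otherwise the stylesheet never loads and the h1 is shown for the wrong reason. `sharred_buffer_bug.html` in the HTML part's Content-Location and `SharredBuffer` in the comment are also misspelled.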

Modified: trunk/Source/WebCore/ChangeLog (131314 => 131315)


--- trunk/Source/WebCore/ChangeLog	2012-10-15 17:15:34 UTC (rev 131314)
+++ trunk/Source/WebCore/ChangeLog	2012-10-15 17:25:58 UTC (rev 131315)
@@ -1,3 +1,15 @@
+2012-10-15  Jay Civelli  <jcive...@chromium.org>
+
+        Calling WebCore::SharedBuffer::append(data, 0) on a shared buffer when
+        its current position is at a segment boundary (4096) ends up adding an
+        unitialized segment (with uninitialized memory) to the SharedBuffer.
+        https://bugs.webkit.org/show_bug.cgi?id=99000
+
+        Reviewed by Adam Barth.
+
+        * platform/SharedBuffer.cpp:
+        (WebCore::SharedBuffer::append):
+
 2012-10-15  Luke Macpherson   <macpher...@chromium.org>
 
         Make CSS variable names case-insensitive.
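Review bot: same spelling slip as in the LayoutTests ChangeLog: "unitialized" should be "uninitialized".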

Modified: trunk/Source/WebCore/platform/SharedBuffer.cpp (131314 => 131315)


--- trunk/Source/WebCore/platform/SharedBuffer.cpp	2012-10-15 17:15:34 UTC (rev 131314)
+++ trunk/Source/WebCore/platform/SharedBuffer.cpp	2012-10-15 17:25:58 UTC (rev 131315)
@@ -148,6 +148,8 @@
 void SharedBuffer::append(const char* data, unsigned length)
 {
     ASSERT(!m_purgeableBuffer);
+    if (!length)
+        return;
 
     maybeTransferPlatformData();
     
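Review bot: the early return is correctly placed after `ASSERT(!m_purgeableBuffer)` so the invariant is still checked, but it deserves a comment saying why a zero-length append must bail out: per the log message, when `length` is 0 and the write position sits on a segment boundary the code below allocates and appends a fresh segment that nothing is ever copied into, and later reads at that offset hit uninitialized memory. A line such as `// A zero-length append at a segment boundary would otherwise add an empty, uninitialized segment.` above the check would save the next reader a trip to bug 99000.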