Changeset 206126 in webkit


Timestamp:
Sep 19, 2016 4:05:11 PM
Author:
achristensen@apple.com
Message:

URLParser can read memory out of bounds
https://bugs.webkit.org/show_bug.cgi?id=162206

Reviewed by Geoff Garen.

Source/WebCore:

Covered by new API tests.
URLParser is disabled by default still.

  • platform/URLParser.cpp:

(WebCore::parseIPv4Host):
If there are fewer than two numbers in an ipv4 address, we would subtract two from the Vector's size,
causing us to read memory up to std::numeric_limits<size_t>::max() - 2. Added a bounds check and many tests.

Tools:

  • TestWebKitAPI/Tests/WebCore/URLParser.cpp:

(TestWebKitAPI::TEST_F):
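As an added illustration (not WebKit's code) of the unsigned-arithmetic failure the message describes, the following C++ models the pre-fix loop bound and a parser shape that avoids the subtraction altogether. The names `unguardedLoopBound`, `combineIPv4Parts`, `dottedQuad` and the local `pow256` are assumptions made here, not WebKit's helpers, and the combination rule follows the URL Standard's IPv4 parser rather than reproducing the WebKit function.

```cpp
#include <cstddef>
#include <cstdint>
#include <limits>
#include <optional>
#include <string>
#include <vector>

// Added illustration, not WebKit's URLParser.cpp. It models the unsigned
// arithmetic behind bug 162206 and a parser shape that cannot underflow.

// The pre-fix loop bound, items.size() - 2, computed in size_t. This helper
// only returns the value; it never indexes any memory.
size_t unguardedLoopBound(size_t itemCount)
{
    return itemCount - 2; // for itemCount < 2 this wraps to near SIZE_MAX
}

// 256^exponent as a 64-bit value (exponent is at most 4 here).
// Local reimplementation, assumed for this example.
static uint64_t pow256(size_t exponent)
{
    uint64_t result = 1;
    for (size_t i = 0; i < exponent; ++i)
        result *= 256;
    return result;
}

// Combine 1..4 already-parsed numeric parts into a 32-bit IPv4 address,
// following the URL Standard's IPv4 parser: every part except the last must
// fit in one octet, and the last part must be below 256^(5 - count).
// The loop bound is written as `i + 1 < items.size()` so that no subtraction
// on an unsigned size ever takes place, whatever the item count.
std::optional<uint32_t> combineIPv4Parts(const std::vector<uint64_t>& items)
{
    if (items.empty() || items.size() > 4)
        return std::nullopt;
    for (size_t i = 0; i + 1 < items.size(); ++i) {
        if (items[i] > 255)
            return std::nullopt;
    }
    uint64_t last = items.back();
    // 5 - items.size() cannot wrap: sizes above 4 were rejected above.
    if (last >= pow256(5 - items.size()))
        return std::nullopt;
    uint64_t address = last;
    for (size_t i = 0; i + 1 < items.size(); ++i)
        address += items[i] * pow256(3 - i); // i <= 2 here, so 3 - i is safe
    return static_cast<uint32_t>(address);
}

// Dotted-quad rendering, for comparing against the hosts the tests expect.
std::string dottedQuad(uint32_t address)
{
    return std::to_string(address >> 24) + "." + std::to_string((address >> 16) & 0xff) + "."
        + std::to_string((address >> 8) & 0xff) + "." + std::to_string(address & 0xff);
}
```

With a single part, `unguardedLoopBound(1)` is `SIZE_MAX`, which is the bound the original loop ran to; WebKit's patch instead wraps the loop in `if (items.size() > 2)`. Rewriting `i < n - k` as `i + k < n` reaches the same result without a separate guard and is the form to look for when reviewing similar loops over unsigned sizes.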

Location:
trunk
Files:
4 edited

  • trunk/Source/WebCore/ChangeLog

    r206125 r206126  
     12016-09-19  Alex Christensen  <achristensen@webkit.org>
     2
     3        URLParser can read memory out of bounds
     4        https://bugs.webkit.org/show_bug.cgi?id=162206
     5
     6        Reviewed by Geoff Garen.
     7
     8        Covered by new API tests.
     9        URLParser is disabled by default still.
     10
     11        * platform/URLParser.cpp:
     12        (WebCore::parseIPv4Host):
     13        If there are fewer than two numbers in an ipv4 address, we would subtract two from the Vector's size,
     14        causing us to read memory up to std::numeric_limits<size_t>::max() - 2.  Added a bounds check and many tests.
     15
    1162016-09-19  Alex Christensen  <achristensen@webkit.org>
    217
  • trunk/Source/WebCore/platform/URLParser.cpp

    r206125 r206126  
    17701770    if (!items.size() || items.size() > 4)
    17711771        return Nullopt;
    1772     for (size_t i = 0; i < items.size() - 2; i++) {
    1773         if (items[i] > 255)
    1774             return Nullopt;
     1772    if (items.size() > 2) {
     1773        for (size_t i = 0; i < items.size() - 2; i++) {
     1774            if (items[i] > 255)
     1775                return Nullopt;
     1776        }
    17751777    }
    17761778    if (items[items.size() - 1] >= pow256(5 - items.size()))
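Review bot: the new `if (items.size() > 2)` guard stops the size_t underflow, but the loop bound `items.size() - 2` still leaves the second-to-last part unchecked against 255 (with two parts that is items[0], with four parts items[2]), and the only check on the final part is the `>= pow256(5 - items.size())` test on the following line. If that is intended, a one-line comment would help; otherwise writing the loop as `for (size_t i = 0; i + 1 < items.size(); i++)` removes the need for the guard and checks every part but the last. A comment that `5 - items.size()` relies on the `> 4` rejection two lines above would also make the arithmetic reviewable in isolation.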
  • trunk/Tools/ChangeLog

    r206119 r206126  
     12016-09-19  Alex Christensen  <achristensen@webkit.org>
     2
     3        URLParser can read memory out of bounds
     4        https://bugs.webkit.org/show_bug.cgi?id=162206
     5
     6        Reviewed by Geoff Garen.
     7
     8        * TestWebKitAPI/Tests/WebCore/URLParser.cpp:
     9        (TestWebKitAPI::TEST_F):
     10
    1112016-09-19  Daniel Bates  <dabates@apple.com>
    212
  • trunk/Tools/TestWebKitAPI/Tests/WebCore/URLParser.cpp

    r206042 r206126  
    208208    checkURL("notspecial:", {"notspecial", "", "", "", 0, "", "", "", "notspecial:"});
    209209    checkURL("http:/a", {"http", "", "", "a", 0, "/", "", "", "http://a/"});
     210    checkURL("http://256/", {"http", "", "", "256", 0, "/", "", "", "http://256/"});
     211    checkURL("http://256./", {"http", "", "", "256.", 0, "/", "", "", "http://256./"});
     212    checkURL("http://123.256/", {"http", "", "", "123.256", 0, "/", "", "", "http://123.256/"});
    210213    // FIXME: Fix and add a test with an invalid surrogate pair at the end with a space as the second code unit.
    211214
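Review bot: the three new `checkURL` cases expect "256", "256." and "123.256" to be kept as written rather than turned into dotted quads, while the `checkURLDifferences` cases in the second hunk of this file canonicalise "123" and "123.234". Since the last-part check in parseIPv4Host is `>= pow256(5 - items.size())`, which admits 256 for one or two parts, a short comment stating which earlier step rejects these hosts would make the intended behaviour clear from the test alone.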
     
    509512        {"http", "`{}", "`{}", "h", 0, "/%60%7B%7D", "`{}", "", "http://%60%7B%7D:%60%7B%7D@h/%60%7B%7D?`{}"},
    510513        {"", "", "", "", 0, "", "", "", "http://`{}:`{}@h/`{}?`{}"});
     514    checkURLDifferences("http://[0:f::f::f]",
     515        {"", "", "", "", 0, "" , "", "", "http://[0:f::f::f]"},
     516        {"http", "", "", "[0:f::f::f]", 0, "/" , "", "", "http://[0:f::f::f]/"});
     517    checkURLDifferences("http://123",
     518        {"http", "", "", "0.0.0.123", 0, "/", "", "", "http://0.0.0.123/"},
     519        {"http", "", "", "123", 0, "/", "", "", "http://123/"});
     520    checkURLDifferences("http://123.234/",
     521        {"http", "", "", "123.0.0.234", 0, "/", "", "", "http://123.0.0.234/"},
     522        {"http", "", "", "123.234", 0, "/", "", "", "http://123.234/"});
     523    checkURLDifferences("http://123.234.012",
     524        {"http", "", "", "123.234.0.10", 0, "/", "", "", "http://123.234.0.10/"},
     525        {"http", "", "", "123.234.012", 0, "/", "", "", "http://123.234.012/"});
     526    checkURLDifferences("http://123.234.12",
     527        {"http", "", "", "123.234.0.12", 0, "/", "", "", "http://123.234.0.12/"},
     528        {"http", "", "", "123.234.12", 0, "/", "", "", "http://123.234.12/"});
    511529}
    512530
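Review bot: `http://123` is the single-part input whose loop bound previously underflowed, and `http://123.234` the two-part one; a comment naming bug 162206 beside them would keep these from being trimmed as duplicates of the canonicalisation cases. The `http://123.234.012` case also documents leading-zero octal handling (012 becoming 10) without saying so; spelling that out in a comment helps the next reader.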