Changeset 206126 in webkit
- Timestamp:
- Sep 19, 2016 4:05:11 PM (8 years ago)
- Location:
- trunk
- Files:
-
- 4 edited
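--- a/trunk/Source/WebCore/ChangeLog
+++ b/trunk/Source/WebCore/ChangeLog
@@ -1,2 +1,17 @@
+2016-09-19 Alex Christensen <achristensen@webkit.org>
+
+URLParser can read memory out of bounds
+https://bugs.webkit.org/show_bug.cgi?id=162206
+
+Reviewed by Geoff Garen.
+
+Covered by new API tests.
+URLParser is disabled by default still.
+
+* platform/URLParser.cpp:
+(WebCore::parseIPv4Host):
+If there are fewer than two numbers in an ipv4 address, we would subtract two from the Vector's size,
+causing us to read memory up to std::numeric_limits<size_t>::max() - 2. Added a bounds check and many tests.
+
 2016-09-19 Alex Christensen <achristensen@webkit.org>
 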
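--- a/trunk/Source/WebCore/platform/URLParser.cpp
+++ b/trunk/Source/WebCore/platform/URLParser.cpp
@@ -1770,7 +1770,9 @@
 if (!items.size() || items.size() > 4)
 return Nullopt;
-for (size_t i = 0; i < items.size() - 2; i++) {
-if (items[i] > 255)
-return Nullopt;
+if (items.size() > 2) {
+for (size_t i = 0; i < items.size() - 2; i++) {
+if (items[i] > 255)
+return Nullopt;
+}
 }
 if (items[items.size() - 1] >= pow256(5 - items.size()))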
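Review bot: The loop bound `items.size() - 2` is still an unsigned subtraction, and it is safe only because of the new enclosing `if (items.size() > 2)`. Writing the condition additively, `for (size_t i = 0; i + 2 < items.size(); i++) {`, cannot wrap for any size and makes the extra nesting level unnecessary. With this bound the loop also skips the second-to-last item. Whether that item is range-checked elsewhere in parseIPv4Host is not visible here, since the function starts and ends outside the hunk, so it is worth confirming or stating in a comment.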
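--- a/trunk/Tools/ChangeLog
+++ b/trunk/Tools/ChangeLog
@@ -1,2 +1,12 @@
+2016-09-19 Alex Christensen <achristensen@webkit.org>
+
+URLParser can read memory out of bounds
+https://bugs.webkit.org/show_bug.cgi?id=162206
+
+Reviewed by Geoff Garen.
+
+* TestWebKitAPI/Tests/WebCore/URLParser.cpp:
+(TestWebKitAPI::TEST_F):
+
 2016-09-19 Daniel Bates <dabates@apple.com>
 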
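--- a/trunk/Tools/TestWebKitAPI/Tests/WebCore/URLParser.cpp
+++ b/trunk/Tools/TestWebKitAPI/Tests/WebCore/URLParser.cpp
@@ -208,4 +208,7 @@
 checkURL("notspecial:", {"notspecial", "", "", "", 0, "", "", "", "notspecial:"});
 checkURL("http:/a", {"http", "", "", "a", 0, "/", "", "", "http://a/"});
+checkURL("http://256/", {"http", "", "", "256", 0, "/", "", "", "http://256/"});
+checkURL("http://256./", {"http", "", "", "256.", 0, "/", "", "", "http://256./"});
+checkURL("http://123.256/", {"http", "", "", "123.256", 0, "/", "", "", "http://123.256/"});
 // FIXME: Fix and add a test with an invalid surrogate pair at the end with a space as the second code unit.
 
@@ -509,4 +512,19 @@
 {"http", "`{}", "`{}", "h", 0, "/%60%7B%7D", "`{}", "", "http://%60%7B%7D:%60%7B%7D@h/%60%7B%7D?`{}"},
 {"", "", "", "", 0, "", "", "", "http://`{}:`{}@h/`{}?`{}"});
+checkURLDifferences("http://[0:f::f::f]",
+{"", "", "", "", 0, "" , "", "", "http://[0:f::f::f]"},
+{"http", "", "", "[0:f::f::f]", 0, "/" , "", "", "http://[0:f::f::f]/"});
+checkURLDifferences("http://123",
+{"http", "", "", "0.0.0.123", 0, "/", "", "", "http://0.0.0.123/"},
+{"http", "", "", "123", 0, "/", "", "", "http://123/"});
+checkURLDifferences("http://123.234/",
+{"http", "", "", "123.0.0.234", 0, "/", "", "", "http://123.0.0.234/"},
+{"http", "", "", "123.234", 0, "/", "", "", "http://123.234/"});
+checkURLDifferences("http://123.234.012",
+{"http", "", "", "123.234.0.10", 0, "/", "", "", "http://123.234.0.10/"},
+{"http", "", "", "123.234.012", 0, "/", "", "", "http://123.234.012/"});
+checkURLDifferences("http://123.234.12",
+{"http", "", "", "123.234.0.12", 0, "/", "", "", "http://123.234.0.12/"},
+{"http", "", "", "123.234.12", 0, "/", "", "", "http://123.234.12/"});
 }
 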
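Review bot: The three new `checkURL` cases in the first hunk carry no comment saying why one- and two-component hosts are being pinned. A line above them such as `// Hosts with one or two numeric components: https://bugs.webkit.org/show_bug.cgi?id=162206` would tie them to the out-of-bounds read they guard against. Because the defect was a read past the end of a Vector rather than a wrong parse result, these cases presumably catch a regression only in builds with bounds assertions or a memory sanitizer enabled. That is not visible on this page and is worth confirming for the configuration that runs TestWebKitAPI. Both test functions start and end outside the hunks.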