Changeset 219385 in webkit


Timestamp:
Jul 12, 2017 12:02:25 AM (7 years ago)
Author:
Carlos Garcia Campos
Message:

[GTK] Crashes in WebCore::PasteboardHelper::fillSelectionData when source file of drag is unavailable
https://bugs.webkit.org/show_bug.cgi?id=174161

Reviewed by Michael Catanzaro.

It seems selection data could contain an empty string, in which case gtk_selection_data_get_data() returns a
valid pointer, but gtk_selection_data_get_length() returns 0. When this happens we end up trying to split an
empty string resulting in an empty vector, but we unconditionally access the first element of the vector.

  • platform/gtk/PasteboardHelper.cpp:

(WebCore::selectionDataToUTF8String): Return a null string in case selection data length is 0.
(WebCore::PasteboardHelper::fillSelectionData): Return early if selection data length is 0, instead of checking
the selection data pointer.
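The failure mode the message describes, an empty-but-non-null selection whose split yields an empty vector that is then indexed unconditionally, modelled as an added illustration that is not WebKit's code: `SelectionData`, `splitLines`, `fillSelectionUnsafe` and `fillSelectionFixed` are stand-ins constructed for this example, not the GTK or WebCore APIs.

```cpp
// Added illustration of the bug class in changeset 219385; not WebKit code.
// SelectionData stands in for GtkSelectionData, splitLines for the line
// splitting done in PasteboardHelper, and the two fill* functions for the
// before/after shape of fillSelectionData. All names here are constructed.
#include <cstddef>
#include <cstring>
#include <stdexcept>
#include <string>
#include <vector>

// Like GtkSelectionData, the data pointer can be valid while the length is 0
// (an empty selection). A length of -1 models a selection that was never
// retrieved, which gtk_selection_data_get_length() also reports as -1.
struct SelectionData {
    const char* data;
    int length;
};

SelectionData makeSelection(const char* text)
{
    return SelectionData { text, static_cast<int>(std::strlen(text)) };
}

// Split `length` bytes on '\n', dropping a trailing '\r' and empty lines.
// Empty input (or a negative length) produces an empty vector.
std::vector<std::string> splitLines(const char* data, int length)
{
    std::vector<std::string> lines;
    if (!data || length <= 0)
        return lines;
    std::string text(data, static_cast<size_t>(length));
    size_t start = 0;
    while (start < text.size()) {
        size_t end = text.find('\n', start);
        if (end == std::string::npos)
            end = text.size();
        std::string line = text.substr(start, end - start);
        if (!line.empty() && line.back() == '\r')
            line.pop_back();
        if (!line.empty())
            lines.push_back(line);
        start = end + 1;
    }
    return lines;
}

// Before the fix: only the pointer is checked. An empty selection has a
// non-null pointer, so the empty vector is indexed. The original used
// operator[] (out-of-bounds read); at() is used here so the defect surfaces
// as an exception instead of undefined behaviour.
bool fillSelectionUnsafe(const SelectionData& sel, std::string& firstLine)
{
    if (!sel.data)
        return false;
    std::vector<std::string> lines = splitLines(sel.data, sel.length);
    firstLine = lines.at(0); // BUG: no size check
    return true;
}

// After the fix: guard on the length, as the changeset does. Using <= 0 also
// covers the -1 "not retrieved" case, and the emptiness check guards the
// index itself, so whitespace-only input is handled as well.
bool fillSelectionFixed(const SelectionData& sel, std::string& firstLine)
{
    if (sel.length <= 0)
        return false;
    std::vector<std::string> lines = splitLines(sel.data, sel.length);
    if (lines.empty())
        return false;
    firstLine = lines[0];
    return true;
}

// Demonstrates that the pre-fix logic fails on an empty selection.
bool unsafeThrowsOnEmpty()
{
    std::string out;
    try {
        fillSelectionUnsafe(makeSelection(""), out);
    } catch (const std::out_of_range&) {
        return true;
    }
    return false;
}
```

The two `fill*` variants differ only in what they test before indexing; the point of the changeset is that a pointer check does not cover the empty-selection case, whereas a length check (plus an emptiness check on the split result) does.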

Location:
trunk/Source/WebCore
Files:
2 edited

  • trunk/Source/WebCore/ChangeLog

    r219384 r219385  
     12017-07-12  Carlos Garcia Campos  <cgarcia@igalia.com>
     2
     3        [GTK] Crashes in WebCore::PasteboardHelper::fillSelectionData when source file of drag is unavailable
     4        https://bugs.webkit.org/show_bug.cgi?id=174161
     5
     6        Reviewed by Michael Catanzaro.
     7
     8        It seems selection data could contain an empty string, in which case gtk_selection_data_get_data() returns a
     9        valid pointer, but gtk_selection_data_get_length() returns 0. When this happens we end up trying to split an
     10        empty string resulting in an empty vector, but we unconditionally access the first element of the vector.
     11
     12        * platform/gtk/PasteboardHelper.cpp:
     13        (WebCore::selectionDataToUTF8String): Return a null string in case selection data length is 0.
     14        (WebCore::PasteboardHelper::fillSelectionData): Return early if selection data length is 0, instead of checking
     15        the selection data pointer.
     16
    1172017-07-11  Carlos Garcia Campos  <cgarcia@igalia.com>
    218
  • trunk/Source/WebCore/platform/gtk/PasteboardHelper.cpp

    r218615 r219385  
    8686static String selectionDataToUTF8String(GtkSelectionData* data)
    8787{
     88    if (!gtk_selection_data_get_length(data))
     89        return String();
     90
    8891    // g_strndup guards against selection data that is not null-terminated.
    8992    GUniquePtr<gchar> markupString(g_strndup(reinterpret_cast<const char*>(gtk_selection_data_get_data(data)), gtk_selection_data_get_length(data)));
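Review bot: the new guard at line 88 only catches a length of exactly 0, but gtk_selection_data_get_length() returns a signed gint that is -1 when the selection was not retrieved; `if (gtk_selection_data_get_length(data) <= 0)` would return the null String in that case too rather than passing a negative length on to g_strndup() at line 92.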
     
    207210void PasteboardHelper::fillSelectionData(GtkSelectionData* data, unsigned /* info */, SelectionData& selection)
    208211{
    209     if (!gtk_selection_data_get_data(data))
     212    if (!gtk_selection_data_get_length(data))
    210213        return;
    211214
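Review bot: swapping the data-pointer check for `!gtk_selection_data_get_length(data)` at line 212 drops the null-pointer guard: a selection with length -1 (not retrieved) carries no data yet passes this test, so `<= 0` is the safer condition here as well. Since the message identifies the unconditional access of the split result's first element as the crash, an emptiness check on that vector before indexing it would also make the function robust regardless of what the selection data reports.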