Context Navigation

← Previous Changeset
Next Changeset →

Changeset 225829 in webkit

Timestamp:

Dec 12, 2017 5:54:26 PM (6 years ago)

Author:

achristensen@apple.com

Message:

Fix possible out-of-bounds read in protocolIsInHTTPFamily
https://bugs.webkit.org/show_bug.cgi?id=180688

Reviewed by Daniel Bates.

Source/WebCore:

It wouldn't read very far out of bounds, and it would just change a bool return value,
but it's still out of bounds. Covered by an API test that ASAN wouldn't like.

platform/URL.cpp:

(WebCore::protocolIsInHTTPFamily):
Check bounds before reading a string.

Tools:

TestWebKitAPI/Tests/WebCore/URL.cpp:

(TestWebKitAPI::TEST_F):

Location:

trunk

Files:

: 4 edited

Source/WebCore/ChangeLog (modified) (1 diff)
Source/WebCore/platform/URL.cpp (modified) (1 diff)
Tools/ChangeLog (modified) (1 diff)
Tools/TestWebKitAPI/Tests/WebCore/URL.cpp (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

trunk/Source/WebCore/ChangeLog

-                      r225828
+                      r225829
+-12-12  Alex Christensen  <achristensen@webkit.org>
+        Fix possible out-of-bounds read in protocolIsInHTTPFamily
+        https://bugs.webkit.org/show_bug.cgi?id=180688
+        Reviewed by Daniel Bates.
+        It wouldn't read very far out of bounds, and it would just change a bool return value,
+        but it's still out of bounds.  Covered by an API test that ASAN wouldn't like.
+        * platform/URL.cpp:
+        (WebCore::protocolIsInHTTPFamily):
+        Check bounds before reading a string.
 -12-12  Youenn Fablet  <youenn@apple.com>

trunk/Source/WebCore/platform/URL.cpp

-                      r225662
+                      r225829
 bool protocolIsInHTTPFamily(const String& url)
+{
+    auto length = url.length();
     // Do the comparison without making a new string object.
+    return isASCIIAlphaCaselessEqual(url[0], 'h')
+    return length >= 5
+        && isASCIIAlphaCaselessEqual(url[0], 'h')
         && isASCIIAlphaCaselessEqual(url[1], 't')
         && isASCIIAlphaCaselessEqual(url[2], 't')
         && isASCIIAlphaCaselessEqual(url[3], 'p')
         && (url[4] == ':' || (isASCIIAlphaCaselessEqual(url[4], 's') && url[5] == ':'));
+        && (url[4] == ':' || (isASCIIAlphaCaselessEqual(url[4], 's') && length >= 6 && url[5] == ':'));
+}

trunk/Tools/ChangeLog

-                      r225824
+                      r225829
+-12-12  Alex Christensen  <achristensen@webkit.org>
+        Fix possible out-of-bounds read in protocolIsInHTTPFamily
+        https://bugs.webkit.org/show_bug.cgi?id=180688
+        Reviewed by Daniel Bates.
+        * TestWebKitAPI/Tests/WebCore/URL.cpp:
+        (TestWebKitAPI::TEST_F):
 -12-12  JF Bastien  <jfbastien@apple.com>

trunk/Tools/TestWebKitAPI/Tests/WebCore/URL.cpp

-                      r222093
+                      r225829
+}
+TEST_F(URLTest, ProtocolIsInHTTPFamily)
+{
+    EXPECT_FALSE(protocolIsInHTTPFamily({}));
+    EXPECT_FALSE(protocolIsInHTTPFamily(""));
+    EXPECT_FALSE(protocolIsInHTTPFamily("a"));
+    EXPECT_FALSE(protocolIsInHTTPFamily("ab"));
+    EXPECT_FALSE(protocolIsInHTTPFamily("abc"));
+    EXPECT_FALSE(protocolIsInHTTPFamily("abcd"));
+    EXPECT_FALSE(protocolIsInHTTPFamily("abcde"));
+    EXPECT_FALSE(protocolIsInHTTPFamily("abcdef"));
+    EXPECT_FALSE(protocolIsInHTTPFamily("abcdefg"));
+    EXPECT_TRUE(protocolIsInHTTPFamily("http:"));
+    EXPECT_FALSE(protocolIsInHTTPFamily("http"));
+    EXPECT_TRUE(protocolIsInHTTPFamily("https:"));
+    EXPECT_FALSE(protocolIsInHTTPFamily("https"));
+    EXPECT_TRUE(protocolIsInHTTPFamily("https://!@#$%^&*()"));
+}
 } // namespace TestWebKitAPI

Note: See TracChangeset for help on using the changeset viewer.