Changeset 266140 in webkit


Timestamp:
Aug 25, 2020 12:09:16 PM (4 years ago)
Author:
achristensen@apple.com
Message:

Fix read-after-free introduced in r266087
https://bugs.webkit.org/show_bug.cgi?id=215671

  • Modules/fetch/FetchBodyConsumer.cpp:

(WebCore::packageFormData):
Keep the CString in scope while we are using it.

Location:
trunk/Source/WebCore
Files:
2 edited

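--- a/trunk/Source/WebCore/ChangeLog
+++ b/trunk/Source/WebCore/ChangeLog
@@ -1,2 +1,11 @@
+2020-08-25  Alex Christensen  <achristensen@webkit.org>
+
+        Fix read-after-free introduced in r266087
+        https://bugs.webkit.org/show_bug.cgi?id=215671
+
+        * Modules/fetch/FetchBodyConsumer.cpp:
+        (WebCore::packageFormData):
+        Keep the CString in scope while we are using it.
+
 2020-08-25  Andres Gonzalez  <andresg_22@apple.com>
 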
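--- a/trunk/Source/WebCore/Modules/fetch/FetchBodyConsumer.cpp
+++ b/trunk/Source/WebCore/Modules/fetch/FetchBodyConsumer.cpp
@@ -188,11 +188,11 @@
     if (auto multipartBoundary = parseMultipartBoundary(mimeType)) {
         String boundaryWithDashes = makeString("--", *multipartBoundary);
-        const char* boundary = boundaryWithDashes.utf8().data();
-        size_t boundaryLength = strlen(boundary);
-
-        const char* currentBoundary = static_cast<const char*>(memmem(data, length, boundary, boundaryLength));
+        CString boundary = boundaryWithDashes.utf8();
+        size_t boundaryLength = boundary.length();
+
+        const char* currentBoundary = static_cast<const char*>(memmem(data, length, boundary.data(), boundaryLength));
         if (!currentBoundary)
             return nullptr;
-        const char* nextBoundary = static_cast<const char*>(memmem(currentBoundary + boundaryLength, length - (currentBoundary + boundaryLength - data), boundary, boundaryLength));
+        const char* nextBoundary = static_cast<const char*>(memmem(currentBoundary + boundaryLength, length - (currentBoundary + boundaryLength - data), boundary.data(), boundaryLength));
         if (!nextBoundary)
             return nullptr;
@@ -200,5 +200,5 @@
             parseMultipartPart(currentBoundary + boundaryLength, nextBoundary - currentBoundary - boundaryLength - strlen("\r\n"), form.get());
             currentBoundary = nextBoundary;
-            nextBoundary = static_cast<const char*>(memmem(nextBoundary + boundaryLength, length - (nextBoundary + boundaryLength - data), boundary, boundaryLength));
+            nextBoundary = static_cast<const char*>(memmem(nextBoundary + boundaryLength, length - (nextBoundary + boundaryLength - data), boundary.data(), boundaryLength));
         }
     } else if (mimeType && equalIgnoringASCIICase(mimeType->type, "application") && equalIgnoringASCIICase(mimeType->subtype, "x-www-form-urlencoded")) {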
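Review bot: The rewritten search on line 202 can still return a `nextBoundary` that sits immediately after `currentBoundary + boundaryLength` (two boundary markers adjacent or separated by a single byte in an attacker-controlled body), and line 200 then evaluates `nextBoundary - currentBoundary - boundaryLength - strlen("\r\n")`, which wraps to a huge `size_t` unless parseMultipartPart clamps the length against the buffer itself; a guard before that call, `if (static_cast<size_t>(nextBoundary - currentBoundary) < boundaryLength + strlen("\r\n")) return nullptr;`, would make the length non-negative by construction. The lifetime fix on line 190 is correct, but nothing in the code records why the CString must outlive the three memmem calls, so a comment such as `// utf8() returns a temporary CString; keep it alive for the memmem calls below.` would stop a future cleanup from reintroducing the dangling pointer that r266087 had. Neither `boundary` nor `boundaryLength` is reassigned afterwards, so both could be declared `const`. packageFormData's signature and the loop header at line 199 lie outside the hunk, so whether the loop already rejects the adjacent-boundary case cannot be confirmed from here.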