[webkit-changes] [WebKit/WebKit] 8f96cc: Use-after-free in FormDataConsumer::consume
youennf
noreply at github.com
Wed Oct 30 23:25:20 PDT 2024
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 8f96cc81ef906ace167b247fe77a20461e9dc1f4
https://github.com/WebKit/WebKit/commit/8f96cc81ef906ace167b247fe77a20461e9dc1f4
Author: Youenn Fablet <youenn at apple.com>
Date: 2024-10-30 (Wed, 30 Oct 2024)
Changed paths:
A LayoutTests/fetch/fetch-empty-blob-crash-expected.txt
A LayoutTests/fetch/fetch-empty-blob-crash.html
M Source/WebCore/Modules/fetch/FormDataConsumer.cpp
Log Message:
-----------
Use-after-free in FormDataConsumer::consume
rdar://134411748
Reviewed by Chris Dumez.
FormDataConsumer notifies of end of load with an empty span.
Form data can use blobs as elements, and those blobs may have zero data.
In this case, FormDataConsumer will send an empty span for the zero data and then an empty span for the end of load.
This confuses FetchBodyConsumer which then triggers a UAF.
To prevent this, we update FormDataConsumer to execute the callback when receiving data only if the data is not empty.
An empty span is solely used to convey the end of the load.
* LayoutTests/fetch/fetch-empty-blob-crash-expected.txt: Added.
* LayoutTests/fetch/fetch-empty-blob-crash.html: Added.
* Source/WebCore/Modules/fetch/FormDataConsumer.cpp:
(WebCore::FormDataConsumer::consume):
Originally-landed-as: 280938.254 at safari-7619-branch (76167250cbca). rdar://138929706
Canonical link: https://commits.webkit.org/285945@main
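The commit message describes a callback contract in which an empty span is overloaded: it is both what a zero-length blob element produces and the end-of-load marker. The following is an added illustration, not WebKit's code, that models that contract in a small stand-alone C++ program. `Element`, `BodyConsumer`, `consumeBuggy`, `consumeFixed` and the sample body are all hypothetical stand-ins for FormData elements, FetchBodyConsumer and the two versions of `FormDataConsumer::consume`; the consumer counts callbacks that arrive after it has torn down its state instead of actually touching freed memory.

```cpp
// Added example, not WebKit code: models the span-callback contract described in the
// commit message. A non-empty chunk carries body bytes; an empty chunk means end of load.
#include <cstdio>
#include <functional>
#include <string>
#include <string_view>
#include <vector>

// Hypothetical stand-in for a FormData element: a text part or a blob whose bytes may be empty.
struct Element {
    std::string bytes;
};

using ChunkCallback = std::function<void(std::string_view)>;

// Hypothetical consumer standing in for the fetch-side body consumer. It releases its
// buffer when it sees the end-of-load marker (an empty chunk). Any callback after that is
// the bug condition; here it is counted rather than dereferencing freed state.
struct BodyConsumer {
    std::string buffer;
    bool finished = false;
    int callbacksAfterFinish = 0;

    void onChunk(std::string_view chunk) {
        if (finished) {              // in the real code this path runs against freed state
            ++callbacksAfterFinish;
            return;
        }
        if (chunk.empty()) {         // end-of-load marker
            finished = true;
            buffer.shrink_to_fit();
            return;
        }
        buffer.append(chunk.data(), chunk.size());
    }
};

// Pre-fix behaviour: every element's bytes are forwarded, including a zero-length blob,
// so the consumer sees an empty chunk (its end marker) before the load is actually done.
void consumeBuggy(const std::vector<Element>& elements, const ChunkCallback& callback) {
    for (const auto& element : elements)
        callback(element.bytes);
    callback(std::string_view());    // end of load
}

// Post-fix behaviour: the data callback fires only for non-empty data, so an empty chunk
// is reserved for the end-of-load notification.
void consumeFixed(const std::vector<Element>& elements, const ChunkCallback& callback) {
    for (const auto& element : elements) {
        if (element.bytes.empty())
            continue;                // zero-length blob: nothing to deliver
        callback(element.bytes);
    }
    callback(std::string_view());    // end of load
}

// Constructed body: a text field, an empty blob, and a trailing text field.
std::vector<Element> sampleElements() {
    return { {"field=1"}, {""}, {"&after=2"} };
}

// Runs the sample body through one producer and returns the consumer for inspection.
BodyConsumer runScenario(bool fixed) {
    BodyConsumer consumer;
    ChunkCallback callback = [&consumer](std::string_view chunk) { consumer.onChunk(chunk); };
    if (fixed)
        consumeFixed(sampleElements(), callback);
    else
        consumeBuggy(sampleElements(), callback);
    return consumer;
}

int main() {
    BodyConsumer buggy = runScenario(false);
    BodyConsumer good = runScenario(true);
    std::printf("buggy: buffer=\"%s\" callbacks after finish=%d\n",
                buggy.buffer.c_str(), buggy.callbacksAfterFinish);
    std::printf("fixed: buffer=\"%s\" callbacks after finish=%d\n",
                good.buffer.c_str(), good.callbacksAfterFinish);
    return 0;
}
```

With the buggy producer the consumer finishes after the empty blob, drops the trailing field, and is then called twice more (the trailing data and the real end marker); with the fixed producer it receives the full body and exactly one end-of-load notification. The general lesson is the one the patch applies: when a sentinel value doubles as a legitimate payload, either filter the payload at the producer, as done here, or give the end notification its own signal.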