[Webkit-unassigned] [Bug 27381] New: WinLauncher Crash with File URLs
bugzilla-daemon at webkit.org
Fri Jul 17 11:20:23 PDT 2009
https://bugs.webkit.org/show_bug.cgi?id=27381
Summary: WinLauncher Crash with File URLs
Product: WebKit
Version: 528+ (Nightly build)
Platform: PC
OS/Version: Windows XP
Status: NEW
Severity: Normal
Priority: P2
Component: WebKit Misc.
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: bfulgham at webkit.org
Attempting to open a file URL in WinLauncher (e.g.,
C:\Cygwin\tmp\layout-test-results\results.html) will result in a crash in
FastAlloc. This is happening because it is trying to allocate an enormous
number of bytes (e.g., 174266262).
The problem is caused by this section of code:

    BSTR urlBStr = ...
    TCHAR fileURL[INTERNET_MAX_URL_LENGTH];
    DWORD fileURLLength = sizeof(fileURL)/sizeof(fileURL[0]);
    if (SUCCEEDED(UrlCreateFromPath(urlBStr, fileURL, &fileURLLength, 0)))
        urlBStr = fileURL;

It is attempting to assign a TCHAR (generally a UNICODE string) to a BSTR.
While the compiler allows this, the BSTR loses the size value that should be
prepended to the string. Later on, in MarshallingHelpers.cpp we attempt this
code:

    KURL MarshallingHelpers::BSTRToKURL(BSTR urlStr)
    {
        return KURL(KURL(), String(urlStr, SysStringLen(urlStr)));
    }

The call to SysStringLen attempts to interpret the first four bytes of the
UNICODE value as a string length, which in the test case results in a size
that is larger than available memory.
Fix is attached.
--
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
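The length-prefix mismatch described in this report, as an added example that is not part of the original bug report or its attached fix: a portable C model (no Windows headers) of a BSTR, whose byte count is stored in the 4 bytes immediately before the character pointer. `model_SysStringLen`, `model_SysAllocString`, the sample URL and the `neighbour` value are constructed stand-ins, and allocating a real length-prefixed string is one assumed way to correct the assignment.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef uint16_t wchar16;   /* stand-in for the 16-bit Windows WCHAR */
static const wchar16 SAMPLE_URL[] = {'f','i','l','e',':','/','/','/','C',':','/','t','m','p',0}; /* constructed */

/* Model of SysStringLen: byte count is read from the 4 bytes before the pointer. */
static uint32_t model_SysStringLen(const wchar16 *bstr) {
    uint32_t bytes = 0;
    if (bstr) memcpy(&bytes, bstr - 2, sizeof bytes);
    return bytes / (uint32_t)sizeof(wchar16);
}

/* Model of SysAllocString: copy a NUL-terminated string behind a length prefix. */
static wchar16 *model_SysAllocString(const wchar16 *src) {
    uint32_t n = 0, bytes;
    wchar16 *block;
    while (src[n]) n++;
    bytes = n * (uint32_t)sizeof(wchar16);
    block = malloc(4 + bytes + sizeof(wchar16));   /* prefix + chars + NUL */
    if (!block) return NULL;
    memcpy(block, &bytes, 4);
    memcpy(block + 2, src, bytes + sizeof(wchar16));
    return block + 2;                              /* a BSTR points past its prefix */
}

/* The bug: a plain buffer has no prefix; `neighbour` (constructed) is the 4 bytes before it. */
static uint32_t length_of_plain_buffer(uint32_t neighbour, const wchar16 *url) {
    wchar16 mem[2 + 64] = {0};            /* [4 neighbour bytes][fileURL] */
    memcpy(mem, &neighbour, 4);
    for (uint32_t i = 0; i < 63 && url[i]; i++) mem[2 + i] = url[i];
    return model_SysStringLen(mem + 2);   /* same effect as: urlBStr = fileURL; */
}

/* Hardened form: allocate a real length-prefixed string from the buffer first. */
static uint32_t length_of_real_bstr(const wchar16 *url) {
    wchar16 *b = model_SysAllocString(url);
    uint32_t n = model_SysStringLen(b);
    if (b) free(b - 2);
    return n;
}

int main(void) {
    printf("plain buffer: %u code units\n", (unsigned)length_of_plain_buffer(0x10000000u, SAMPLE_URL));
    printf("real BSTR:    %u code units\n", (unsigned)length_of_real_bstr(SAMPLE_URL));
    return 0;
}
```

The reported length of the plain buffer depends only on the adjacent bytes, never on the URL itself, which is why the allocation size in the crash looks arbitrary.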