[Webkit-unassigned] [Bug 46695] New: Invalid pointer access & incomplete memcmp in setUpIterator

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Sep 27 21:16:53 PDT 2010


https://bugs.webkit.org/show_bug.cgi?id=46695

           Summary: Invalid pointer access & incomplete memcmp in
                    setUpIterator
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: PC
        OS/Version: Windows XP
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: WebCore Misc.
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: matthew.figg at hotmail.com


The setUpIterator function in WebCore/platform/text/qt/TextBreakIteratorQt.cpp:53 has two problems:

    TextBreakIterator* setUpIterator(TextBreakIterator& iterator, QTextBoundaryFinder::BoundaryType type, const UChar* string, int length)
    {
        if (!string || !length)
            return 0;

        if (iterator.isValid() && type == iterator.type() && length == iterator.length
            && memcmp(string, iterator.string, length) == 0) {
            iterator.toStart();
            return &iterator;
        }

        iterator = TextBreakIterator(type, string, length);

        return &iterator;
    }

1) The memcmp doesn't compare the entire string.  It should instead be memcmp(string, iterator.string, length * sizeof(UChar))

This is easily proven by loading the following webpage.  The iterator is reused for all inputs:

<html>
  <body>
    <input value="search0"/>
    <input value="search1"/>
    <input value="search2"/>
    <input value="search3"/>
    <input value="search4"/>
    <input value="search5"/>
    <input value="search6"/>
    <input value="search7"/>
    <input value="search8"/>
    <input value="search9"/>
  </body>
</html>

2) The iterator.string is sometimes freed between calls.  If the iterator is valid, the type is the same and the length is the same, it ends up comparing the string to random memory and potentially (if the random memory matches) returning an iterator with the invalid string pointer.  I'm not sure if this could cause larger issues further downstream?

This bug was introduced when fixing https://bugs.webkit.org/show_bug.cgi?id=39958 - See http://trac.webkit.org/changeset/60847/trunk/WebCore/platform/text/qt/TextBreakIteratorQt.cpp

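As an added illustration of both points (this is not code from the report or from WebKit): `sameStringBuggy` reproduces the short memcmp, `sameStringFixed` applies the reporter's byte-count correction, and `CachedIterator` / `setUpIteratorSafe` are an assumed owning-copy variant that shows why a cache holding a bare pointer to caller-owned text cannot be compared safely.

```cpp
#include <cstdint>
#include <cstring>
#include <vector>

typedef uint16_t UChar;  // WebKit's UTF-16 code unit

static std::vector<UChar> toUChars(const char* ascii) {
    std::vector<UChar> out;
    for (; *ascii; ++ascii)
        out.push_back(static_cast<unsigned char>(*ascii));
    return out;
}

// Issue 1 as in the bug: `length` counts UChars but memcmp takes bytes,
// so only the first length/2 code units are actually compared.
static bool sameStringBuggy(const UChar* a, const UChar* b, int length) {
    return memcmp(a, b, length) == 0;
}

// The reporter's fix: scale the UChar count to a byte count.
static bool sameStringFixed(const UChar* a, const UChar* b, int length) {
    return memcmp(a, b, length * sizeof(UChar)) == 0;
}

// Issue 2 mitigation (assumed here, not WebKit's patch): the cache owns a
// copy of the text rather than a pointer into memory the caller may free.
struct CachedIterator {
    std::vector<UChar> text;
    bool matches(const UChar* s, int length) const {
        return !text.empty() && static_cast<int>(text.size()) == length
            && memcmp(s, text.data(), length * sizeof(UChar)) == 0;
    }
};

// Returns true on a cache hit (iterator reused), false when it was rebuilt.
static bool setUpIteratorSafe(CachedIterator& it, const UChar* s, int length) {
    if (!s || !length) return false;
    if (it.matches(s, length)) return true;
    it.text.assign(s, s + length);
    return false;
}

// "search0" vs "search1": 7 bytes cover only 's',0,'e',0,'a',0,'r', so the
// buggy compare reports a match; the fixed one reaches the last code unit.
bool buggyCompareConflates() {
    std::vector<UChar> a = toUChars("search0"), b = toUChars("search1");
    return sameStringBuggy(a.data(), b.data(), 7) && !sameStringFixed(a.data(), b.data(), 7);
}

// Caller rewrites its buffer in place (stand-in for free-and-reuse); the owning
// cache hits on identical text and rebuilds once the text changes.
bool ownedCopyDetectsChangedBuffer() {
    CachedIterator it;
    std::vector<UChar> buf = toUChars("search0");
    bool first = setUpIteratorSafe(it, buf.data(), 7);   // rebuild
    bool second = setUpIteratorSafe(it, buf.data(), 7);  // hit
    buf[6] = '1';                                         // now "search1"
    bool third = setUpIteratorSafe(it, buf.data(), 7);   // rebuild
    return !first && second && !third;
}
```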