[Webkit-unassigned] [Bug 53617] New: uint64_t to size_t conversion can lead to unexpected behavior in CoreIPC
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Wed Feb 2 12:17:20 PST 2011
https://bugs.webkit.org/show_bug.cgi?id=53617
Summary: uint64_t to size_t conversion can lead to unexpected
behavior in CoreIPC
Product: WebKit
Version: 528+ (Nightly build)
Platform: All
OS/Version: All
Status: NEW
Keywords: NeedsRadar
Severity: Normal
Priority: P2
Component: WebKit2
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: aroben at apple.com
CC: darin at apple.com, andersca at apple.com
If a function like ArgumentDecoder::decodeBytes [1] decodes a size greater than std::numeric_limits<size_t>::max(), we'll end up calling buffer.resize(0) and then trying to memcpy 0 bytes into the null buffer. This is very strange behavior, and probably unexpected.
It would likely be better to detect the overflow and just bail out.
1. http://trac.webkit.org/browser/trunk/Source/WebKit2/Platform/CoreIPC/ArgumentDecoder.cpp?rev=77378#L95
--
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
More information about the webkit-unassigned
mailing list