[Webkit-unassigned] [Bug 54091] New: [EFL] Possible crash of ewk_frame_contents_set

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Feb 9 04:46:35 PST 2011


https://bugs.webkit.org/show_bug.cgi?id=54091

           Summary: [EFL] Possible crash of ewk_frame_contents_set
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: PC
        OS/Version: Mac OS X 10.5
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: WebKit EFL
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: ryuan.choi at samsung.com


If ewk_frame_contents_set is called with a negative value as contents_size (3rd parameter), the application will crash as shown below.
(I just called ewk_frame_contents_set(ewk_view_frame_main_get(app->browser), "hello", -1, NULL, NULL, NULL);)

#0  0x02181151 in memcpy () from /lib/tls/i686/cmov/libc.so.6
#1  0x00a0c630 in WebCore::SharedBuffer::append(char const*, unsigned int) ()
   from /workspace/webkit/build2/WebKit/libewebkit.so.0
#2  0x00714973 in _ewk_frame_contents_set_internal(Ewk_Frame_Smart_Data*, char const*, unsigned int, char const*, char const*, char const*, char const*) () from /workspace/webkit/build2/WebKit/libewebkit.so.0

Because contents_size is size_t, an overflow occurred.

Although contents_size should be size_t, I believe that it should not crash.

I think that there are two options.
1) Remove contents_size and use strlen(contents).
    This will change the API.
2) Choose strlen(contents) if contents_size is zero or bigger than strlen(contents).

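Added example (not part of the bug report or of the WebKit EFL sources): a hypothetical length-resolution helper implementing the reporter's option 2, plus a minimal stand-in for the SharedBuffer::append copy, showing that a caller's -1, which arrives as a huge size_t, is clamped to strlen(contents) instead of driving memcpy off the end of the source string. Function names and the copy helper are assumptions for illustration.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper implementing the report's option 2: the caller-supplied
 * size is honoured only when it is non-zero and not larger than the
 * NUL-terminated length of contents; otherwise strlen(contents) is used.
 * A negative int passed by the caller has already been converted to a huge
 * size_t by the time it gets here ((size_t)-1 == SIZE_MAX), which is exactly
 * the case this clamp catches. */
size_t resolve_contents_size(const char *contents, size_t contents_size)
{
    if (!contents)
        return 0;
    size_t actual = strlen(contents);
    if (contents_size == 0 || contents_size > actual)
        return actual;
    return contents_size;
}

/* Hypothetical stand-in for the SharedBuffer::append step in the backtrace:
 * copies the resolved number of bytes into a fresh NUL-terminated heap buffer
 * and returns how many bytes were copied (0 on allocation failure or NULL
 * input). With the clamp above, memcpy never reads past the source string. */
size_t copy_contents(const char *contents, size_t contents_size, char **out)
{
    *out = NULL;
    size_t n = resolve_contents_size(contents, contents_size);
    if (!contents)
        return 0;
    *out = malloc(n + 1);
    if (!*out)
        return 0;
    memcpy(*out, contents, n);
    (*out)[n] = '\0';
    return n;
}
```

Note that option 2 only works for NUL-terminated string data: if contents may contain embedded NUL bytes, strlen under-counts and the clamp silently truncates, so binary payloads still need a trustworthy explicit length.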