[Webkit-unassigned] [Bug 52791] New: Buffer overrun in WebCore::InspectorBasicValue::writeJSON

[bugzilla-daemon at webkit.org]

https://bugs.webkit.org/show_bug.cgi?id=52791

           Summary: Buffer overrun in
                    WebCore::InspectorBasicValue::writeJSON
           Product: WebKit
           Version: 525.x (Safari 3.2)
          Platform: All
        OS/Version: All
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P1
         Component: Web Inspector
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: m.malecki at samsung.com



Mikołaj Małecki <m.malecki at samsung.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #79562|                            |review?, commit-queue?
               Flag|                            |


Created an attachment (id=79562)
 --> (https://bugs.webkit.org/attachment.cgi?id=79562&action=review)
Patch with fix for InspectorBasicValue::writeJSON

WebCore::InspectorBasicValue::writeJSON when type is Number doesn't check whether there is enough room in the string buffer to write the number in decimal format. The DecimalNumber::toStringDecimal(), despite gets the buffer length, doesn't check it when writing to the buffer (the construction of the function doesn't even give such possibility). In result, when getting contents of the global scope and the value of MIN_VALUE, which is 5e-324, this function tries to write 324 zeros in a 96 byte buffer.

With this fix, .::writeJSON calls provided functions that predict required room for given number, and select either decimal format or exponential format, or eventually "NaN" if there's not enough room in the string buffer.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.