[Webkit-unassigned] [Bug 93887] New: QNetworkReplyHandler checks for wrong values with m_reply->bytesAvailable() causing qBadAlloc
bugzilla-daemon at webkit.org
Mon Aug 13 13:15:38 PDT 2012
https://bugs.webkit.org/show_bug.cgi?id=93887
Summary: QNetworkReplyHandler checks for wrong values with
m_reply->bytesAvailable() causing qBadAlloc
Product: WebKit
Version: 528+ (Nightly build)
Platform: All
OS/Version: All
Status: UNCONFIRMED
Severity: Critical
Priority: P2
Component: WebKit Qt
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: tdeng at cisco.com
In functions void QNetworkReplyWrapper::didReceiveReadyRead() and void QNetworkReplyWrapper::emitMetaDataChanged(), the code checks "if(m_reply->bytesAvailable()){do something}". However, the function bytesAvailable returns "something", or -1, not 0 unless it is actually 0. So these two functions in QNetworkReplyWrapper rarely fail the check, even though it should fail if it is a -1. In such situations, with the value being -1, it continues down the path to void QNetworkReplyHandler::forwardData(), and in this function, it passes the -1 value to m_replyWrapper->reply()->read(-1). When this happens, QByteArray QIODevice::read(qint64 maxSize) gets -1 as a param, and tries to allocate a qint64 of 0x7fffffff in QByteArray::resize(). This leads to a qBadAlloc() and a crash.
--
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
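The check pattern described in the report, next to an explicit positive comparison, as an added example that is not WebKit or Qt code and not part of the original report. FakeReply, forwardTruthy and forwardPositive are hypothetical names, and the stand-in read() only records the size it was asked for instead of allocating.

```cpp
#include <cstdint>
#include <iostream>
#include <string>
#include <utility>

// Constructed stand-in for the network reply (not Qt code). It only records
// what read() was asked for, so the -1 request can be observed safely.
struct FakeReply {
    std::int64_t available;        // value bytesAvailable() reports
    std::string buffer;            // constructed payload
    bool readCalled = false;
    std::int64_t lastReadArg = 0;

    FakeReply(std::int64_t n, std::string b) : available(n), buffer(std::move(b)) {}
    std::int64_t bytesAvailable() const { return available; }
    std::string read(std::int64_t maxSize) {
        readCalled = true;
        lastReadArg = maxSize;
        if (maxSize <= 0) return std::string();
        return buffer.substr(0, static_cast<std::size_t>(maxSize));
    }
};

// Check in the form quoted in the report: every non-zero value, -1 included, passes.
bool forwardTruthy(FakeReply& r) {
    if (r.bytesAvailable()) { r.read(r.bytesAvailable()); return true; }
    return false;
}

// Explicit comparison: only a positive byte count reaches read().
bool forwardPositive(FakeReply& r) {
    const std::int64_t n = r.bytesAvailable();
    if (n > 0) { r.read(n); return true; }
    return false;
}

int main() {
    const std::int64_t samples[] = {-1, 0, 4};  // constructed return values
    for (std::int64_t n : samples) {
        FakeReply a(n, "data"), b(n, "data");
        std::cout << "bytesAvailable=" << n
                  << " truthy check forwards=" << forwardTruthy(a)
                  << " (read arg " << a.lastReadArg << ")"
                  << " positive check forwards=" << forwardPositive(b) << "\n";
    }
    return 0;
}
```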