[Webkit-unassigned] [Bug 93887] New: QNetworkReplyHandler checks for wrong values with m_reply->bytesAvailable() causing qBadAlloc

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Aug 13 13:15:38 PDT 2012


https://bugs.webkit.org/show_bug.cgi?id=93887

           Summary: QNetworkReplyHandler checks for wrong values with
                    m_reply->bytesAvailable() causing qBadAlloc
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: All
        OS/Version: All
            Status: UNCONFIRMED
          Severity: Critical
          Priority: P2
         Component: WebKit Qt
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: tdeng at cisco.com


In the functions void QNetworkReplyWrapper::didReceiveReadyRead() and void QNetworkReplyWrapper::emitMetaDataChanged(), the code checks "if (m_reply->bytesAvailable()) { do something }". However, bytesAvailable() returns either the byte count or -1; it returns 0 only when the count is actually 0. So these two checks in QNetworkReplyWrapper rarely fail, even though they should fail when the value is -1. In that situation, with the value being -1, execution continues to void QNetworkReplyHandler::forwardData(), which passes the -1 value to m_replyWrapper->reply()->read(-1). QByteArray QIODevice::read(qint64 maxSize) then receives -1 as maxSize and tries to allocate a qint64 of 0x7fffffff in QByteArray::resize(). This leads to a qBadAlloc() and a crash.
