[Webkit-unassigned] [Bug 89787] New: alignment crash in MIMESniffer

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Jun 22 14:53:16 PDT 2012


https://bugs.webkit.org/show_bug.cgi?id=89787

           Summary: alignment crash in MIMESniffer
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
        OS/Version: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Page Loading
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: jmason at rim.com
                CC: staikos at kde.org, yoli at rim.com


The compare function in MIMESniffing.cpp takes a char* pointer, "data", and does:

        if (info.flags & SkipWhiteSpace) {
            size_t pos = 0;
            skipWhiteSpace(data, pos, dataSize);
            data += pos;
            dataSize -= pos;
        }

So if data starts 4-byte aligned but starts with a single space, it will be moved 1 byte ahead and no longer be aligned.

Then it calls "maskedCompare(info, data, info.size)", which does:

const uint32_t* data32 = reinterpret_cast_ptr<const uint32_t*>(data);

Which is invalid as data is not necessarily 4-byte aligned.

In a debug build, reinterpret_cast_ptr will crash with an assertion failure:

ASSERTION FAILED: isPointerTypeAlignmentOkay(reinterpret_cast<TypePtr>(ptr))
/home/jmason/dev/webkit/Source/WTF/wtf/StdLibExtras.h(101) : TypePtr
reinterpret_cast_ptr(const void*) [with TypePtr = const unsigned int*]

I think that the unaligned access is potentially serious here so it shouldn't just be covered up, but I have no idea how to fix it.
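The following is an added illustration, not code from the bug report or from WebKit. It reproduces the control flow the report describes (skip leading whitespace, then masked-compare the pattern) with a constructed doctype entry, shows a check equivalent to the WTF alignment assertion so the failing condition can be detected on any input, and replaces the uint32_t* cast with a memcpy-based load so the compare is valid for a pointer at any offset. MagicNumbers, load32, skipBreaksAlignment and the sample input are assumptions made for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>

// Constructed stand-in for a MIMESniffing magic-number entry: a byte pattern,
// a byte mask applied to the input before comparison, and the skip-whitespace flag.
struct MagicNumbers {
    const char* pattern;
    const char* mask;
    size_t size;
    bool skipWhiteSpace;
};

// Same check the WTF assertion performs: is p suitably aligned for a uint32_t?
bool isAligned32(const void* p)
{
    return reinterpret_cast<uintptr_t>(p) % alignof(uint32_t) == 0;
}

static bool isWhiteSpace(char c)
{
    return c == ' ' || c == '\t' || c == '\n' || c == '\r';
}

// Number of leading whitespace bytes (any value, not necessarily a multiple of 4).
size_t skipWhiteSpace(const char* data, size_t dataSize)
{
    size_t pos = 0;
    while (pos < dataSize && isWhiteSpace(data[pos]))
        ++pos;
    return pos;
}

// Alignment-agnostic 32-bit load: memcpy lets the compiler emit an unaligned
// load (or byte loads) instead of dereferencing a uint32_t* that must be aligned.
static uint32_t load32(const char* p)
{
    uint32_t v;
    memcpy(&v, p, sizeof v);
    return v;
}

// Masked compare that is valid for any data pointer. The reported
//   const uint32_t* data32 = reinterpret_cast_ptr<const uint32_t*>(data);
// is replaced by load32(), so no alignment assumption is made.
bool maskedCompare(const MagicNumbers& info, const char* data, size_t dataSize)
{
    if (dataSize < info.size)
        return false;
    size_t i = 0;
    for (; i + sizeof(uint32_t) <= info.size; i += sizeof(uint32_t)) {
        if ((load32(data + i) & load32(info.mask + i)) != load32(info.pattern + i))
            return false;
    }
    for (; i < info.size; ++i) { // tail bytes after the last full word
        unsigned char d = static_cast<unsigned char>(data[i]);
        unsigned char m = static_cast<unsigned char>(info.mask[i]);
        unsigned char p = static_cast<unsigned char>(info.pattern[i]);
        if ((d & m) != p)
            return false;
    }
    return true;
}

// Mirrors the compare() flow from the report: skip whitespace, then masked compare.
bool matches(const MagicNumbers& info, const char* data, size_t dataSize)
{
    if (info.skipWhiteSpace) {
        size_t pos = skipWhiteSpace(data, dataSize);
        data += pos;
        dataSize -= pos;
    }
    return maskedCompare(info, data, dataSize);
}

// True when this input would trip the reported assertion: the buffer is
// 4-byte aligned but the pointer handed to the compare after the skip is not.
bool skipBreaksAlignment(const MagicNumbers& info, const char* data, size_t dataSize)
{
    if (!info.skipWhiteSpace)
        return false;
    return isAligned32(data) && !isAligned32(data + skipWhiteSpace(data, dataSize));
}

// Constructed HTML doctype entry: 0xDF in the mask clears the ASCII case bit so
// letters match case-insensitively; 0xFF positions must match exactly.
const MagicNumbers kHtmlDoctype = {
    "<!DOCTYPE HTML",
    "\xFF\xFF\xDF\xDF\xDF\xDF\xDF\xDF\xDF\xFF\xDF\xDF\xDF\xDF",
    14,
    true
};

// Constructed input: aligned storage whose content starts with a single space.
alignas(uint32_t) const char kLeadingSpaceDoc[] = " <!doctype html><p>hi</p>";
const size_t kLeadingSpaceDocSize = sizeof(kLeadingSpaceDoc) - 1;

int main()
{
    printf("skip breaks alignment: %d\n", skipBreaksAlignment(kHtmlDoctype, kLeadingSpaceDoc, kLeadingSpaceDocSize));
    printf("matches: %d\n", matches(kHtmlDoctype, kLeadingSpaceDoc, kLeadingSpaceDocSize));
    return 0;
}
```

With the memcpy load the one-byte shift is harmless; the same input that fails the isPointerTypeAlignmentOkay assertion in a debug build matches correctly here, and skipBreaksAlignment() gives a reviewer a direct way to confirm which inputs reach the compare unaligned.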
