[Webkit-unassigned] [Bug 89787] New: alignment crash in MIMESniffer
bugzilla-daemon at webkit.org
Fri Jun 22 14:53:16 PDT 2012
https://bugs.webkit.org/show_bug.cgi?id=89787
Summary: alignment crash in MIMESniffer
Product: WebKit
Version: 528+ (Nightly build)
Platform: Unspecified
OS/Version: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: Page Loading
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: jmason at rim.com
CC: staikos at kde.org, yoli at rim.com
The compare function in MIMESniffing.cpp takes a char* pointer, "data", and does:
if (info.flags & SkipWhiteSpace) {
    size_t pos = 0;
    skipWhiteSpace(data, pos, dataSize);
    data += pos;
    dataSize -= pos;
}
So if data starts 4-byte aligned but starts with a single space, it will be moved 1 byte ahead and no longer be aligned.
Then it calls "maskedCompare(info, data, info.size)", which does:
const uint32_t* data32 = reinterpret_cast_ptr<const uint32_t*>(data);
Which is invalid as data is not necessarily 4-byte aligned.
In a debug build, reinterpret_cast_ptr will crash with an assertion failure:
ASSERTION FAILED: isPointerTypeAlignmentOkay(reinterpret_cast<TypePtr>(ptr))
/home/jmason/dev/webkit/Source/WTF/wtf/StdLibExtras.h(101) : TypePtr
reinterpret_cast_ptr(const void*) [with TypePtr = const unsigned int*]
I think that the unaligned access is potentially serious here so it shouldn't just be covered up, but I have no idea how to fix it.
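The scenario the report describes, as an added, self-contained illustration that is not WebKit's code: a stand-in sniffing table entry (the MagicNumber struct, the "<HTML" mask/pattern, and the kSample buffer are all constructed for this example, not taken from MIMESniffing.cpp), the same whitespace skip that moves "data" one byte past a 4-byte boundary, the alignment check that WTF's reinterpret_cast_ptr assertion performs, and two masked compares that do not require alignment: a byte-wise one and a word-wise one that loads through memcpy instead of a reinterpret_cast to uint32_t*.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>

// Hypothetical stand-in for one row of the sniffing signature table.
struct MagicNumber {
    const char* mask;     // bit mask applied to each input byte
    const char* pattern;  // expected value after masking
    size_t size;          // number of bytes in mask/pattern
    bool skipWhiteSpace;  // corresponds to the SkipWhiteSpace flag in the report
};

// Case-insensitive "<HTML": mask 0xDF clears the ASCII case bit (0x20).
// Constructed for this example.
static const MagicNumber kHtmlSignature = { "\xFF\xDF\xDF\xDF\xDF", "<HTML", 5, true };

// Constructed input: 4-byte aligned, but it begins with a single space.
alignas(4) static const char kSample[] = " <html><body>";

// Advance pos past leading ASCII whitespace, as in the report.
static void skipWhiteSpace(const char* data, size_t& pos, size_t dataSize)
{
    while (pos < dataSize
           && (data[pos] == ' ' || data[pos] == '\t' || data[pos] == '\n' || data[pos] == '\r'))
        ++pos;
}

// The check behind WTF's isPointerTypeAlignmentOkay assertion: is p aligned for a T?
template <typename T>
static bool isAlignedFor(const void* p)
{
    return reinterpret_cast<uintptr_t>(p) % alignof(T) == 0;
}

// Where "data" points after the optional whitespace skip.
static const char* adjustedStart(const MagicNumber& info, const char* data, size_t dataSize)
{
    if (info.skipWhiteSpace) {
        size_t pos = 0;
        skipWhiteSpace(data, pos, dataSize);
        data += pos;
    }
    return data;
}

// Byte-wise masked compare: no alignment requirement at all.
static bool maskedCompareBytes(const MagicNumber& info, const char* data, size_t dataSize)
{
    if (dataSize < info.size)
        return false;
    for (size_t i = 0; i < info.size; ++i) {
        unsigned char d = static_cast<unsigned char>(data[i]);
        unsigned char m = static_cast<unsigned char>(info.mask[i]);
        unsigned char p = static_cast<unsigned char>(info.pattern[i]);
        if ((d & m) != p)
            return false;
    }
    return true;
}

// Word-wise masked compare that loads every operand with memcpy. The compiler emits an
// alignment-tolerant load on every target, so no uint32_t* ever points at an odd address.
// Endianness does not matter: data, mask and pattern are all loaded the same way.
static bool maskedCompareWords(const MagicNumber& info, const char* data, size_t dataSize)
{
    if (dataSize < info.size)
        return false;
    size_t i = 0;
    for (; i + 4 <= info.size; i += 4) {
        uint32_t d, m, p;
        memcpy(&d, data + i, 4);
        memcpy(&m, info.mask + i, 4);
        memcpy(&p, info.pattern + i, 4);
        if ((d & m) != p)
            return false;
    }
    // Tail bytes (signature length not a multiple of 4).
    MagicNumber tail = { info.mask + i, info.pattern + i, info.size - i, false };
    return maskedCompareBytes(tail, data + i, dataSize - i);
}

// The flow from the report: skip whitespace, then compare from the moved pointer.
static bool sniff(const MagicNumber& info, const char* data, size_t dataSize)
{
    const char* start = adjustedStart(info, data, dataSize);
    size_t remaining = dataSize - static_cast<size_t>(start - data);
    return maskedCompareWords(info, start, remaining);
}

int main()
{
    const char* start = adjustedStart(kHtmlSignature, kSample, sizeof(kSample) - 1);
    printf("buffer aligned for uint32_t: %d\n", isAlignedFor<uint32_t>(kSample));
    printf("after whitespace skip aligned: %d\n", isAlignedFor<uint32_t>(start));
    printf("matches <HTML signature: %d\n", sniff(kHtmlSignature, kSample, sizeof(kSample) - 1));
    return 0;
}
```

On an x86 machine the reinterpret_cast in the report happens to work because the hardware tolerates unaligned loads; on targets that trap on them (the platform the reporter is on is not named), the same code faults, which is why the memcpy form above is the portable replacement rather than a change to the assertion.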