[Webkit-unassigned] [Bug 85394] New: Web Inspector: crash in InspectorResourceAgent::didReceiveWebSocketFrame

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed May 2 11:22:43 PDT 2012


https://bugs.webkit.org/show_bug.cgi?id=85394

           Summary: Web Inspector: crash in
                    InspectorResourceAgent::didReceiveWebSocketFrame
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: All
        OS/Version: Windows 7
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: Web Inspector
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: marshall at chromium.org
                CC: timothy at apple.com, rik at webkit.org, keishi at webkit.org,
                    pmuellr at yahoo.com, joepeck at webkit.org,
                    pfeldman at chromium.org, yurys at chromium.org,
                    bweinstein at apple.com, apavlov at chromium.org,
                    loislo at chromium.org


WebKit revision 115687.
Chromium revision 134688

The frame.payload value passed to InspectorResourceAgent::didReceiveWebSocketFrame is not nul-terminated. didReceiveWebSocketFrame calls payload.substring(0, frame.payloadLength), which also returns a non-nul-terminated string. The non-nul-terminated string is then passed to StringImpl::create, which calls strlen(), resulting in a buffer overrun.

Stack trace:

     libcef.dll!strlen(unsigned char * buf)  Line 81    Asm
     libcef.dll!WTF::StringImpl::create(const unsigned char * string)  Line 186 + 0x9 bytes    C++
     libcef.dll!WTF::String::String(const char * characters)  Line 84 + 0x3a bytes    C++
>	libcef.dll!WebCore::InspectorResourceAgent::didReceiveWebSocketFrame(unsigned long identifier, const WebCore::WebSocketFrame & frame)  Line 465	C++
     libcef.dll!WebCore::InspectorInstrumentation::didReceiveWebSocketFrameImpl(WebCore::InstrumentingAgents * instrumentingAgents, unsigned long identifier, const WebCore::WebSocketFrame & frame)  Line 995    C++
     libcef.dll!WebCore::InspectorInstrumentation::didReceiveWebSocketFrame(WebCore::Document * document, unsigned long identifier, const WebCore::WebSocketFrame & frame)  Line 1238 + 0x11 bytes    C++
     libcef.dll!WebCore::WebSocketChannel::processFrame()  Line 603 + 0x1a bytes    C++
     libcef.dll!WebCore::WebSocketChannel::processBuffer()  Line 489 + 0x8 bytes    C++
     libcef.dll!WebCore::WebSocketChannel::didReceiveSocketStreamData(WebCore::SocketStreamHandle * handle, const char * data, int len)  Line 330 + 0x8 bytes    C++
     libcef.dll!WebCore::SocketStreamHandleInternal::didReceiveData(WebKit::WebSocketStreamHandle * socketHandle, const WebKit::WebData & data)  Line 134 + 0x34 bytes    C++
     libcef.dll!webkit_glue::WebSocketStreamHandleImpl::Context::DidReceiveData(WebKit::WebSocketStreamHandle * web_handle, const char * data, int size)  Line 129 + 0x4b bytes    C++
     libcef.dll!IPCWebSocketStreamHandleBridge::OnReceivedData(const std::vector<char,std::allocator<char> > & data)  Line 127 + 0x32 bytes    C++
     libcef.dll!SocketStreamDispatcher::OnReceivedData(int socket_id, const std::vector<char,std::allocator<char> > & data)  Line 222    C++
     libcef.dll!DispatchToMethod<SocketStreamDispatcher,void (__thiscall SocketStreamDispatcher::*)(int,std::vector<char,std::allocator<char> > const &),int,std::vector<char,std::allocator<char> > >(SocketStreamDispatcher * obj, void (int, const std::vector<char,std::allocator<char> > &)* method, const Tuple2<int,std::vector<char,std::allocator<char> > > & arg)  Line 554 + 0x15 bytes    C++
     libcef.dll!SocketStreamMsg_ReceivedData::Dispatch<SocketStreamDispatcher,SocketStreamDispatcher,void (__thiscall SocketStreamDispatcher::*)(int,std::vector<char,std::allocator<char> > const &)>(const IPC::Message * msg, SocketStreamDispatcher * obj, SocketStreamDispatcher * sender, void (int, const std::vector<char,std::allocator<char> > &)* func)  Line 65 + 0x56 bytes    C++
     libcef.dll!SocketStreamDispatcher::OnMessageReceived(const IPC::Message & msg)  Line 188 + 0x3c bytes    C++
     libcef.dll!ChildThread::OnMessageReceived(const IPC::Message & msg)  Line 176 + 0x2d bytes    C++
     libcef.dll!IPC::ChannelProxy::Context::OnDispatchMessage(const IPC::Message & message)  Line 247 + 0x19 bytes    C++
     libcef.dll!base::internal::RunnableAdapter<void (__thiscall IPC::ChannelProxy::Context::*)(IPC::Message const &)>::Run(IPC::ChannelProxy::Context * object, const IPC::Message & a1)  Line 188 + 0x21 bytes    C++
     libcef.dll!base::internal::InvokeHelper<0,void,base::internal::RunnableAdapter<void (__thiscall IPC::ChannelProxy::Context::*)(IPC::Message const &)>,void __cdecl(IPC::ChannelProxy::Context * const &,IPC::Message const &)>::MakeItSo(base::internal::RunnableAdapter<void (__thiscall IPC::ChannelProxy::Context::*)(IPC::Message const &)> runnable, IPC::ChannelProxy::Context * const & a1, const IPC::Message & a2)  Line 897    C++
     libcef.dll!base::internal::Invoker<2,base::internal::BindState<base::internal::RunnableAdapter<void (__thiscall IPC::ChannelProxy::Context::*)(IPC::Message const &)>,void __cdecl(IPC::ChannelProxy::Context *,IPC::Message const &),void __cdecl(IPC::ChannelProxy::Context *,IPC::Message)>,void __cdecl(IPC::ChannelProxy::Context *,IPC::Message const &)>::Run(base::internal::BindStateBase * base)  Line 1254 + 0x2a bytes    C++
     libcef.dll!base::Callback<void __cdecl(void)>::Run()  Line 272 + 0xe bytes    C++
     libcef.dll!MessageLoop::RunTask(const base::PendingTask & pending_task)  Line 464    C++
     libcef.dll!MessageLoop::DeferOrRunPendingTask(const base::PendingTask & pending_task)  Line 477    C++
     libcef.dll!MessageLoop::DoWork()  Line 651 + 0xc bytes    C++
     libcef.dll!base::MessagePumpForUI::DoRunLoop()  Line 224 + 0x1d bytes    C++
     libcef.dll!base::MessagePumpWin::RunWithDispatcher(base::MessagePump::Delegate * delegate, base::MessagePumpDispatcher * dispatcher)  Line 60 + 0xf bytes    C++
     libcef.dll!base::MessagePumpWin::Run(base::MessagePump::Delegate * delegate)  Line 48 + 0x1c bytes    C++
     libcef.dll!MessageLoop::RunInternal()  Line 421 + 0x29 bytes    C++
     libcef.dll!MessageLoop::RunHandler()  Line 395    C++
     libcef.dll!MessageLoop::Run()  Line 301    C++
     libcef.dll!base::Thread::Run(MessageLoop * message_loop)  Line 129    C++
     libcef.dll!base::Thread::ThreadMain()  Line 163 + 0x16 bytes    C++
     libcef.dll!base::`anonymous namespace'::ThreadFunc(void * params)  Line 58 + 0xf bytes    C++

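Added example (not WebKit's or the reporter's code) that mirrors the defect described in the report: a WebSocket frame payload is a length-delimited slice of a larger receive buffer, so a string constructor that scans for a terminating NUL runs past the payload, while one that honours the frame's own length does not. Frame, kReceiveBuffer and the two helper functions are constructed stand-ins for WebSocketFrame and WTF::String.

```cpp
// Added example, not WebKit code: shows why building a string from a
// WebSocket frame payload with strlen() is wrong, and the length-aware
// form that fixes it.
#include <cstddef>
#include <cstring>
#include <string>

// Hypothetical stand-in for WebCore::WebSocketFrame: pointer + length.
struct Frame {
    const char* payload;
    size_t payloadLength;
};

// Constructed receive buffer: one 5-byte text payload ("hello") followed
// immediately by the next frame (0x81 = FIN|text opcode, 0x05 = length,
// "world"). The trailing NUL exists only so this demo stays in bounds;
// a real socket buffer offers no such guarantee.
static const char kReceiveBuffer[] = "hello\x81\x05world";

// Build the frame the way a parser hands it to the inspector agent:
// a (pointer, length) slice into the receive buffer, no terminator.
Frame firstFrame() {
    return Frame{kReceiveBuffer, 5};
}

// Buggy pattern (String(const char*) -> StringImpl::create -> strlen()):
// the frame's length is ignored, so the result spills into the bytes of
// the following frame, or past the allocation when nothing follows.
std::string payloadViaStrlen(const Frame& frame) {
    return std::string(frame.payload);  // strlen() decides the length
}

// Hardened pattern: use the frame's explicit length and never scan for
// NUL (in WTF terms, String(characters, length) not String(characters)).
std::string payloadViaLength(const Frame& frame) {
    return std::string(frame.payload, frame.payloadLength);
}

// Defensive check a caller can apply before converting: the slice must
// lie entirely inside the buffer it was cut from.
bool frameWithinBuffer(const Frame& frame, const char* bufBegin, size_t bufSize) {
    return frame.payload >= bufBegin
        && frame.payloadLength <= bufSize
        && static_cast<size_t>(frame.payload - bufBegin) <= bufSize - frame.payloadLength;
}
```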