[Webkit-unassigned] [Bug 85394] New: Web Inspector: crash in InspectorResourceAgent::didReceiveWebSocketFrame
bugzilla-daemon at webkit.org
Wed May 2 11:22:43 PDT 2012
https://bugs.webkit.org/show_bug.cgi?id=85394
Summary: Web Inspector: crash in InspectorResourceAgent::didReceiveWebSocketFrame
Product: WebKit
Version: 528+ (Nightly build)
Platform: All
OS/Version: Windows 7
Status: UNCONFIRMED
Severity: Normal
Priority: P2
Component: Web Inspector
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: marshall at chromium.org
CC: timothy at apple.com, rik at webkit.org, keishi at webkit.org,
pmuellr at yahoo.com, joepeck at webkit.org,
pfeldman at chromium.org, yurys at chromium.org,
bweinstein at apple.com, apavlov at chromium.org,
loislo at chromium.org
WebKit revision 115687.
Chromium revision 134688
The frame.payload value passed to InspectorResourceAgent::didReceiveWebSocketFrame is not nul-terminated. didReceiveWebSocketFrame calls payload.substring(0, frame.payloadLength), which also returns a non-nul-terminated string. The non-nul-terminated string is then passed to StringImpl::create, which calls strlen(), resulting in a buffer overrun.
Stack trace:
libcef.dll!strlen(unsigned char * buf) Line 81 Asm
libcef.dll!WTF::StringImpl::create(const unsigned char * string) Line 186 + 0x9 bytes C++
libcef.dll!WTF::String::String(const char * characters) Line 84 + 0x3a bytes C++
> libcef.dll!WebCore::InspectorResourceAgent::didReceiveWebSocketFrame(unsigned long identifier, const WebCore::WebSocketFrame & frame) Line 465 C++
libcef.dll!WebCore::InspectorInstrumentation::didReceiveWebSocketFrameImpl(WebCore::InstrumentingAgents * instrumentingAgents, unsigned long identifier, const WebCore::WebSocketFrame & frame) Line 995 C++
libcef.dll!WebCore::InspectorInstrumentation::didReceiveWebSocketFrame(WebCore::Document * document, unsigned long identifier, const WebCore::WebSocketFrame & frame) Line 1238 + 0x11 bytes C++
libcef.dll!WebCore::WebSocketChannel::processFrame() Line 603 + 0x1a bytes C++
libcef.dll!WebCore::WebSocketChannel::processBuffer() Line 489 + 0x8 bytes C++
libcef.dll!WebCore::WebSocketChannel::didReceiveSocketStreamData(WebCore::SocketStreamHandle * handle, const char * data, int len) Line 330 + 0x8 bytes C++
libcef.dll!WebCore::SocketStreamHandleInternal::didReceiveData(WebKit::WebSocketStreamHandle * socketHandle, const WebKit::WebData & data) Line 134 + 0x34 bytes C++
libcef.dll!webkit_glue::WebSocketStreamHandleImpl::Context::DidReceiveData(WebKit::WebSocketStreamHandle * web_handle, const char * data, int size) Line 129 + 0x4b bytes C++
libcef.dll!IPCWebSocketStreamHandleBridge::OnReceivedData(const std::vector<char,std::allocator<char> > & data) Line 127 + 0x32 bytes C++
libcef.dll!SocketStreamDispatcher::OnReceivedData(int socket_id, const std::vector<char,std::allocator<char> > & data) Line 222 C++
libcef.dll!DispatchToMethod<SocketStreamDispatcher,void (__thiscall SocketStreamDispatcher::*)(int,std::vector<char,std::allocator<char> > const &),int,std::vector<char,std::allocator<char> > >(SocketStreamDispatcher * obj, void (int, const std::vector<char,std::allocator<char> > &)* method, const Tuple2<int,std::vector<char,std::allocator<char> > > & arg) Line 554 + 0x15 bytes C++
libcef.dll!SocketStreamMsg_ReceivedData::Dispatch<SocketStreamDispatcher,SocketStreamDispatcher,void (__thiscall SocketStreamDispatcher::*)(int,std::vector<char,std::allocator<char> > const &)>(const IPC::Message * msg, SocketStreamDispatcher * obj, SocketStreamDispatcher * sender, void (int, const std::vector<char,std::allocator<char> > &)* func) Line 65 + 0x56 bytes C++
libcef.dll!SocketStreamDispatcher::OnMessageReceived(const IPC::Message & msg) Line 188 + 0x3c bytes C++
libcef.dll!ChildThread::OnMessageReceived(const IPC::Message & msg) Line 176 + 0x2d bytes C++
libcef.dll!IPC::ChannelProxy::Context::OnDispatchMessage(const IPC::Message & message) Line 247 + 0x19 bytes C++
libcef.dll!base::internal::RunnableAdapter<void (__thiscall IPC::ChannelProxy::Context::*)(IPC::Message const &)>::Run(IPC::ChannelProxy::Context * object, const IPC::Message & a1) Line 188 + 0x21 bytes C++
libcef.dll!base::internal::InvokeHelper<0,void,base::internal::RunnableAdapter<void (__thiscall IPC::ChannelProxy::Context::*)(IPC::Message const &)>,void __cdecl(IPC::ChannelProxy::Context * const &,IPC::Message const &)>::MakeItSo(base::internal::RunnableAdapter<void (__thiscall IPC::ChannelProxy::Context::*)(IPC::Message const &)> runnable, IPC::ChannelProxy::Context * const & a1, const IPC::Message & a2) Line 897 C++
libcef.dll!base::internal::Invoker<2,base::internal::BindState<base::internal::RunnableAdapter<void (__thiscall IPC::ChannelProxy::Context::*)(IPC::Message const &)>,void __cdecl(IPC::ChannelProxy::Context *,IPC::Message const &),void __cdecl(IPC::ChannelProxy::Context *,IPC::Message)>,void __cdecl(IPC::ChannelProxy::Context *,IPC::Message const &)>::Run(base::internal::BindStateBase * base) Line 1254 + 0x2a bytes C++
libcef.dll!base::Callback<void __cdecl(void)>::Run() Line 272 + 0xe bytes C++
libcef.dll!MessageLoop::RunTask(const base::PendingTask & pending_task) Line 464 C++
libcef.dll!MessageLoop::DeferOrRunPendingTask(const base::PendingTask & pending_task) Line 477 C++
libcef.dll!MessageLoop::DoWork() Line 651 + 0xc bytes C++
libcef.dll!base::MessagePumpForUI::DoRunLoop() Line 224 + 0x1d bytes C++
libcef.dll!base::MessagePumpWin::RunWithDispatcher(base::MessagePump::Delegate * delegate, base::MessagePumpDispatcher * dispatcher) Line 60 + 0xf bytes C++
libcef.dll!base::MessagePumpWin::Run(base::MessagePump::Delegate * delegate) Line 48 + 0x1c bytes C++
libcef.dll!MessageLoop::RunInternal() Line 421 + 0x29 bytes C++
libcef.dll!MessageLoop::RunHandler() Line 395 C++
libcef.dll!MessageLoop::Run() Line 301 C++
libcef.dll!base::Thread::Run(MessageLoop * message_loop) Line 129 C++
libcef.dll!base::Thread::ThreadMain() Line 163 + 0x16 bytes C++
libcef.dll!base::`anonymous namespace'::ThreadFunc(void * params) Line 58 + 0xf bytes C++
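As an added illustration of the failure mode in the report (this is not WebKit code and not from the reporter; std::string stands in for WTF::String, and the WebSocketFrame struct and receive buffer are constructed here), the strlen()-based conversion is shown beside the length-aware form that stays within the frame:

```cpp
#include <cstddef>
#include <cstdio>
#include <string>

// Stand-in for WebCore::WebSocketFrame (hypothetical; only the two fields the
// report talks about). payload points into the channel's receive buffer and
// carries no NUL terminator; payloadLength is the only length information.
struct WebSocketFrame {
    const char* payload;
    size_t payloadLength;
};

// The pattern the report describes: the payload goes through a const char*
// constructor, so the length is taken from strlen(), which scans until it
// happens to find a NUL byte somewhere past the end of the frame.
std::string payloadViaStrlen(const WebSocketFrame& frame) {
    return std::string(frame.payload);
}

// The length-aware form: the byte count comes from the frame header, so no
// byte beyond payloadLength is read, whatever follows it in memory.
std::string payloadViaLength(const WebSocketFrame& frame) {
    return std::string(frame.payload, frame.payloadLength);
}

// Constructed receive buffer holding two frames back to back, as
// WebSocketChannel::processBuffer() would see them. Bytes 0..4 are the first
// frame's payload; the rest belongs to the next frame. The trailing NUL the
// literal supplies exists only to keep this demo inside its own allocation;
// a real socket buffer offers no such guard, hence the crash inside strlen().
static const char kReceiveBuffer[] = "helloNEXT-FRAME-DATA";

WebSocketFrame firstFrame() {
    return WebSocketFrame{kReceiveBuffer, 5};
}

// Number of bytes past the frame boundary that the strlen()-based conversion
// swallows for the constructed buffer (15 here; in production it is unbounded).
size_t overreadBytes() {
    const WebSocketFrame frame = firstFrame();
    return payloadViaStrlen(frame).size() - frame.payloadLength;
}

int main() {
    const WebSocketFrame frame = firstFrame();
    std::printf("strlen-based : \"%s\"\n", payloadViaStrlen(frame).c_str());
    std::printf("length-based : \"%s\"\n", payloadViaLength(frame).c_str());
    std::printf("bytes read past the frame: %zu\n", overreadBytes());
    return 0;
}
```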