[Webkit-unassigned] [Bug 86183] [BlackBerry] '; ' character is not handled correctly in Content-Disposition headers.

[bugzilla-daemon at webkit.org]

https://bugs.webkit.org/show_bug.cgi?id=86183





--- Comment #3 from Leo Yang <leo.yang at torchmobile.com.cn>  2012-05-11 02:57:21 PST ---
(From update of attachment 141362)
View in context: https://bugs.webkit.org/attachment.cgi?id=141362&action=review

> Source/WebCore/platform/network/HTTPParsers.cpp:222
> +    for (int i = 0; i <= value.length(); i++) {
> +         // Try to find filename in strings which are separated by not-double-quoted ';'.
> +         if (value[i] == ';' || i == value.length()) {
> +             // Skip finding filename if there is not a '=' in the string.
> +             if (equalPos > semicolonPos) {
> +                size_t keyPos = semicolonPos + 1;
> +                String key = value.substring(keyPos, equalPos - keyPos).stripWhiteSpace();
> +                if (key.lower() == "filename") {
> +                    String filename = value.substring(equalPos + 1, i - equalPos -1).stripWhiteSpace();
> +                    if (filename[0] == '"' && filename[filename.length() -1] == '"')
> +                        filename = filename.substring(1, filename.length() -2);
> +                    return filename;
> +                }
> +             }
> +             semicolonPos = i;
> +         } else if (value[i] == '"') {
> +            // Skip double-quoted ';'.
> +            size_t secondQuotePos = value.find('"', i + 1);
> +            if (secondQuotePos != notFound)
> +                i = secondQuotePos;
> +         } else if (value[i] == '=' && equalPos <= semicolonPos) // equanlPos points to the first '=' when parsing filename.
> +            equalPos = i;

Seems array bounds overflow. You may access value[value.length()]

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.