[Webkit-unassigned] [Bug 86183] [BlackBerry] '; ' character is not handled correctly in Content-Disposition headers.
bugzilla-daemon at webkit.org
Fri May 11 02:58:16 PDT 2012
https://bugs.webkit.org/show_bug.cgi?id=86183
--- Comment #3 from Leo Yang <leo.yang at torchmobile.com.cn> 2012-05-11 02:57:21 PST ---
(From update of attachment 141362)
View in context: https://bugs.webkit.org/attachment.cgi?id=141362&action=review
> Source/WebCore/platform/network/HTTPParsers.cpp:222
> + for (int i = 0; i <= value.length(); i++) {
> + // Try to find filename in strings which are separated by not-double-quoted ';'.
> + if (value[i] == ';' || i == value.length()) {
> + // Skip finding filename if there is not a '=' in the string.
> + if (equalPos > semicolonPos) {
> + size_t keyPos = semicolonPos + 1;
> + String key = value.substring(keyPos, equalPos - keyPos).stripWhiteSpace();
> + if (key.lower() == "filename") {
> + String filename = value.substring(equalPos + 1, i - equalPos -1).stripWhiteSpace();
> + if (filename[0] == '"' && filename[filename.length() -1] == '"')
> + filename = filename.substring(1, filename.length() -2);
> + return filename;
> + }
> + }
> + semicolonPos = i;
> + } else if (value[i] == '"') {
> + // Skip double-quoted ';'.
> + size_t secondQuotePos = value.find('"', i + 1);
> + if (secondQuotePos != notFound)
> + i = secondQuotePos;
> + } else if (value[i] == '=' && equalPos <= semicolonPos) // equanlPos points to the first '=' when parsing filename.
> + equalPos = i;
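Review bot: The loop at HTTPParsers.cpp:222 runs `i` up to and including `value.length()`, and the condition on the next line evaluates `value[i]` before it checks `i == value.length()`, so the last iteration indexes one past the end of the string. Reordering the test to `if (i == value.length() || value[i] == ';')` avoids the out-of-bounds read; `i` is also declared `int` while `length()` is unsigned, so declaring it `unsigned` (or `size_t`) removes the signed/unsigned comparison. The quote-stripping branch has the same shape of problem: when the substring after `=` is empty, `filename[0]` and `filename[filename.length() -1]` are both evaluated on a zero-length string, and the unsigned `length() - 1` wraps; guarding with `filename.length() >= 2` before comparing the first and last characters keeps that case safe.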
Seems like an array bounds overflow. You may access value[value.length()].