[Webkit-unassigned] [Bug 145842] Network process crashes decoding invalid cache entry on 32bit system

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Jun 10 14:15:37 PDT 2015


--- Comment #4 from Said Abou-Hallawa <sabouhallawa at apple.com> ---
Comment on attachment 254670
  --> https://bugs.webkit.org/attachment.cgi?id=254670

View in context: https://bugs.webkit.org/attachment.cgi?id=254670&action=review

> Source/WebKit2/NetworkProcess/cache/NetworkCacheDecoder.cpp:52
> +    return currentOffset() + size <= m_bufferSize;

Does not the following code fix the overflow issue regardless whether it runs on 32 or 64bit?

    return size <= m_bufferEnd - m_bufferPosition;

Otherwise I would suggest changing the last statement to be:

   return size <= m_bufferSize - currentOffset();

Subtraction is always safer when dealing with large numbers but they have to have the same sign.

You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.webkit.org/pipermail/webkit-unassigned/attachments/20150610/91e208b6/attachment-0001.html>

More information about the webkit-unassigned mailing list