[Webkit-unassigned] [Bug 198320] [curl] Heap corruption in ~CurlResponse

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Jul 24 04:55:09 PDT 2019


https://bugs.webkit.org/show_bug.cgi?id=198320

--- Comment #4 from Takashi Komori <Takashi.Komori at sony.com> ---
## How CurlRequest crashes.

-- Main Thread ------------------
1) URL object url is generated by isolatedCopy in CurlRequest::start().
2) CurlRequest::invokeDidReceiveResponseForFile is called.
3) url is copied to m_response.url.
4) Worker task is generated.
5) Return to CurlRequest::start().
6) At the end of CurlRequest::start(), the url generated in 1) is destructed.

-- Worker Thread ------------------
a) Start CurlRequest::invokeDidReceiveResponse() as a worker thread.
b) response is copied by isolatedCopy().
c) CurlResponse::isolatedCopy() copies url by using URL::isolatedCopy().
d) URL::isolatedCopy first copies itself to result.
e) result.m_string is overwritten in URL::isolatedCopy().

Steps 1), 3) and d) increase the reference count of the same string object.
Steps 6) and e) decrease the reference count.

Because StringImpl::deref doesn't change m_refCount atomically, in this sequence the counter becomes 0 depending on timing and wrongly destroys the String object, and the destroyed object causes the crashes.
