[Webkit-unassigned] [Bug 199063] New: WebURLSchemeHandlerProxy::loadSynchronously get wild pointer

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Jun 20 01:20:57 PDT 2019 

https://bugs.webkit.org/show_bug.cgi?id=199063

            Bug ID: 199063
           Summary: WebURLSchemeHandlerProxy::loadSynchronously get wild
                    pointer
           Product: WebKit
           Version: Other
          Hardware: iPhone / iPad
                OS: iOS 12
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebKit2
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: ljin.zq at gmail.com

The problem code is the following:

void WebURLSchemeHandlerProxy::loadSynchronously(ResourceLoadIdentifier loadIdentifier, const ResourceRequest& request, ResourceResponse& response, ResourceError& error, Vector<char>& data)
{
    IPC::DataReference dataReference;
    if (!m_webPage.sendSync(Messages::WebPageProxy::LoadSynchronousURLSchemeTask(URLSchemeTaskParameters { m_identifier, loadIdentifier, request }), Messages::WebPageProxy::LoadSynchronousURLSchemeTask::Reply(response, error, dataReference))) {
        error = failedCustomProtocolSyncLoad(request);
        return;
    }

    data.resize(dataReference.size());
    memcpy(data.data(), dataReference.data(), dataReference.size());
}


The “IPC::DataReference dataReference;” just "reference" data from sendSync but not "copy" it. 
When the sendSync function pop stack, the data will be dealloc.  
So the dataReference get a  wild pointer.


Steps:

1、 Setup custom Scheme
    UCWKURLSchemeHandler *handler = [[UCWKURLSchemeHandler alloc] init];   
    [configuration setURLSchemeHandler:handler forURLScheme:@"uc"];

2、enable "Malloc Scribble"  debug Environment

3、set breakpoint at WebURLSchemeHandlerProxy::loadSynchronously  at the line  “ data.resize(dataReference.size());”

4、launch the  iOS Simultaor 

5、Send a  *Sync* XMLHttpRequest with the custom scheme

Result:
check the value of “dataReference”

You can see my Screen Shot.


This is the same result at MacOS Version

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20190620/1c0ac030/attachment.html>

More information about the webkit-unassigned mailing list