[Webkit-unassigned] [Bug 207424] New: Crash in WebCore::ParsedContentType::parseContentType when parsing invalid MIME type

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Feb 7 18:43:17 PST 2020 

https://bugs.webkit.org/show_bug.cgi?id=207424

            Bug ID: 207424
           Summary: Crash in WebCore::ParsedContentType::parseContentType
                    when parsing invalid MIME type
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Keywords: InRadar
          Severity: Normal
          Priority: P2
         Component: Page Loading
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: ddkilzer at webkit.org
                CC: beidson at apple.com, darin at apple.com, rwlbuis at gmail.com
        Depends on: 180526

Crash in WebCore::ParsedContentType::parseContentType when parsing invalid MIME type.

This will trigger the crash:

    EXPECT_FALSE(isValidContentType("text/plain;text=value;=", Mode::MimeSniff));

When added to TestWebKitAPI.ParsedContentType.MimeSniff:

$ ./Tools/Scripts/run-api-tests --debug --no-build --no-timeout --verbose TestWebKitAPI.ParsedContentType.MimeSniff


The crash looks like this:

        ASSERTION FAILED: initialized()
        /var/build/Debug/usr/local/include/wtf/Optional.h(519) : T *WTF::Optional<WTF::StringView>::operator->() [T = WTF::StringView]
        1   0x10d790f59 WTFCrash
        2   0x12415d949 WTF::Optional<WTF::StringView>::operator->()
        3   0x12415d071 WebCore::ParsedContentType::parseContentType(WebCore::Mode)
        4   0x12415e055 WebCore::ParsedContentType::create(WTF::String const&, WebCore::Mode)
        5   0x12415e17f WebCore::isValidContentType(WTF::String const&, WebCore::Mode)
        6   0x10b950f60 TestWebKitAPI::ParsedContentType_MimeSniff_Test::TestBody()
        7   0x10bd669ce void testing::internal::HandleSehExceptionsInMethodIfSupported<testing::Test, void>(testing::Test*, void (testing::Test::*)(), char const*)
        8   0x10bd363ab void testing::internal::HandleExceptionsInMethodIfSupported<testing::Test, void>(testing::Test*, void (testing::Test::*)(), char const*)
        9   0x10bd362d6 testing::Test::Run()
        10  0x10bd374e5 testing::TestInfo::Run()
        11  0x10bd383cf testing::TestCase::Run()
        12  0x10bd44004 testing::internal::UnitTestImpl::RunAllTests()
        13  0x10bd6ab4e bool testing::internal::HandleSehExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool>(testing::internal::UnitTestImpl*, bool (testing::internal::UnitTestImpl::*)(), char const*)
        14  0x10bd43adb bool testing::internal::HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool>(testing::internal::UnitTestImpl*, bool (testing::internal::UnitTestImpl::*)(), char const*)
        15  0x10bd439b0 testing::UnitTest::Run()
        16  0x10bb94781 RUN_ALL_TESTS()
        17  0x10bb94711 TestWebKitAPI::TestsController::run(int, char**)
        18  0x10bd02e3e main
        19  0x7fff6b5803d5 start
        20  0x2

We've also seen this crash in the field:

Exception Type:  EXC_BREAKPOINT (SIGTRAP)
Exception Codes: 0x0000000000000001, 0x00000001c5eda1c4
Termination Signal: Trace/BPT trap: 5
Termination Reason: Namespace SIGNAL, Code 0x5
Terminating Process: exc handler [1056]
Triggered by Thread:  0

Thread 0 name:  Dispatch queue: com.apple.main-thread
Thread 0 Crashed:
0   WebCore                             0x00000001c5eda1c4 WebCore::ParsedContentType::parseContentType(WebCore::Mode) + 4224 (ParsedContentType.cpp:0)
1   WebCore                             0x00000001c5ed95bc WebCore::ParsedContentType::parseContentType(WebCore::Mode) + 1144 (StringImpl.h:1101)
2   WebCore                             0x00000001c5ed5134 WebCore::ParsedContentType::create(WTF::String const&, WebCore::Mode) + 160 (ParsedContentType.cpp:329)
3   WebCore                             0x00000001c6408cc8 WebCore::XMLHttpRequest::responseMIMEType() const + 272 (XMLHttpRequest.cpp:873)
4   WebCore                             0x00000001c640d1ac WebCore::XMLHttpRequest::createDecoder() const + 168 (XMLHttpRequest.cpp:882)
5   WebCore                             0x00000001c640d5ec WebCore::XMLHttpRequest::didReceiveData(char const*, int) + 312 (XMLHttpRequest.cpp:1059)
6   WebCore                             0x00000001c5c21f98 WebCore::CachedRawResource::notifyClientsDataWasReceived(char const*, unsigned int) + 364 (CachedRawResource.cpp:136)
7   WebCore                             0x00000001c5c21ca0 WebCore::CachedRawResource::updateBuffer(WebCore::SharedBuffer&) + 456 (CachedRawResource.cpp:73)
8   WebCore                             0x00000001c5bf69b8 WebCore::SubresourceLoader::didReceiveDataOrBuffer(char const*, int, WTF::RefPtr<WebCore::SharedBuffer, WTF::DumbPtrTraits<WebCore::SharedBuffer> >&&, long long, WebCore::DataPayloadType) + 436 (SubresourceLoader.cpp:519)
9   WebCore                             0x00000001c5bf67ec WebCore::SubresourceLoader::didReceiveData(char const*, unsigned int, long long, WebCore::DataPayloadType) + 104 (SubresourceLoader.cpp:487)
10  WebKit                              0x00000001c45d51c0 WebKit::WebResourceLoader::didReceiveData(IPC::DataReference const&, long long) + 280 (WebResourceLoader.cpp:212)
11  WebKit                              0x00000001c472c28c void IPC::handleMessage<Messages::WebResourceLoader::DidReceiveData, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(IPC::DataReference const&, long long)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(IPC::DataReference const&, long long)) + 116 (HandleMessage.h:41)
12  WebKit                              0x00000001c472be44 WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) + 268 (WebResourceLoaderMessageReceiver.cpp:62)
13  WebKit                              0x00000001c45ceaec WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) + 624 (NetworkProcessConnection.cpp:86)
14  WebKit                              0x00000001c41c10b8 IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) + 208 (Connection.cpp:1070)
15  WebKit                              0x00000001c41c1388 IPC::Connection::dispatchOneIncomingMessage() + 196 (Connection.cpp:1139)
16  JavaScriptCore                      0x00000001cc3fbb28 WTF::RunLoop::performWork() + 580 (Function.h:84)
17  JavaScriptCore                      0x00000001cc3fbcd0 WTF::RunLoop::performWork(void*) + 40 (RunLoopCF.cpp:38)
18  CoreFoundation                      0x00000001bca1eca0 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 28
19  CoreFoundation                      0x00000001bca1ebf4 __CFRunLoopDoSource0 + 84
20  CoreFoundation                      0x00000001bca1e344 __CFRunLoopDoSources0 + 196
21  CoreFoundation                      0x00000001bca190e4 __CFRunLoopRun + 796
22  CoreFoundation                      0x00000001bca18aa0 CFRunLoopRunSpecific + 480
23  Foundation                          0x00000001bcd5eb58 -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 232
24  Foundation                          0x00000001bcd99a1c -[NSRunLoop(NSRunLoop) run] + 92
25  libxpc.dylib                        0x00000001bc6a2700 _xpc_objc_main + 308
26  libxpc.dylib                        0x00000001bc6a51a4 xpc_main + 152
27  WebKit                              0x00000001c4328b3c WebKit::XPCServiceMain(int, char const**) + 384 (XPCServiceMain.mm:160)
28  libdyld.dylib                       0x00000001bc8941ec start + 4


Referenced Bugs:

https://bugs.webkit.org/show_bug.cgi?id=180526
[Bug 180526] Update MIME type parser
-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20200208/2b8dd334/attachment.htm>

More information about the webkit-unassigned mailing list