[Webkit-unassigned] [Bug 207424] Crash in WebCore::ParsedContentType::parseContentType when parsing invalid MIME type

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Feb 7 22:19:02 PST 2020


Rob Buis <rbuis at igalia.com> changed:

           What    |Removed                     |Added
                 CC|                            |rbuis at igalia.com

--- Comment #3 from Rob Buis <rbuis at igalia.com> ---
Comment on attachment 390160
  --> https://bugs.webkit.org/attachment.cgi?id=390160
Patch v1

View in context: https://bugs.webkit.org/attachment.cgi?id=390160&action=review

I think https://mimesniff.spec.whatwg.org/#parsing-a-mime-type specifies different behavior. Also I think implementing Darin's suggestion in this bug/patch is fine.

> Source/WebCore/platform/network/ParsedContentType.cpp:283
>              if (m_contentType[index++] == ';')

We probably want to implement https://mimesniff.spec.whatwg.org/#parsing-a-mime-type step 11.6 at this point. So at this point it should be safe to break in case of index >= contentTypeLength.

> Source/WebCore/platform/network/ParsedContentType.cpp:288
> +            return false;

See above, this is not what MIMESniff spec wants.

> Source/WebCore/platform/network/ParsedContentType.cpp:290
>          String parameterName = keyRange->toString();

This should take into account that keyRange can be null (for MIMESniff mode), since parameterName being empty is fine for that spec. I.e. I expect this to be valid text/plain;=wrong;text=value

You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20200208/7d06f8bb/attachment.htm>

More information about the webkit-unassigned mailing list