[Webkit-unassigned] [Bug 230206] New: WebKit2 crashes when initializing due to not-threadsafe call to _NSGetEnviron()
bugzilla-daemon at webkit.org
Sun Sep 12 20:45:03 PDT 2021
https://bugs.webkit.org/show_bug.cgi?id=230206
Bug ID: 230206
Summary: WebKit2 crashes when initializing due to not-threadsafe call to _NSGetEnviron()
Product: WebKit
Version: Safari Technology Preview
Hardware: iPhone / iPad
OS: iOS 14
Status: NEW
Severity: Major
Priority: P2
Component: WebKit2
Assignee: webkit-unassigned at lists.webkit.org
Reporter: jinhao.zhang at icloud.com
CC: kkinnunen at apple.com
When WebKit2 initializes, it calls _NSGetEnviron() to get all env variables.
The code is as below (in file Options.cpp, method void Options::initialize()):
#if PLATFORM(COCOA)
    bool hasBadOptions = false;
    for (char** envp = *_NSGetEnviron(); *envp; envp++) {
        const char* env = *envp;
        if (!strncmp("JSC_", env, 4)) {
            if (!Options::setOption(&env[4])) {
                dataLog("ERROR: invalid option: ", *envp, "\n");
                hasBadOptions = true;
            }
        }
    }
However, _NSGetEnviron() is not thread-safe. If there is another thread calling putenv(),
there is a small chance that WebKit crashes due to an invalid pointer being passed to strncmp().
This is because putenv() uses realloc() when necessary, which invalidates the old pointer values.
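An added example, not code from the report or from WebKit, showing the mechanism the report describes and one way to avoid it. It walks the live environment array the way the quoted loop does, grows the environment with setenv() (standing in for the putenv() on the other thread) and checks whether the C library replaced the array; beside that it takes a private deep copy of the environment and parses only the copy. It uses POSIX environ, and _NSGetEnviron() on Apple platforms where environ is not exported to dynamic libraries. All function names, the JSC_ variable names and the sample array are constructed for illustration, and the copy-once-while-single-threaded pattern is this example's own suggestion, not the fix WebKit adopted.

```c
/* Added example (not WebKit code): racing over the live environ array vs. parsing a
 * private snapshot. Names and sample data are constructed for illustration. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* setenv(), strdup() */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef __APPLE__
#include <crt_externs.h>          /* _NSGetEnviron(): environ is not exported to dylibs on Apple platforms */
#define LIVE_ENVIRON() (*_NSGetEnviron())
#else
extern char **environ;
#define LIVE_ENVIRON() (environ)
#endif

#define JSC_PREFIX "JSC_"
#define JSC_PREFIX_LEN (sizeof(JSC_PREFIX) - 1)

/* Number of entries in a NULL-terminated envp-style array. */
static size_t env_count(char *const *envp) {
    size_t n = 0;
    while (envp[n]) n++;
    return n;
}

/* The report's loop, factored over an array the caller passes in: stores pointers to
 * the "name=value" part of every "JSC_name=value" entry (up to max_out of them) and
 * returns how many were found in total. It only reads envp, so it is safe on a copy. */
static size_t collect_jsc_options(char *const *envp, const char *out[], size_t max_out) {
    size_t found = 0;
    for (; *envp; envp++) {
        if (strncmp(JSC_PREFIX, *envp, JSC_PREFIX_LEN) != 0)
            continue;
        if (found < max_out)
            out[found] = *envp + JSC_PREFIX_LEN;
        found++;
    }
    return found;
}

/* Releases an array produced by snapshot_environ(). */
static void free_snapshot(char **snap) {
    if (!snap) return;
    for (char **p = snap; *p; p++) free(*p);
    free(snap);
}

/* Deep-copies the environment into memory the caller owns. The walk over the live
 * array inside this function is the same read that races with putenv()/setenv(), so
 * call it while the process is still single-threaded (first thing in main or from a
 * constructor); afterwards every reader parses the copy, never the live array. */
static char **snapshot_environ(void) {
    char **live = LIVE_ENVIRON();
    size_t n = env_count(live);
    char **snap = calloc(n + 1, sizeof *snap);   /* calloc: trailing NULL terminator */
    if (!snap) return NULL;
    for (size_t i = 0; i < n; i++) {
        snap[i] = strdup(live[i]);
        if (!snap[i]) { free_snapshot(snap); return NULL; }
    }
    return snap;
}

/* The mechanism behind the crash: remember the array pointer the way the report's loop
 * does, add `count` fresh variables (the other thread's putenv() in the real bug) and
 * check whether the C library replaced the array. Returns 1 if the remembered pointer
 * no longer equals the live one, i.e. a loop still iterating it would be reading
 * memory the library has released or reused. */
static int live_array_moved_after_growth(int count) {
    char **remembered = LIVE_ENVIRON();
    char name[64];
    for (int i = 0; i < count; i++) {
        snprintf(name, sizeof name, "JSC_exampleGrowth%d", i);   /* constructed names */
        setenv(name, "1", 1);
    }
    return remembered != LIVE_ENVIRON();
}

int main(void) {
    char **snap = snapshot_environ();          /* taken before anything else runs */
    if (!snap) return 1;

    setenv("JSC_addedLater", "1", 1);          /* stands in for the racing putenv() */

    const char *opts[32];
    size_t from_snapshot = collect_jsc_options(snap, opts, 32);
    size_t from_live = collect_jsc_options(LIVE_ENVIRON(), opts, 32);
    printf("JSC_ options: %zu in snapshot, %zu in live environment\n", from_snapshot, from_live);
    printf("environ array replaced after growth: %s\n",
           live_array_moved_after_growth(8) ? "yes" : "no");

    free_snapshot(snap);
    return 0;
}
```

Whether live_array_moved_after_growth() reports a replaced array depends on the C library's allocation strategy (glibc, for instance, replaces the initial array on the first added variable and may realloc() it on later ones), so it illustrates the invalidation the report describes rather than reproducing the crash on demand. The snapshot, by contrast, is immune to later putenv()/setenv() calls by construction, which is what the two collect_jsc_options() counts in main show.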