[Webkit-unassigned] [Bug 238797] [GTK][WPE] RemoteInspector add support for IPv6

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Apr 6 14:33:09 PDT 2022


https://bugs.webkit.org/show_bug.cgi?id=238797

--- Comment #10 from Michael Catanzaro <mcatanzaro at gnome.org> ---
Comment on attachment 456686
  --> https://bugs.webkit.org/attachment.cgi?id=456686
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=456686&action=review

>>> Source/WebKit/UIProcess/API/glib/WebKitInitialize.cpp:71
>>> +        }
>> 
>> Careful: if for some reason the colon is the first or second character in the string, then you'll have memory corruption here. Got to make sure it's safe before dereferencing *(portPtr - 2)
> 
> This case is actually covered already.
> 
> char* portPtr = g_strrstr(inspectorAddress.get(), ":");
> if portPtr is nullptr we return early, so we know there's ':'
> 
> *portPtr = '\0';
> portPtr++;
> we replace ':' with '\0' and move to the next character
> 
> auto port = g_ascii_strtoull(portPtr, nullptr, 10);
> if portPtr at this point points to '\0' strtoull fails, so we return early
> 
> so after this portPtr - 2 is always the position before the ':' that is now '\0'

Say the input string is ":1080". You replace the ':' with NUL '\0' and advance portPtr to point to the 1 in 1080. Next, you check *(portPtr - 2) == ']'. Here, portPtr - 1 is the '\0' and portPtr - 2 is a buffer underflow.

Am I doing something wrong? You're saying (portPtr - 2) is the '\0', but it looks like that's actually (portPtr - 1).

-- 
You are receiving this mail because:
You are the assignee for the bug.
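The parsing steps under discussion, as an added example that is not the patch's or WebKit's code: plain libc (strrchr, strtoull) stands in for g_strrstr and g_ascii_strtoull, and the names InspectorAddress, lookbehind_index and parse_inspector_address are assumptions for this illustration. lookbehind_index computes, as an integer, which index the patch's `*(portPtr - 2)` would read once portPtr sits one past the last ':'; for ":1080" that is -1, one byte before the buffer. parse_inspector_address keeps the same split-on-last-colon strategy but counts the bytes before the ':' before looking behind it, and also rejects the other malformed shapes ("]:1080", "[::1]", unbracketed "::1:1080") that a look-behind alone does not catch.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical result type for this example (not WebKit's). */
struct InspectorAddress {
    char host[256];          /* host or IPv6 literal, brackets stripped */
    unsigned short port;
};

/* Index that the patch's `*(portPtr - 2)` would read, given that portPtr ends
 * up one past the last ':'. Negative means a read before the start of the buffer.
 * Returns -2 when there is no ':' at all (the patch returns early there). */
static ptrdiff_t lookbehind_index(const char *input)
{
    const char *colon = strrchr(input, ':');
    if (!colon)
        return -2;
    return (colon - input) - 1;
}

/* Hardened parse of "host:port" or "[ipv6]:port". Same steps as the patch
 * (split on the last ':', parse the port, look for ']' before the ':'), but the
 * look-behind only happens after checking how many bytes precede the ':'. */
static bool parse_inspector_address(const char *input, struct InspectorAddress *out)
{
    const char *colon = strrchr(input, ':');
    if (!colon || colon[1] == '\0')
        return false;                                  /* no ':' or empty port */

    char *end = NULL;
    unsigned long long port = strtoull(colon + 1, &end, 10);
    if (end == colon + 1 || *end != '\0' || port == 0 || port > 65535)
        return false;                                  /* digits only, 1..65535 */

    size_t hostLen = (size_t)(colon - input);          /* bytes before the ':' */
    const char *hostStart = input;

    if (hostLen == 0)
        return false;                                  /* ":1080": nothing to look behind */

    if (input[hostLen - 1] == ']') {                   /* candidate bracketed IPv6 literal */
        if (hostLen < 3 || input[0] != '[')
            return false;                              /* "]:1080" or "[]:1080" */
        hostStart = input + 1;
        hostLen -= 2;
    } else if (memchr(input, ':', hostLen) || memchr(input, '[', hostLen)
               || memchr(input, ']', hostLen)) {
        return false;                                  /* bare "::1:1080" is ambiguous */
    }

    if (hostLen >= sizeof(out->host))
        return false;
    memcpy(out->host, hostStart, hostLen);
    out->host[hostLen] = '\0';
    out->port = (unsigned short)port;
    return true;
}

int main(void)
{
    /* Constructed sample inputs, including the ":1080" case from the review. */
    const char *samples[] = { "127.0.0.1:1080", "[::1]:1080", ":1080", "]:1080", "[::1]" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct InspectorAddress addr;
        bool ok = parse_inspector_address(samples[i], &addr);
        printf("%-16s look-behind index %td -> ", samples[i], lookbehind_index(samples[i]));
        if (ok)
            printf("host=%s port=%u\n", addr.host, addr.port);
        else
            printf("rejected\n");
    }
    return 0;
}
```

Compile with `cc -std=c99 -Wall example.c`; the ":1080" line reports look-behind index -1 and is rejected, while "[::1]:1080" reports index 4 (the ']') and parses to host "::1", port 1080.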