[Webkit-unassigned] [Bug 211131] [WPE][GTK] Paths should be canonicalized before calling bwrap

[bugzilla-daemon at webkit.org]

https://bugs.webkit.org/show_bug.cgi?id=211131

Michael Catanzaro <mcatanzaro at gnome.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
 Attachment #453003|commit-queue?               |commit-queue-
              Flags|                            |

--- Comment #8 from Michael Catanzaro <mcatanzaro at gnome.org> ---
Comment on attachment 453003
  --> https://bugs.webkit.org/attachment.cgi?id=453003
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=453003&action=review

OK, almost there...

> Source/WebKit/ChangeLog:3
> +        Canonicalize source paths passed to bindIfExists in BubbleWrap launcher

This line should match the title of the bug:

[WPE][GTK] Paths should be canonicalized before calling bwrap

> Source/WebKit/ChangeLog:6
> +        Reviewed by Michael Catanzaro and Adrian Perez.

Please don't fill this out yourself unless you've actually received r+. Just leave it saying NOBODY (OOPS!). Confusing, I know....

> Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp:172
> +        const char* rpath = realPath.utf8().data();
> +        args.appendVector(Vector<CString>({ bindOption, rpath, rpath }));

This is a use-after-free again. The temporary utf8() is out of scope, so rpath is dangling here. You must own the memory somehow. Probably the easiest way is to change rpath to be a CString:

CString rpath = realPath.utf8();
args.appendVector(Vector<CString>({ bindOption, rpath.data(), rpath.data() }));

I think that would work.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20220223/224a0171/attachment.htm>