[Webkit-unassigned] [Bug 274964] [WPE][GTK] g_variant_builder_add_value: assertion 'GVSB(builder)->offset < GVSB(builder)->max_items' failed when encoding session state

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri May 31 08:12:13 PDT 2024


https://bugs.webkit.org/show_bug.cgi?id=274964

--- Comment #4 from Michael Catanzaro <mcatanzaro at redhat.com> ---
So the crash occurs here when encoding the HTTPBody object, specifically the file data:

static inline void encodeHTTPBody(GVariantBuilder* sessionBuilder, const HTTPBody& httpBody)
{
    g_variant_builder_open(sessionBuilder, G_VARIANT_TYPE("(sa" HTTP_BODY_ELEMENT_TYPE_STRING_V1 ")"));
    g_variant_builder_add(sessionBuilder, "s", httpBody.contentType.utf8().data());
    g_variant_builder_open(sessionBuilder, G_VARIANT_TYPE("a" HTTP_BODY_ELEMENT_TYPE_STRING_V1));
    g_variant_builder_open(sessionBuilder, G_VARIANT_TYPE(HTTP_BODY_ELEMENT_TYPE_STRING_V1));
    for (const auto& element : httpBody.elements) {
        g_variant_builder_add(sessionBuilder, "u", toHTMLBodyElementType(element.data.index())); // <-- crash is here

Here we are just encoding the integer index corresponding to the HTMLBodyElementType that we're about to encode. In this case, the index is 1, indicating HTMLBodyElementType::File. The variant element.data contains WebKit::HTTPBody::Element::FileData corresponding to the Bugzilla attachment; in this case, "/run/user/1000/doc/bf7e311e/Empty Document".

But that doesn't actually matter. The crash is occurring because the state of the GVariantBuilder is determined to be already messed up at the beginning of the call to g_variant_builder_add(). Playing with gdb, I found the offset is 7 and max_items is 7. We crash since 7 is not less than 7. Something went wrong in the previous call to either g_variant_builder_add() or g_variant_builder_open().
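The assertion in the bug title is GLib refusing to add a child to a container that already holds as many children as its type allows, which is why offset 7 versus max_items 7 means one item too many for that container, whatever it was. The model below is added here to show that bookkeeping; it is not GLib's or WebKit's code, it assumes GLib's per-type limits (tuple: one child per field; array: unbounded; maybe and variant: 1; dict entry: 2), and it uses hypothetical type strings such as "(uv)" where the real code has HTTP_BODY_ELEMENT_TYPE_STRING_V1.

```python
# Model of GVariantBuilder's item accounting, written for this post (not GLib code): every
# open container tracks offset (children added so far) against its type's max_items.
BASIC = set("bynqiuxthdsog")

def type_end(s, i=0):
    """Index just past the one complete GVariant type string that starts at s[i]."""
    c = s[i]
    if c in "am":                                # 'a'/'m' wrap exactly one element type
        return type_end(s, i + 1)
    if c in "({":
        close, i = (")" if c == "(" else "}"), i + 1
        while s[i] != close:
            i = type_end(s, i)
        return i + 1
    if c in BASIC or c == "v":
        return i + 1
    raise ValueError(f"bad type character {c!r} in {s!r}")

def max_items(type_str):
    """Child limit GLib assigns a freshly opened container of this type (None = unbounded)."""
    c = type_str[0]
    if c == "a": return None                     # arrays: G_MAXSIZE
    if c in "mv": return 1                       # maybe / variant: one child
    if c == "{": return 2                        # dict entry: key and value
    if c != "(": raise ValueError(f"{type_str!r} is not a container type")
    n, i = 0, 1                                  # tuple: exactly one child per field
    while type_str[i] != ")":
        i, n = type_end(type_str, i), n + 1
    return n

class Builder:
    def __init__(self, type_str):
        self.frames = []                         # stack of [type, offset, max_items]
        self.open(type_str)
    def _room(self, call):
        t, off, mx = self.frames[-1]
        if mx is not None and not off < mx:      # the g_return_if_fail from the bug title
            raise AssertionError(f"{call}: offset {off} is not < max_items {mx} in {t!r}")
    def open(self, type_str):                    # g_variant_builder_open checks the parent first
        if self.frames: self._room("g_variant_builder_open")
        self.frames.append([type_str, 0, max_items(type_str)])
    def add(self, basic_type):                   # g_variant_builder_add of one basic value
        self._room("g_variant_builder_add")
        self.frames[-1][1] += 1
    def close(self):                             # the closed child counts once in its parent
        self.frames.pop()
        if self.frames: self.frames[-1][1] += 1
```

Replaying a call sequence against this model shows which container is full when the assertion fires: a tuple "(su)" accepts two adds and rejects the third, while an array frame accepts any number of opened-and-closed children.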
