<html>
<head>
<base href="https://bugs.webkit.org/" />
</head>
<body>
<p>
<div>
<b><a class="bz_bug_link
bz_status_NEW "
title="NEW - Network process crashes decoding invalid cache entry on 32bit system"
href="https://bugs.webkit.org/show_bug.cgi?id=145842#c4">Comment # 4</a>
on <a class="bz_bug_link
bz_status_NEW "
title="NEW - Network process crashes decoding invalid cache entry on 32bit system"
href="https://bugs.webkit.org/show_bug.cgi?id=145842">bug 145842</a>
from <span class="vcard"><a class="email" href="mailto:sabouhallawa@apple.com" title="Said Abou-Hallawa <sabouhallawa@apple.com>"> <span class="fn">Said Abou-Hallawa</span></a>
</span></b>
<pre>Comment on <span class=""><a href="attachment.cgi?id=254670&action=diff" name="attach_254670" title="patch">attachment 254670</a> <a href="attachment.cgi?id=254670&action=edit" title="patch">[details]</a></span>
patch
View in context: <a href="https://bugs.webkit.org/attachment.cgi?id=254670&action=review">https://bugs.webkit.org/attachment.cgi?id=254670&action=review</a>
<span class="quote">> Source/WebKit2/NetworkProcess/cache/NetworkCacheDecoder.cpp:52
> + return currentOffset() + size <= m_bufferSize;</span >
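Review bot: `currentOffset() + size` can wrap around when `size` is close to the maximum of its type, so on a 32-bit build an out-of-range size read from a corrupt cache entry makes the check pass. Prefer `return size <= m_bufferSize - currentOffset();`, which cannot overflow as long as the decoder keeps `currentOffset() <= m_bufferSize`; that precondition is worth asserting at this point so the subtraction form does not silently underflow either.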
Does not the following code fix the overflow issue regardless of whether it runs on 32 or 64bit?
return size <= m_bufferEnd - m_bufferPosition;
Otherwise I would suggest changing the last statement to be:
return size <= m_bufferSize - currentOffset();
Subtraction is always safer when dealing with large numbers but they have to have the same sign.</pre>
</div>
</p>
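Added example (not WebKit's code): the quoted check and the subtraction form side by side, using an explicit 32-bit unsigned size type so the wrap-around reproduces on any host. `offset` and `bufferSize` stand in for `currentOffset()` and `m_bufferSize`, and the probe values are constructed.

```cpp
#include <cstdint>

// Constructed example, not WebKit's code. Models the NetworkCacheDecoder
// bounds check with a fixed 32-bit size type so the wrap-around that only
// shows up on 32-bit builds is visible everywhere.
using Size32 = std::uint32_t;

// The check as quoted from the patch: offset + size wraps past zero when the
// declared size is near UINT32_MAX, so a too-large size passes the check.
bool unsafeBufferIsLargeEnough(Size32 offset, Size32 bufferSize, Size32 size)
{
    return offset + size <= bufferSize;
}

// The subtraction form suggested in the comment. It cannot overflow, but it
// requires offset <= bufferSize; the explicit guard makes that requirement
// part of the check instead of an unstated invariant.
bool safeBufferIsLargeEnough(Size32 offset, Size32 bufferSize, Size32 size)
{
    if (offset > bufferSize)
        return false;
    return size <= bufferSize - offset;
}

struct Probe {
    Size32 offset, bufferSize, size;
    bool unsafeResult, safeResult;
};

// Evaluates both checks on a constructed cache entry whose declared size is
// chosen so that offset + size wraps to 49 in 32-bit arithmetic.
Probe wrapAroundProbe()
{
    Probe p { 100, 4096, UINT32_MAX - 50, false, false };
    p.unsafeResult = unsafeBufferIsLargeEnough(p.offset, p.bufferSize, p.size);
    p.safeResult = safeBufferIsLargeEnough(p.offset, p.bufferSize, p.size);
    return p; // unsafeResult is true, safeResult is false
}
```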
</body>
</html>