<html>
    <head>
      <base href="https://bugs.webkit.org/" />
    </head>
    <body>
      <p>
        <div>
            <b><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - Network process crashes decoding invalid cache entry on 32bit system"
   href="https://bugs.webkit.org/show_bug.cgi?id=145842#c4">Comment # 4</a>
              on <a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - Network process crashes decoding invalid cache entry on 32bit system"
   href="https://bugs.webkit.org/show_bug.cgi?id=145842">bug 145842</a>
              from <span class="vcard"><a class="email" href="mailto:sabouhallawa&#64;apple.com" title="Said Abou-Hallawa &lt;sabouhallawa&#64;apple.com&gt;"> <span class="fn">Said Abou-Hallawa</span></a>
</span></b>
        <pre>Comment on <span class=""><a href="attachment.cgi?id=254670&amp;action=diff" name="attach_254670" title="patch">attachment 254670</a> <a href="attachment.cgi?id=254670&amp;action=edit" title="patch">[details]</a></span>
patch

View in context: <a href="https://bugs.webkit.org/attachment.cgi?id=254670&amp;action=review">https://bugs.webkit.org/attachment.cgi?id=254670&amp;action=review</a>

<span class="quote">&gt; Source/WebKit2/NetworkProcess/cache/NetworkCacheDecoder.cpp:52
&gt; +    return currentOffset() + size &lt;= m_bufferSize;</span >

Does not the following code fix the overflow issue regardless whether it runs on 32 or 64bit?

    return size &lt;= m_bufferEnd - m_bufferPosition;

Otherwise I would suggest changing the last statement to be:

   return size &lt;= m_bufferSize - currentOffset();

Subtraction is always safer when dealing with large numbers but they have to have the same sign.</pre>
        </div>
      </p>
      <hr>
      <span>You are receiving this mail because:</span>
      
      <ul>
          <li>You are the assignee for the bug.</li>
      </ul>
    </body>
</html>