Commit 18ade61c authored by jcivelli@chromium.org

Calling WebCore::SharedBuffer::append(data, 0) on a shared buffer when
its current position is at a segment boundary (4096) ends up adding an
uninitialized segment (with uninitialized memory) to the SharedBuffer.
https://bugs.webkit.org/show_bug.cgi?id=99000

Reviewed by Adam Barth.

Source/WebCore:

* platform/SharedBuffer.cpp:
(WebCore::SharedBuffer::append):

LayoutTests:

* mhtml/shared_buffer_bug-expected.txt: Added.
* mhtml/shared_buffer_bug.mht: Added.


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@131315 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent ae434975
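
The failure mode described in the commit message, as an added example that is not part of this commit or of WebKit's code: a simplified C++ model in which a zero-length append at a 4096-byte boundary leaves behind a segment that no byte was ever written to. The class `SegmentedBuffer`, its `guardZeroLength` switch and `boundaryAppendKeepsInvariant` are hypothetical names, and the allocation logic is an assumption about how a segmented buffer of this kind behaves.

```cpp
#include <algorithm>
#include <cstring>
#include <memory>
#include <vector>

// Toy segmented buffer: a hypothetical model, not WebKit's SharedBuffer.
// Invariant: number of segments == ceil(m_size / kSegmentSize).
class SegmentedBuffer {
public:
    static constexpr std::size_t kSegmentSize = 4096;
    explicit SegmentedBuffer(bool guardZeroLength) : m_guard(guardZeroLength) {}
    void append(const char* data, std::size_t length) {
        if (m_guard && !length)
            return; // hardened: nothing to store, so allocate nothing
        std::size_t pos = m_size % kSegmentSize;
        m_size += length;
        if (!pos) // at a boundary a segment is added before any byte is known to follow
            addSegment();
        while (length) {
            std::size_t n = std::min(length, kSegmentSize - pos);
            std::memcpy(m_segments.back().get() + pos, data, n);
            data += n;
            length -= n;
            pos = (pos + n) % kSegmentSize;
            if (!pos && length)
                addSegment();
        }
    }
    bool invariantHolds() const {
        return m_segments.size() == (m_size + kSegmentSize - 1) / kSegmentSize;
    }
private:
    void addSegment() { // new char[] leaves the storage uninitialized
        m_segments.push_back(std::unique_ptr<char[]>(new char[kSegmentSize]));
    }
    bool m_guard;
    std::size_t m_size = 0;
    std::vector<std::unique_ptr<char[]>> m_segments;
};

// Fill exactly two segments (constructed input), append zero bytes, check the invariant.
bool boundaryAppendKeepsInvariant(bool guardZeroLength) {
    SegmentedBuffer buf(guardZeroLength);
    std::vector<char> payload(2 * SegmentedBuffer::kSegmentSize, 'x');
    buf.append(payload.data(), payload.size());
    buf.append(payload.data(), 0);
    return buf.invariantHolds();
}

int main() { return boundaryAppendKeepsInvariant(true) && !boundaryAppendKeepsInvariant(false) ? 0 : 1; }
```

Any reader that walks segments by count rather than by recorded size would treat the extra segment's uninitialized bytes as content, which is why the invariant is worth asserting in debug builds.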
2012-10-15 Jay Civelli <jcivelli@chromium.org>
Calling WebCore::SharedBuffer::append(data, 0) on a shared buffer when
its current position is at a segment boundary (4096) ends up adding an
unitialized segment (with uninitialized memory) to the SharedBuffer.
https://bugs.webkit.org/show_bug.cgi?id=99000
Reviewed by Adam Barth.
* mhtml/shared_buffer_bug-expected.txt: Added.
* mhtml/shared_buffer_bug.mht: Added.
2012-10-15 Luke Macpherson <macpherson@chromium.org>
Make CSS variable names case-insensitive.
......
This is a test for a bug in SharedBuffer.
From: <Saved by WebKit>
Subject:
Date: Sat, 12 Oct 2012 10:15:17 -0700
MIME-Version: 1.0
Content-Type: multipart/related;
type="text/html";
boundary="----=_NextPart_000_7387_D22A981E.ADD1887E"
------=_NextPart_000_7387_D22A981E.ADD1887E
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable
Content-Location: http://localhost/sharred_buffer_bug.html
<html><head><meta charset=3D"ISO-8859-1">
<link rel=3D"stylesheet" type=3D"text/css" href=3D"http://localhost/resourc=
es/style.css">
<script>
if (window.testRunner) {
testRunner.dumpAsText();
}
</script>
</head>
<body>
This is a test for a bug in SharedBuffer.
<h1>This text should not be shown</h1>
</body></html>
------=_NextPart_000_7387_D22A981E.ADD1887E
Content-Type: text/css
Content-Transfer-Encoding: quoted-printable
Content-Location: http://localhost/resources/style.css
/*
The point is to reach a size of n * 4096 bytes (with n > 1)
followed by a blank line to trigger a bug in SharredBuffer.
Let's go:
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
012345678901234567890123456789012345678901234567890123456789
*/
h1 { visibility: hidden; }
------=_NextPart_000_7387_D22A981E.ADD1887E--
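Review bot: the stylesheet part only exercises the bug if it comes to exactly n * 4096 bytes, yet the CSS comment ("The point is to reach a size of n * 4096 bytes (with n > 1)") does not state the intended total or which bytes count toward it, so any later edit to the padding or a line-ending conversion would leave the test passing without reaching the boundary. Suggest recording the exact expected byte count in that comment. Minor: "sharred_buffer_bug.html" in the first part's Content-Location and "SharredBuffer" in the comment are misspelled relative to the file name shared_buffer_bug.mht and the class name.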
2012-10-15 Jay Civelli <jcivelli@chromium.org>
Calling WebCore::SharedBuffer::append(data, 0) on a shared buffer when
its current position is at a segment boundary (4096) ends up adding an
unitialized segment (with uninitialized memory) to the SharedBuffer.
https://bugs.webkit.org/show_bug.cgi?id=99000
Reviewed by Adam Barth.
* platform/SharedBuffer.cpp:
(WebCore::SharedBuffer::append):
2012-10-15 Luke Macpherson <macpherson@chromium.org>
Make CSS variable names case-insensitive.
......
......@@ -148,6 +148,8 @@ void SharedBuffer::append(SharedBuffer* data)
void SharedBuffer::append(const char* data, unsigned length)
{
ASSERT(!m_purgeableBuffer);
if (!length)
return;
maybeTransferPlatformData();
......
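Review bot: the new early return in append(const char* data, unsigned length) sits before maybeTransferPlatformData(), so a zero-length append now skips that call as well as the segment logic; please confirm no caller relies on an empty append to trigger the platform-data transfer, or move the guard below that call. The guard "if (!length) return;" also carries no comment, and since it looks like a removable micro-optimisation, a one-line note that it prevents an empty segment being added at a segment boundary (bug 99000) would protect it from later cleanup.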