Calling WebCore::SharedBuffer::append(data, 0) on a shared buffer when

its current position is at a segment boundary (4096) ends up adding an unitialized segment (with uninitialized memory) to the SharedBuffer. https://bugs.webkit.org/show_bug.cgi?id=99000 Reviewed by Adam Barth. Source/WebCore: * platform/SharedBuffer.cpp: (WebCore::SharedBuffer::append): LayoutTests: * mhtml/shared_buffer_bug-expected.txt: Added. * mhtml/shared_buffer_bug.mht: Added. git-svn-id: http://svn.webkit.org/repository/webkit/trunk@131315 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Calling WebCore::SharedBuffer::append(data, 0) on a shared buffer when
its current position is at a segment boundary (4096) ends up adding an unitialized segment (with uninitialized memory) to the SharedBuffer. https://bugs.webkit.org/show_bug.cgi?id=99000 Reviewed by Adam Barth. Source/WebCore: * platform/SharedBuffer.cpp: (WebCore::SharedBuffer::append): LayoutTests: * mhtml/shared_buffer_bug-expected.txt: Added. * mhtml/shared_buffer_bug.mht: Added. git-svn-id: http://svn.webkit.org/repository/webkit/trunk@131315 268f45cc-cd09-0410-ab3c-d52691b4dbfc
18ade61c · jcivelli@chromium.org · ae434975 · 18ade61c · 18ade61c · 18ade61c
Commit 18ade61c authored Oct 15, 2012 by jcivelli@chromium.org
5 changed files
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
+2012-10-15  Jay Civelli  <jcivelli@chromium.org>
+        Calling WebCore::SharedBuffer::append(data, 0) on a shared buffer when
+        its current position is at a segment boundary (4096) ends up adding an
+        unitialized segment (with uninitialized memory) to the SharedBuffer.
+        https://bugs.webkit.org/show_bug.cgi?id=99000
+        Reviewed by Adam Barth.
+        * mhtml/shared_buffer_bug-expected.txt: Added.
+        * mhtml/shared_buffer_bug.mht: Added.
 2012-10-15  Luke Macpherson   <macpherson@chromium.org>
        Make CSS variable names case-insensitive.

--- a/LayoutTests/mhtml/shared_buffer_bug-expected.txt
+++ b/LayoutTests/mhtml/shared_buffer_bug-expected.txt
+This is a test for a bug in SharedBuffer.
--- a/LayoutTests/mhtml/shared_buffer_bug.mht
+++ b/LayoutTests/mhtml/shared_buffer_bug.mht
+From: <Saved by WebKit>
+Subject:
+Date: Sat, 12 Oct 2012 10:15:17 -0700
+MIME-Version: 1.0
+Content-Type: multipart/related;
+	type="text/html";
+	boundary="----=_NextPart_000_7387_D22A981E.ADD1887E"
+------=_NextPart_000_7387_D22A981E.ADD1887E
+Content-Type: text/html
+Content-Transfer-Encoding: quoted-printable
+Content-Location: http://localhost/sharred_buffer_bug.html
+<html><head><meta charset=3D"ISO-8859-1">
+<link rel=3D"stylesheet" type=3D"text/css" href=3D"http://localhost/resourc=
+es/style.css">
+<script>
+if (window.testRunner) {
+  testRunner.dumpAsText();
+}
+</script>
+</head>
+<body>
+  This is a test for a bug in SharedBuffer.
+  <h1>This text should not be shown</h1>
+</body></html>
+------=_NextPart_000_7387_D22A981E.ADD1887E
+Content-Type: text/css
+Content-Transfer-Encoding: quoted-printable
+Content-Location: http://localhost/resources/style.css
+/*
+The point is to reach a size of n * 4096 bytes (with n > 1)
+followed by a blank line to trigger a bug in SharredBuffer.
+Let's go:
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+012345678901234567890123456789012345678901234567890123456789
+*/
+h1 { visibility: hidden; }
+------=_NextPart_000_7387_D22A981E.ADD1887E--
--- a/Source/WebCore/ChangeLog
+++ b/Source/WebCore/ChangeLog
+2012-10-15  Jay Civelli  <jcivelli@chromium.org>
+        Calling WebCore::SharedBuffer::append(data, 0) on a shared buffer when
+        its current position is at a segment boundary (4096) ends up adding an
+        unitialized segment (with uninitialized memory) to the SharedBuffer.
+        https://bugs.webkit.org/show_bug.cgi?id=99000
+        Reviewed by Adam Barth.
+        * platform/SharedBuffer.cpp:
+        (WebCore::SharedBuffer::append):
 2012-10-15  Luke Macpherson   <macpherson@chromium.org>
        Make CSS variable names case-insensitive.

--- a/Source/WebCore/platform/SharedBuffer.cpp
+++ b/Source/WebCore/platform/SharedBuffer.cpp
@@ -148,6 +148,8 @@ void SharedBuffer::append(SharedBuffer* data)
 void SharedBuffer::append(const char* data, unsigned length)
 {
    ASSERT(!m_purgeableBuffer);
+    if (!length)
+        return;
    maybeTransferPlatformData();