[SCM] WebKit Debian packaging branch, webkit-1.2, updated. upstream/1.1.90-6072-g9a69373

ukai at chromium.org
Thu Apr 8 00:26:03 UTC 2010


The following commit has been merged in the webkit-1.2 branch:
commit efa4fe2a1837728774c6961f89449ec0d4dcb710
Author: ukai at chromium.org <ukai at chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Tue Dec 8 04:03:42 2009 +0000

    2009-12-07  Fumitoshi Ukai  <ukai at chromium.org>
    
            Reviewed by Darin Adler.
    
            Fix wrong length parsing in WebSocket.
            https://bugs.webkit.org/show_bug.cgi?id=32203
    
            These two tests assumed wrong length encoding in frame: it parsed
            length from bytes with 8th bit on.  But spec says length is encoded
            as a series of 7-bit bytes stored in octets with the 8th bit on
            *but the last byte*.
            These tests encode a frame that has 129 length, so it must be
            \x81\x01 instead of \x81\x81.
    
            * websocket/tests/frame-length-longer-than-buffer_wsh.py:
            * websocket/tests/frame-length-skip_wsh.py:
    2009-12-07  Fumitoshi Ukai  <ukai at chromium.org>
    
            Reviewed by Darin Adler.
    
            Fix wrong length parsing in WebSocket.
            https://bugs.webkit.org/show_bug.cgi?id=32203
    
            * websockets/WebSocketChannel.cpp:
            (WebCore::WebSocketChannel::didReceiveData):
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@51829 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index bcc9d34..9963f2a 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,20 @@
+2009-12-07  Fumitoshi Ukai  <ukai at chromium.org>
+
+        Reviewed by Darin Adler.
+
+        Fix wrong length parsing in WebSocket.
+        https://bugs.webkit.org/show_bug.cgi?id=32203
+
+        These two tests assumed wrong length encoding in frame: it parsed
+        length from bytes with 8th bit on.  But spec says length is encoded
+        as a series of 7-bit bytes stored in octests with the 8th bit on
+        *but the last byte*.
+        These tests encodes a frame that has 129 length, so it must be
+        \x81\0x01 instead of \x81\0x81.
+
+        * websocket/tests/frame-length-longer-than-buffer_wsh.py:
+        * websocket/tests/frame-length-skip_wsh.py:
+
 2009-12-07  Nikolas Zimmermann  <nzimmermann at rim.com>
 
         Rubber-stamped by Maciej Stachowiak.
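Review bot: the new ChangeLog entry carries typos that will stay in the log: "octests" should be "octets", "These tests encodes" should be "These tests encode", and the byte strings on the last line read "\x81\0x01 instead of \x81\0x81" where the test files actually use "\x81\x01" and "\x81\x81" (the "\0x" form mixes the octal and hex escapes).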
diff --git a/LayoutTests/websocket/tests/frame-length-longer-than-buffer_wsh.py b/LayoutTests/websocket/tests/frame-length-longer-than-buffer_wsh.py
index 8ad868b..0f91c96 100644
--- a/LayoutTests/websocket/tests/frame-length-longer-than-buffer_wsh.py
+++ b/LayoutTests/websocket/tests/frame-length-longer-than-buffer_wsh.py
@@ -3,7 +3,7 @@ def web_socket_do_extra_handshake(request):
 
 def web_socket_transfer_data(request):
   msg = "\0hello\xff"
-  msg += "\x80\x81\x81"
+  msg += "\x80\x81\x01"  # skip 1*128+1 bytes.
   msg += "\x01\xff"
   msg += "\0should be skipped\xff"
   request.connection.write(msg)
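Review bot: the added comment "# skip 1*128+1 bytes." states the arithmetic but not what the test depends on: the 129-byte length must exceed the 21 bytes that follow it ("\x01\xff" plus the 19-byte "\0should be skipped\xff" frame), which is what keeps that frame from being delivered. Suggest "# length 1*128+1 = 129, deliberately longer than the remaining data" so a later edit to the trailing bytes does not silently defeat the test. Minor: the identical comment in frame-length-skip_wsh.py is separated by a different number of spaces.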
diff --git a/LayoutTests/websocket/tests/frame-length-skip_wsh.py b/LayoutTests/websocket/tests/frame-length-skip_wsh.py
index 5571691..d14f550 100644
--- a/LayoutTests/websocket/tests/frame-length-skip_wsh.py
+++ b/LayoutTests/websocket/tests/frame-length-skip_wsh.py
@@ -3,7 +3,7 @@ def web_socket_do_extra_handshake(request):
 
 def web_socket_transfer_data(request):
   msg = "\0hello\xff"
-  msg += "\x80\x81\x81"
+  msg += "\x80\x81\x01"   # skip 1*128+1 bytes.
   msg += "\x01"
   msg += "\0should be skipped" + (" " * 109) + "\xff"
   msg += "\0world\xff"
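Review bot: the comment "# skip 1*128+1 bytes." should also show how the 129 bytes are made up, because the literal 109 is derived from it: 1 ("\x01") + 18 ("\0should be skipped") + 109 (spaces) + 1 ("\xff") = 129, landing exactly on "\0world\xff"; an off-by-one in that count leaves the parser mid-frame and the test fails for the wrong reason. Something like "# 1 + 18 + 109 + 1 = 129 bytes are skipped, next frame is \0world" would document it. Minor: three spaces before the comment here versus two in frame-length-longer-than-buffer_wsh.py.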
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 607abc5..b235deb 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,13 @@
+2009-12-07  Fumitoshi Ukai  <ukai at chromium.org>
+
+        Reviewed by Darin Adler.
+
+        Fix wrong length parsing in WebSocket.
+        https://bugs.webkit.org/show_bug.cgi?id=32203
+
+        * websockets/WebSocketChannel.cpp:
+        (WebCore::WebSocketChannel::didReceiveData):
+
 2009-12-07  Nikolas Zimmermann  <nzimmermann at rim.com>
 
         Rubber-stamped by Maciej Stachowiak.
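Review bot: the WebCore entry names the function but says nothing about what was wrong; the explanation (the terminating byte with bit 7 clear was never folded into the length) lives only in the LayoutTests entry. A one-line summary here would spare readers of the WebCore log a trip to the bug.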
diff --git a/WebCore/websockets/WebSocketChannel.cpp b/WebCore/websockets/WebSocketChannel.cpp
index 2dde770..a222b4d 100644
--- a/WebCore/websockets/WebSocketChannel.cpp
+++ b/WebCore/websockets/WebSocketChannel.cpp
@@ -187,14 +187,17 @@ void WebSocketChannel::didReceiveData(SocketStreamHandle* handle, const char* da
         unsigned char frameByte = static_cast<unsigned char>(*p++);
         if ((frameByte & 0x80) == 0x80) {
             int length = 0;
-            while (p < end && (*p & 0x80) == 0x80) {
+            while (p < end) {
                 if (length > std::numeric_limits<int>::max() / 128) {
                     LOG(Network, "frame length overflow %d", length);
                     handle->close();
                     return;
                 }
-                length = length * 128 + (*p & 0x7f);
+                char msgByte = *p;
+                length = length * 128 + (msgByte & 0x7f);
                 ++p;
+                if (!(msgByte & 0x80))
+                    break;
             }
             if (p + length < end) {
                 p += length;
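Review bot: the loop can now exit with p == end before any byte with bit 7 clear has been seen (the prefix straddles a read), leaving a partial value in length, and execution continues into `if (p + length < end)` as though the prefix were complete. That comparison happens to fail in the truncated case, but nothing records that the terminator was never reached; an explicit `bool lengthComplete = false;` set next to the `break` and checked after the loop (not complete means wait for more data) makes the intent visible and does not depend on the else branch. Two smaller points: `char msgByte = *p;` works because `msgByte & 0x80` is evaluated after integer promotion, but `unsigned char`, as already used for `frameByte` a few lines up, saves the reader from thinking about char signedness; and `p + length < end` forms a pointer that can lie far past `end` when length is large (undefined behaviour for pointer arithmetic), whereas `length < end - p` compares the same quantity without leaving the buffer.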

-- 
WebKit Debian packaging
