[SCM] WebKit Debian packaging branch, webkit-1.1, updated. upstream/1.1.17-1283-gcf603cf
ukai at chromium.org
Tue Jan 5 23:44:25 UTC 2010
The following commit has been merged in the webkit-1.1 branch:
commit e7ed0f7a4fe879b138c848b71bd3ac806ca9f78b
Author: ukai at chromium.org <ukai at chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Tue Dec 8 04:03:42 2009 +0000
2009-12-07 Fumitoshi Ukai <ukai at chromium.org>
Reviewed by Darin Adler.
Fix wrong length parsing in WebSocket.
https://bugs.webkit.org/show_bug.cgi?id=32203
These two tests assumed wrong length encoding in frame: it parsed
length from bytes with 8th bit on. But spec says length is encoded
as a series of 7-bit bytes stored in octets with the 8th bit on
*but the last byte*.
These tests encode a frame that has 129 length, so it must be
\x81\0x01 instead of \x81\0x81.
* websocket/tests/frame-length-longer-than-buffer_wsh.py:
* websocket/tests/frame-length-skip_wsh.py:
2009-12-07 Fumitoshi Ukai <ukai at chromium.org>
Reviewed by Darin Adler.
Fix wrong length parsing in WebSocket.
https://bugs.webkit.org/show_bug.cgi?id=32203
* websockets/WebSocketChannel.cpp:
(WebCore::WebSocketChannel::didReceiveData):
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@51829 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index bcc9d34..9963f2a 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,20 @@
+2009-12-07 Fumitoshi Ukai <ukai at chromium.org>
+
+ Reviewed by Darin Adler.
+
+ Fix wrong length parsing in WebSocket.
+ https://bugs.webkit.org/show_bug.cgi?id=32203
+
+ These two tests assumed wrong length encoding in frame: it parsed
+ length from bytes with 8th bit on. But spec says length is encoded
+ as a series of 7-bit bytes stored in octests with the 8th bit on
+ *but the last byte*.
+ These tests encodes a frame that has 129 length, so it must be
+ \x81\0x01 instead of \x81\0x81.
+
+ * websocket/tests/frame-length-longer-than-buffer_wsh.py:
+ * websocket/tests/frame-length-skip_wsh.py:
+
2009-12-07 Nikolas Zimmermann <nzimmermann at rim.com>
Rubber-stamped by Maciej Stachowiak.
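Review bot: the ChangeLog text has typos ("octests" for "octets", "These tests encodes") and the example bytes `\x81\0x01` / `\x81\0x81` mix the `\0x` and `\x` notations; the two test files in this patch actually send `\x80\x81\x01`, so quoting the bytes exactly as the tests do (including the leading `\x80` frame-type byte) would avoid confusion for readers of the log.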
diff --git a/LayoutTests/websocket/tests/frame-length-longer-than-buffer_wsh.py b/LayoutTests/websocket/tests/frame-length-longer-than-buffer_wsh.py
index 8ad868b..0f91c96 100644
--- a/LayoutTests/websocket/tests/frame-length-longer-than-buffer_wsh.py
+++ b/LayoutTests/websocket/tests/frame-length-longer-than-buffer_wsh.py
@@ -3,7 +3,7 @@ def web_socket_do_extra_handshake(request):
def web_socket_transfer_data(request):
msg = "\0hello\xff"
- msg += "\x80\x81\x81"
+ msg += "\x80\x81\x01" # skip 1*128+1 bytes.
msg += "\x01\xff"
msg += "\0should be skipped\xff"
request.connection.write(msg)
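Review bot: the new comment `# skip 1*128+1 bytes.` on the `\x80\x81\x01` line states the decoded length but not what this test exercises: only `\x01\xff` and `\0should be skipped\xff` follow, far fewer than 129 bytes, so the frame is deliberately longer than the data sent and nothing is actually skipped. A comment such as `# declares a 129-byte frame but sends fewer bytes` would make the intent clear and explain why this file differs from frame-length-skip_wsh.py.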
diff --git a/LayoutTests/websocket/tests/frame-length-skip_wsh.py b/LayoutTests/websocket/tests/frame-length-skip_wsh.py
index 5571691..d14f550 100644
--- a/LayoutTests/websocket/tests/frame-length-skip_wsh.py
+++ b/LayoutTests/websocket/tests/frame-length-skip_wsh.py
@@ -3,7 +3,7 @@ def web_socket_do_extra_handshake(request):
def web_socket_transfer_data(request):
msg = "\0hello\xff"
- msg += "\x80\x81\x81"
+ msg += "\x80\x81\x01" # skip 1*128+1 bytes.
msg += "\x01"
msg += "\0should be skipped" + (" " * 109) + "\xff"
msg += "\0world\xff"
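Review bot: the 129-byte payload following the `\x80\x81\x01` header is assembled from `\x01`, `\0should be skipped`, 109 spaces and `\xff`, and the count only works because of the exact literal lengths; building it in a variable and asserting `len(payload) == 1 * 128 + 1` before appending it to `msg` would document the relationship to the length header and catch a future edit to the text that silently breaks the test.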
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 607abc5..b235deb 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,13 @@
+2009-12-07 Fumitoshi Ukai <ukai at chromium.org>
+
+ Reviewed by Darin Adler.
+
+ Fix wrong length parsing in WebSocket.
+ https://bugs.webkit.org/show_bug.cgi?id=32203
+
+ * websockets/WebSocketChannel.cpp:
+ (WebCore::WebSocketChannel::didReceiveData):
+
2009-12-07 Nikolas Zimmermann <nzimmermann at rim.com>
Rubber-stamped by Maciej Stachowiak.
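Review bot: the WebCore ChangeLog entry names the changed function but says nothing about what changed; one sentence stating that the length loop in didReceiveData now also consumes the final byte whose high bit is clear (previously the loop stopped before that byte, so its low 7 bits were never added to the length) would help anyone reading the log without the diff.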
diff --git a/WebCore/websockets/WebSocketChannel.cpp b/WebCore/websockets/WebSocketChannel.cpp
index 2dde770..a222b4d 100644
--- a/WebCore/websockets/WebSocketChannel.cpp
+++ b/WebCore/websockets/WebSocketChannel.cpp
@@ -187,14 +187,17 @@ void WebSocketChannel::didReceiveData(SocketStreamHandle* handle, const char* da
unsigned char frameByte = static_cast<unsigned char>(*p++);
if ((frameByte & 0x80) == 0x80) {
int length = 0;
- while (p < end && (*p & 0x80) == 0x80) {
+ while (p < end) {
if (length > std::numeric_limits<int>::max() / 128) {
LOG(Network, "frame length overflow %d", length);
handle->close();
return;
}
- length = length * 128 + (*p & 0x7f);
+ char msgByte = *p;
+ length = length * 128 + (msgByte & 0x7f);
++p;
+ if (!(msgByte & 0x80))
+ break;
}
if (p + length < end) {
p += length;
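Review bot: `char msgByte = *p;` relies on the signedness of `char` and on integer promotion for `msgByte & 0x80` and `msgByte & 0x7f` to behave as intended; the code a few lines up already uses `static_cast<unsigned char>(*p++)` for frameByte, so `unsigned char msgByte = static_cast<unsigned char>(*p);` would be consistent and make the bit tests obviously correct. Also, if the loop ends because `p < end` fails before a byte with the high bit clear has been consumed, `length` holds a partially decoded value and falls straight through to the `if (p + length < end)` test; setting a flag at the `break` (or checking that the last consumed byte had its high bit clear) would make the truncated-length case explicit instead of relying on that comparison failing.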