[SCM] WebKit Debian packaging branch, webkit-1.3, updated. upstream/1.3.7-4207-g178b198

japhet at chromium.org japhet at chromium.org
Sun Feb 20 23:27:49 UTC 2011 

The following commit has been merged in the webkit-1.3 branch:
commit 243ab97aa961d56f3c19bc0f432a556b77cb3a04
Author: japhet at chromium.org <japhet at chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Thu Jan 20 18:20:12 2011 +0000

    2011-01-20  Nate Chapin  <japhet at chromium.org>
    
            Reviewed by Darin Fisher.
    
            [V8] Call malloc and memcpy directly instead of
            of strdup in convertV8ObjectToNPVariant() when
            converting strings. If there is a null character
            in the string, our use of strdup causes us to allocate
            too little memory, leading to out of bounds reads.
    
            https://bugs.webkit.org/show_bug.cgi?id=52631
    
            * bindings/v8/V8NPUtils.cpp:
            (WebCore::convertV8ObjectToNPVariant):
    
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@76264 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
index 6cf0d53..674f589 100644
--- a/Source/WebCore/ChangeLog
+++ b/Source/WebCore/ChangeLog
@@ -1,3 +1,18 @@
+2011-01-20  Nate Chapin  <japhet at chromium.org>
+
+        Reviewed by Darin Fisher.
+
+        [V8] Call malloc and memcpy directly instead of
+        of strdup in convertV8ObjectToNPVariant() when
+        converting strings. If there is a null character
+        in the string, our use of strdup causes us to allocate
+        too little memory, leading to out of bounds reads.
+
+        https://bugs.webkit.org/show_bug.cgi?id=52631
+
+        * bindings/v8/V8NPUtils.cpp:
+        (WebCore::convertV8ObjectToNPVariant):
+
 2011-01-20  Andreas Kling  <kling at webkit.org>
 
         Reviewed by Ariya Hidayat.
diff --git a/Source/WebCore/bindings/v8/V8NPUtils.cpp b/Source/WebCore/bindings/v8/V8NPUtils.cpp
index 65c30a0..3413447 100644
--- a/Source/WebCore/bindings/v8/V8NPUtils.cpp
+++ b/Source/WebCore/bindings/v8/V8NPUtils.cpp
@@ -63,8 +63,9 @@ void convertV8ObjectToNPVariant(v8::Local<v8::Value> object, NPObject* owner, NP
         VOID_TO_NPVARIANT(*result);
     else if (object->IsString()) {
         v8::String::Utf8Value utf8(object);
-        char* utf8_chars = strdup(*utf8);
-        STRINGN_TO_NPVARIANT(utf8_chars, utf8.length(), *result);
+        char* utf8Chars = reinterpret_cast<char*>(malloc(utf8.length()));
+        memcpy(utf8Chars, *utf8, utf8.length());
+        STRINGN_TO_NPVARIANT(utf8Chars, utf8.length(), *result);
     } else if (object->IsObject()) {
         DOMWindow* window = V8Proxy::retrieveWindow(V8Proxy::currentContext());
         NPObject* npobject = npCreateV8ScriptObject(0, v8::Handle<v8::Object>::Cast(object), window);

-- 
WebKit Debian packaging

More information about the Pkg-webkit-commits mailing list