[WinCairo] REGRESSION(r245186) Crash in NetworkCache::IOChannel::read…

… in http/tests/IndexedDB some tests https://bugs.webkit.org/show_bug.cgi?id=197941 Reviewed by Don Olmstead. http/tests/IndexedDB some tests were crashing in NetworkCache::IOChannel::read in order to allocate a buffer with std::numeric_limits<size_t>::max() as the size. IOChannel::read should check the file size, and calculate the read size. * NetworkProcess/cache/NetworkCacheIOChannelCurl.cpp: (WebKit::NetworkCache::IOChannel::read): Limit the read buffer size by calling FileSystem::getFileSize. Canonical link: https://commits.webkit.org/212357@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@245847 268f45cc-cd09-0410-ab3c-d52691b4dbfc
WebKit · May 29, 2019 · a5e07ad · a5e07ad
1 parent ef0743c
commit a5e07ad
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 2 deletions.
diff --git a/Source/WebKit/ChangeLog b/Source/WebKit/ChangeLog
@@ -1,3 +1,21 @@
+2019-05-28  Fujii Hironori  <Hironori.Fujii@sony.com>
+
+        [WinCairo] REGRESSION(r245186) Crash in NetworkCache::IOChannel::read in http/tests/IndexedDB some tests
+        https://bugs.webkit.org/show_bug.cgi?id=197941
+
+        Reviewed by Don Olmstead.
+
+        http/tests/IndexedDB some tests were crashing in
+        NetworkCache::IOChannel::read in order to allocate a buffer with
+        std::numeric_limits<size_t>::max() as the size.
+
+        IOChannel::read should check the file size, and calculate the read
+        size.
+
+        * NetworkProcess/cache/NetworkCacheIOChannelCurl.cpp:
+        (WebKit::NetworkCache::IOChannel::read): Limit the read buffer
+        size by calling FileSystem::getFileSize.
+
 2019-05-28  Brent Fulgham  <bfulgham@apple.com>
 
         Fix sandbox violation when using QuickLook on iOS

diff --git a/Source/WebKit/NetworkProcess/cache/NetworkCacheIOChannelCurl.cpp b/Source/WebKit/NetworkProcess/cache/NetworkCacheIOChannelCurl.cpp
@@ -74,9 +74,17 @@ static inline void runTaskInQueue(Function<void()>&& task, WorkQueue* queue)
 void IOChannel::read(size_t offset, size_t size, WorkQueue* queue, Function<void(Data&, int error)>&& completionHandler)
 {
     runTaskInQueue([this, protectedThis = makeRef(*this), offset, size, completionHandler = WTFMove(completionHandler)] {
-        Vector<uint8_t> buffer(size);
+        long long fileSize;
+        if (!FileSystem::getFileSize(m_fileDescriptor, fileSize) || fileSize > std::numeric_limits<size_t>::max()) {
+            Data data;
+            completionHandler(data, -1);
+            return;
+        }
+        size_t readSize = fileSize;
+        readSize = std::min(size, readSize);
+        Vector<uint8_t> buffer(readSize);
         FileSystem::seekFile(m_fileDescriptor, offset, FileSystem::FileSeekOrigin::Beginning);
-        int err = FileSystem::readFromFile(m_fileDescriptor, reinterpret_cast<char*>(buffer.data()), size);
+        int err = FileSystem::readFromFile(m_fileDescriptor, reinterpret_cast<char*>(buffer.data()), readSize);
         err = err < 0 ? err : 0;
         auto data = Data(WTFMove(buffer));
         completionHandler(data, err);