Google Chrome/ChromeOS/Webkit Bug (9019)

Issue: https://code.google.com/p/chromium/issues/detail?id=9019

Reported by ZDI. This is not a Chrome “bug” ;-). The bug is in
WebKit.

Root cause: the index was not checked before inserting the element.

— src/3rdparty/webkit/WebCore/ksvg2/svg/SVGList.h
+++ src/3rdparty/webkit/WebCore/ksvg2/svg/SVGList.h
@@ -95,7 +95,11 @@ namespace WebCore {
 
         Item insertItemBefore(Item newItem, unsigned int index, ExceptionCode&)
         {
–           m_vector.insert(index, newItem);
+            if (index < m_vector.size()) {
+                m_vector.insert(index, newItem);
+            } else {
+                m_vector.append(newItem);
+            }
             return newItem;
         }
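Review bot: the `ExceptionCode&` parameter is still unnamed and never set, so an out-of-range `index` is now silently appended rather than reported to the caller; add a comment stating that append-on-overflow is the intended behaviour (or set the exception code), so the fallback is not mistaken for a defect later. The new `index < m_vector.size()` check does guarantee that `Vector::insert`'s `position <= size()` precondition holds on the insert path.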

Keep in mind that this is a WebKit bug and WebKit does not use the STL; it uses its own container implementation (WTF::Vector). If you look at the code you will see the bug: the only guard in Vector::insert is an ASSERT, which is compiled out of release builds, so an out-of-range index goes unchecked there.

https://code.google.com/p/webkit-mirror/source/browse/WebCore/ksvg2/svg/SVGList.h?spec=svna56034ad3eaace7df759e12235d535d07577470a&r=a56034ad3eaace7df759e12235d535d07577470a

    Item insertItemBefore(Item newItem, unsigned int index, ExceptionCode&)
    {
        m_vector.insert(index, newItem);
        return newItem;
    }

https://code.google.com/p/webkit-mirror/source/browse/Source/WTF/wtf/Vector.h

    template<typename T, size_t inlineCapacity> template<typename U>
    inline void Vector<T, inlineCapacity>::insert(size_t position, const U& val)
    {
        // Debug-only precondition: no release-build check that position <= size().
        ASSERT(position <= size());
        const U* data = &val;
        if (size() == capacity()) {
            data = expandCapacity(size() + 1, data);
            if (!begin())
                return;
        }
        // With position > size(), spot lies beyond the live elements.
        T* spot = begin() + position;
        TypeOperations::moveOverlapping(spot, end(), spot + 1);
        new (NotNull, spot) T(*data);
        ++m_size;
    }
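As an added example (not WebKit's code), here is a minimal integer vector modelled on the WTF insert() quoted above, but with the position check enforced unconditionally instead of via ASSERT(), plus a wrapper with the patched SVGList semantics (in-range index inserts, anything else appends). The class and function names are hypothetical.

```cpp
// Added example, not from WebKit: a minimal vector whose insert() refuses an
// out-of-range position at runtime, and the corrected SVGList-style wrapper.
#include <cstddef>
#include <cstdlib>
#include <cstring>

class IntVector {
public:
    IntVector() : m_buffer(nullptr), m_size(0), m_capacity(0) {}
    ~IntVector() { std::free(m_buffer); }
    size_t size() const { return m_size; }
    int at(size_t i) const { return m_buffer[i]; }

    // Same precondition as WTF's ASSERT(position <= size()), but checked in
    // every build: a position past the end would otherwise make `spot`
    // point beyond the live elements and the placement write go out of bounds.
    bool insert(size_t position, int value) {
        if (position > m_size)
            return false;              // refuse rather than write out of bounds
        if (m_size == m_capacity)
            grow();
        int* spot = m_buffer + position;
        std::memmove(spot + 1, spot, (m_size - position) * sizeof(int));
        *spot = value;
        ++m_size;
        return true;
    }
    void append(int value) { insert(m_size, value); }

private:
    void grow() {
        size_t newCapacity = m_capacity ? m_capacity * 2 : 4;
        int* grown = static_cast<int*>(std::realloc(m_buffer, newCapacity * sizeof(int)));
        if (!grown)
            std::abort();
        m_buffer = grown;
        m_capacity = newCapacity;
    }
    int* m_buffer;
    size_t m_size;
    size_t m_capacity;
};

// The patched SVGList behaviour: an in-range index inserts before that item,
// any other index appends, so the raw insert() precondition always holds.
int insertItemBefore(IntVector& list, int newItem, unsigned index) {
    if (index < list.size())
        list.insert(index, newItem);
    else
        list.append(newItem);
    return newItem;
}
```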

Lesson(s) Learned:
    1. Check bounds.
    2. Avoid rolling your own implementation of standard containers.
