ASAN: Fix global-buffer-overflow @wtf::StringImpl::createFromLiteral()
strlen() is invoked on strings located in UserAgentStyleSheetsData.cpp,
however the strings in those tables do not contain a valid C string with
a '\0' character at the end.

GDB callstack excerpt:
(complete is available at WebPlatformForEmbedded#592)

(gdb) bt
 #0  0x00007fb2aae415d0 in __sanitizer::Die() () at ../../../../libsanitizer/sanitizer_common/sanitizer_termination.cc:49
 WebPlatformForEmbedded#1  0x00007fb2aae23ce5 in __asan::ScopedInErrorReport::~ScopedInErrorReport() (this=<optimized out>, __in_chrg=<optimized out>) at ../../../../libsanitizer/asan/asan_report.cc:181
 WebPlatformForEmbedded#2  0x00007fb2aae23ce5 in __asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool) (pc=<optimized out>, bp=bp@entry=140729000272496, sp=sp@entry=140729000270360, addr=addr@entry=140405332238509, is_write=is_write@entry=false, access_size=access_size@entry=27118, exp=0, fatal=false) at ../../../../libsanitizer/asan/asan_report.cc:397
 WebPlatformForEmbedded#3  0x00007fb2aadd62ac in __interceptor_strlen(char const*) (s=<optimized out>) at ../../../../libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:301
 WebPlatformForEmbedded#4  0x00007fb2a95309ba in WTF::StringImpl::createFromLiteral(char const*) (characters=0x7fb2a9f376c0 <WebCore::mediaControlsBaseUserAgentStyleSheet> "audio { width: 200px; height: 25px; } body:-webkit-full-page-media { background-color: rgb(38, 38, 38); } video:-webkit-full-page-media { margin: auto; position: absolute; top: 0; right: 0; bottom: 0;"...) at ../Source/WTF/wtf/text/StringImpl.cpp:158
 WebPlatformForEmbedded#5  0x00007fb2a957ff4c in WTF::String::String(WTF::ASCIILiteral) (this=0x7ffe061225d0, characters=...) at ../Source/WTF/wtf/text/WTFString.h:734
 WebPlatformForEmbedded#6  0x00007fb2a4b25f21 in WebCore::RenderThemeWPE::mediaControlsStyleSheet() (this=<optimized out>) at ../Source/WTF/wtf/text/WTFString.h:733

(gdb) fr 4
158	    return createFromLiteral(characters, strlen(characters));
(gdb) l
153	    return adoptRef(*new StringImpl(reinterpret_cast<const LChar*>(characters), length, ConstructWithoutCopying));
154	}
155
156	Ref<StringImpl> StringImpl::createFromLiteral(const char* characters)
157	{
158	    return createFromLiteral(characters, strlen(characters));
159	}

Signed-off-by: Damian Wrobel <dwrobel@ertelnet.rybnik.pl>
dwrobel committed Apr 23, 2019
1 parent c4a2a3c commit ef26266
Showing 1 changed file with 7 additions and 6 deletions.
13 changes: 7 additions & 6 deletions Source/WebCore/css/make-css-file-arrays.pl
Expand Up @@ -66,11 +66,11 @@
# Write out a C array of the characters.
my $length = length $text;
if ($in =~ /(\w+)\.css$/) {
print HEADER "extern const char ${name}UserAgentStyleSheet[${length}];\n";
print OUT "extern const char ${name}UserAgentStyleSheet[${length}] = {\n";
print HEADER "extern const char ${name}UserAgentStyleSheet[${length}+1];\n";
print OUT "extern const char ${name}UserAgentStyleSheet[${length}+1] = {\n";
} else {
print HEADER "extern const char ${name}JavaScript[${length}];\n";
print OUT "extern const char ${name}JavaScript[${length}] = {\n";
print HEADER "extern const char ${name}JavaScript[${length}+1];\n";
print OUT "extern const char ${name}JavaScript[${length}+1] = {\n";
}
my $i = 0;
while ($i < $length) {
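Review bot: the four print statements now emit a literal `[${length}+1]` into both the header and the .cpp, so the generated C reads `extern const char fooUserAgentStyleSheet[1234+1]`; computing the size once in Perl (`my $arrayLength = $length + 1;`) and using `${arrayLength}` in all four lines avoids repeating the arithmetic and keeps the HEADER and OUT declarations from drifting apart. Since the declared array size changes, any caller that takes `sizeof(xUserAgentStyleSheet)` as the content length now sees one extra byte, which is worth checking before merge.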
Expand All @@ -82,9 +82,10 @@
++$i;
++$j;
}
print OUT "," unless $i == $length;
print OUT "\n";
print OUT ",";
print OUT "\n" unless $i == $length;
}
print OUT " 0\n";
print OUT "};\n";

}
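Review bot: the sentinel written by `print OUT " 0\n";` is the whole point of the fix, so a short comment in the generated output (or in the script next to that line) saying it is the NUL terminator required by `strlen()` in `StringImpl::createFromLiteral(const char*)` would stop a future edit from dropping it. Moving the `unless $i == $length` guard from the comma to the newline is correct, but it leaves the terminating `0` on the same line as the last data bytes; printing the guard-free `"\n"` and then `" 0\n"` on its own line would make the terminator visible at a glance in UserAgentStyleSheetsData.cpp.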