Bug 215976

Summary: [GTK] REGRESSION(r150392) insufficient space allocation results in heap corruption
Product: WebKit Reporter: Jim Mason <jmason>
Component: WebKitGTKAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: benjamin, bugs-noreply, cdumez, cgarcia, cmarcelo, ews-watchlist
Priority: P2    
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch none

Description Jim Mason 2020-08-29 02:17:37 PDT 
The change introduced by the patch for 150392 fails to allocate enough space for the new RunLoopSource struct in the TimerBase ctor, resulting in a segmentation fault due to heap corruption:

    (gdb) bt
    #0  0x00007ffaa94e30d1 in _malloc_unlocked () at /lib/64/libc.so.1
    #1  0x00007ffaa94e2f14 in malloc () at /lib/64/libc.so.1
    #2  0x00007ffaa94caaef in calloc () at /lib/64/libc.so.1
    #3  0x00007ffaa8f90189 in g_malloc0 () at /usr/lib/64/libglib-2.0.so.0
    #4  0x00007ffaa8f864fb in g_source_new () at /usr/lib/64/libglib-2.0.so.0
    #5  0x00007ffa9edcc6f4 in WTF::RunLoop::TimerBase::TimerBase(WTF::RunLoop&) ()
Comment 1 Jim Mason 2020-08-29 02:18:44 PDT 
Created attachment 407537 [details]
Patch
Comment 2 Carlos Garcia Campos 2020-08-30 02:24:22 PDT 
Comment on attachment 407537 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=407537&action=review

Thanks!

> Source/WTF/wtf/glib/RunLoopGLib.cpp:162
> -    , m_source(adoptGRef(g_source_new(&RunLoop::s_runLoopSourceFunctions, sizeof(GSource))))
> +    , m_source(adoptGRef(g_source_new(&RunLoop::s_runLoopSourceFunctions, sizeof(RunLoopSource))))

Oops, I forgot this one.
Comment 3 EWS 2020-08-30 02:40:47 PDT 
Committed r266331: <https://trac.webkit.org/changeset/266331>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 407537 [details].