[NaCl SDK] nacl_io: Fix use-after-free bug in html5fs

nacl_io::Path::Part returns a temporary string. The code that hashes the path to create a phony ino calls this, and stashes a pointer to the memory. The real issue with nacl_io_demo is that the quota was too low. I've upped it to 5 megs now. BUG=478230 R=sbc@chromium.org Review URL: https://codereview.chromium.org/1062463004 Cr-Commit-Position: refs/heads/master@{#326850}
hylschwy · Apr 24, 2015 · ccbe99a · ccbe99a
1 parent ad6f502
commit ccbe99a
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 4 deletions.
diff --git a/native_client_sdk/src/examples/demo/nacl_io_demo/example.js b/native_client_sdk/src/examples/demo/nacl_io_demo/example.js
@@ -12,7 +12,7 @@ function $(id) {
 
 // Called by the common.js module.
 function domContentLoaded(name, tc, config, width, height) {
-  navigator.webkitPersistentStorage.requestQuota(1024 * 1024,
+  navigator.webkitPersistentStorage.requestQuota(5 * 1024 * 1024,
       function(bytes) {
         common.updateStatus(
             'Allocated ' + bytes + ' bytes of persistant storage.');

diff --git a/native_client_sdk/src/libraries/nacl_io/html5fs/html5_fs.cc b/native_client_sdk/src/libraries/nacl_io/html5fs/html5_fs.cc
@@ -45,9 +45,8 @@ ino_t Html5Fs::HashPath(const Path& path) {
 
   // Apply a running DJB2a to each part of the path
   for (size_t segment = 0; segment < path.Size(); segment++) {
-    const char *ptr = path.Part(segment).c_str();
-    size_t len = path.Part(segment).length();
-    hash = HashPathSegment(hash, ptr, len);
+    const std::string& part = path.Part(segment);
+    hash = HashPathSegment(hash, part.c_str(), part.length());
   }
   return hash;
 }