From ccbe99a8e0ab02e923af802bfef76c56fcb803d2 Mon Sep 17 00:00:00 2001
From: binji
Date: Fri, 24 Apr 2015 11:58:08 -0700
Subject: [PATCH] [NaCl SDK] nacl_io: Fix use-after-free bug in html5fs
nacl_io::Path::Part returns a temporary string. The code that hashes the path to create a phony ino calls this, and stashes a pointer to the memory. The real issue with nacl_io_demo is that the quota was too low. I've upped it to 5 megs now.
BUG=478230
R=sbc@chromium.org
Review URL: https://codereview.chromium.org/1062463004
Cr-Commit-Position: refs/heads/master@{#326850}
---
 native_client_sdk/src/examples/demo/nacl_io_demo/example.js | 2 +-
 native_client_sdk/src/libraries/nacl_io/html5fs/html5_fs.cc | 5 ++---
 2 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/native_client_sdk/src/examples/demo/nacl_io_demo/example.js b/native_client_sdk/src/examples/demo/nacl_io_demo/example.js
index 128bcd03701355..7cb83c15b65a15 100644
--- a/native_client_sdk/src/examples/demo/nacl_io_demo/example.js
+++ b/native_client_sdk/src/examples/demo/nacl_io_demo/example.js
@@ -12,7 +12,7 @@ function $(id) {
 // Called by the common.js module.
 function domContentLoaded(name, tc, config, width, height) {
- navigator.webkitPersistentStorage.requestQuota(1024 * 1024,
+ navigator.webkitPersistentStorage.requestQuota(5 * 1024 * 1024,
 function(bytes) {
 common.updateStatus(
 'Allocated ' + bytes + ' bytes of persistant storage.');
diff --git a/native_client_sdk/src/libraries/nacl_io/html5fs/html5_fs.cc b/native_client_sdk/src/libraries/nacl_io/html5fs/html5_fs.cc
index bb6b9cc87ed4f4..b71de276270e26 100644
--- a/native_client_sdk/src/libraries/nacl_io/html5fs/html5_fs.cc
+++ b/native_client_sdk/src/libraries/nacl_io/html5fs/html5_fs.cc
@@ -45,9 +45,8 @@ ino_t Html5Fs::HashPath(const Path& path) {
 // Apply a running DJB2a to each part of the path
 for (size_t segment = 0; segment < path.Size(); segment++) {
- const char *ptr = path.Part(segment).c_str();
- size_t len = path.Part(segment).length();
- hash = HashPathSegment(hash, ptr, len);
+ const std::string& part = path.Part(segment);
+ hash = HashPathSegment(hash, part.c_str(), part.length());
 }
 return hash;
 }
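Review bot: The added `const std::string& part = path.Part(segment);` is safe only because binding a const reference extends the lifetime of the temporary that, per the commit message, `Path::Part` returns by value, and nothing on the line says so. A later editor could fold it back into `path.Part(segment).c_str()` and reintroduce the dangling pointer, which would again derive the inode number from freed heap memory. I would add a comment above it such as `// Part() returns a temporary; keep it alive while HashPathSegment reads its buffer.`, or hold the segment by value with `const std::string part = path.Part(segment);` so the ownership is explicit. If the html5fs tests do not already exercise HashPath under AddressSanitizer, a small case doing so would catch a regression. The body of HashPath begins before the first line of this hunk.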