Fix a crash in loading an empty resource in a bundle

A crash occurs when loading an empty resource in a bundle because PipeDataSource::Read accesses data_[offset] even when data_.size() is zero. We should memcpy only when |len| > 0 to avoid out-of-range access. Bug: 1082020 Change-Id: I4c04ef38029c30ef57908ddaf8c4868e66531c5b Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2463095Reviewed-by: Kunihiko Sakamoto <ksakamoto@chromium.org> Reviewed-by: Kinuko Yasuda <kinuko@chromium.org> Commit-Queue: Hayato Ito <hayato@chromium.org> Cr-Commit-Position: refs/heads/master@{#816456}

Fix a crash in loading an empty resource in a bundle
A crash occurs when loading an empty resource in a bundle because PipeDataSource::Read accesses data_[offset] even when data_.size() is zero. We should memcpy only when |len| > 0 to avoid out-of-range access. Bug: 1082020 Change-Id: I4c04ef38029c30ef57908ddaf8c4868e66531c5b Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2463095Reviewed-by: Kunihiko Sakamoto <ksakamoto@chromium.org> Reviewed-by: Kinuko Yasuda <kinuko@chromium.org> Commit-Queue: Hayato Ito <hayato@chromium.org> Cr-Commit-Position: refs/heads/master@{#816456}
d79413b3 · Hayato Ito · Commit Bot · 02caa3cd · d79413b3 · d79413b3
Commit d79413b3 authored Oct 13, 2020 by Hayato Ito Committed by Commit Bot Oct 13, 2020
5 changed files
--- a/third_party/blink/renderer/platform/loader/fetch/url_loader/web_bundle_subresource_loader.cc
+++ b/third_party/blink/renderer/platform/loader/fetch/url_loader/web_bundle_subresource_loader.cc
@@ -106,7 +106,10 @@ class PipeDataSource : public mojo::DataPipeProducer::DataSource {
    }
    size_t offset = base::checked_cast<size_t>(uint64_offset);
    size_t len = std::min(data_.size() - offset, buffer.size());
+    if (len > 0) {
+      DCHECK_LT(offset, data_.size());
      memcpy(buffer.data(), &data_[offset], len);
+    }
    result.bytes_read = len;
    return result;
  }

--- a/third_party/blink/web_tests/http/tests/loading/wbn/resources/empty-resource/empty.js
+++ b/third_party/blink/web_tests/http/tests/loading/wbn/resources/empty-resource/empty.js
--- a/third_party/blink/web_tests/http/tests/loading/wbn/resources/generate-test-wbns.sh
+++ b/third_party/blink/web_tests/http/tests/loading/wbn/resources/generate-test-wbns.sh
@@ -32,3 +32,10 @@ gen-bundle \
  -primaryURL https://localhost:8443/loading/wbn/resources/wbn/server/wbn-subresource-third-party-origin-trial/script.js \
  -dir wbn-subresource-third-party-origin-trial/ \
  -o wbn/wbn-subresource-third-party-origin-trial.wbn
+gen-bundle \
+  -version b1 \
+  -baseURL http://127.0.0.1:8000/loading/wbn/resources/wbn/ \
+  -primaryURL http://127.0.0.1:8000/loading/wbn/resources/wbn/empty.js \
+  -dir empty-resource/ \
+  -o wbn/empty-resource.wbn
--- a/third_party/blink/web_tests/http/tests/loading/wbn/resources/wbn/empty-resource.wbn
+++ b/third_party/blink/web_tests/http/tests/loading/wbn/resources/wbn/empty-resource.wbn
--- a/third_party/blink/web_tests/http/tests/loading/wbn/subresource-loading/subresource-loading-empty-resource-crash.html
+++ b/third_party/blink/web_tests/http/tests/loading/wbn/subresource-loading/subresource-loading-empty-resource-crash.html
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<body>
+  <link
+    rel="webbundle"
+    href="../resources/wbn/empty-resource.wbn"
+    resources="http://127.0.0.1:8000/loading/wbn/resources/wbn/empty.js"
+  />
+  <script>
+    promise_test(async () => {
+      const response = await fetch(
+        "http://127.0.0.1:8000/loading/wbn/resources/wbn/empty.js"
+      );
+      assert_true(response.ok);
+    }, "Loading an empty resource in a bundle should not cause a crash");
+  </script>
+</body>