mirror of
https://github.com/LadybirdBrowser/ladybird.git
synced 2024-09-20 17:58:18 +03:00
LibHTTP: Fix logic error leading to buffer over-read
When we receive HTTP payloads, we have to ensure that the number of bytes read is *at most* the value specified in the Content-Length header. However, we did not use the correct value when calculating the truncated size of the last payload. `m_buffered_size` does not store the total number of bytes received, but rather the number of bytes that haven't been read from us. This means that if some data has already been read from us, `m_buffered_size` is smaller than `m_received_size`. Because of this, we ended up resizing the `payload` ByteBuffer to a larger size than its contents. This garbage data was then read by consumers, producing this warning when executing scripts: > Extension byte 0xdc in 1 position after first byte 0xdc doesn't make > sense.
This commit is contained in:
parent
47b8d80864
commit
e9f0ebd4bd
Notes:
sideshowbarker
2024-07-18 01:45:18 +09:00
Author: https://github.com/BertalanD Commit: https://github.com/SerenityOS/serenity/commit/e9f0ebd4bd9 Pull-request: https://github.com/SerenityOS/serenity/pull/10677 Reviewed-by: https://github.com/alimpfard
@ -325,7 +325,7 @@ void Job::on_socket_connected()
|
||||
if (m_content_length.has_value()) {
|
||||
auto length = m_content_length.value();
|
||||
if (m_received_size + payload.size() >= length) {
|
||||
payload.resize(length - m_buffered_size);
|
||||
payload.resize(length - m_received_size);
|
||||
read_everything = true;
|
||||
}
|
||||
}
|
||||
@ -338,6 +338,7 @@ void Job::on_socket_connected()
|
||||
deferred_invoke([this] { did_progress(m_content_length, m_received_size); });
|
||||
|
||||
if (read_everything) {
|
||||
VERIFY(m_received_size <= m_content_length.value());
|
||||
finish_up();
|
||||
return IterationDecision::Break;
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user