Qt / QTBUG-61969

Crash due to zero-length message in WebChannelIPCTransportHost::onWebChannelMessage

Details

    Description

      We are using a JS fuzzing library to generate random objects, which we pass as stringified JSON to a slot on a QObject that is exported to JS via a WebChannel, e.g. 100 slot calls back-to-back.
      (https://github.com/NodeGuy/JavaScript-fuzz)

      Sometimes we see our application crash in WebChannelIPCTransportHost::onWebChannelMessage - when it receives an empty message. The QJsonDocument there is then constructed over a null pointer leaving the field d->header NULL. The crash then happens in doc.object().

      We can avoid the crash by checking for an empty message in onWebChannelMessage and then doing nothing, but that is not a real fix because we then see that not all of our slot calls get their JS callback function called.

      Attachments

        1. fuzz.js
          5 kB
        2. index.html
          0.8 kB
        3. underscore.js
          16 kB
        4. webchannel-ipc-crash.png
          23 kB

          People

            juri.valdmann Jüri Valdmann (Inactive)
            stephan.reiter Stephan Reiter