Hi,
I just found an out-of-bounds bug (not a security issue) in
AbstractTreeItem.js.
If one creates a tree with 3 TreeFolders item1 item2 and item3 added in
that order, and then calls tree.addBefore(item1, item3) to move the
first item to the 2nd index, the code fails with an exception. The bug
is in addAt() on line 767 of AbstractTreeItem.js in trunk. This code:
var oldParent = treeItem.getParent();
if (oldParent) {
oldParent.remove(treeItem);
}
needs to be:
var oldParent = treeItem.getParent();
if (oldParent) {
if (oldParent == this && index > this.indexOf(treeItem)) {
--index; // otherwise we get an exception
}
oldParent.remove(treeItem);
}
The reason is that the index addAt() is expecting will become index-1
and so the subsequent call:
var nextItem = this.__children[index];
will assign the wrong value to nextItem. In the case I described, it
will simply set nextItem = null and cause an exception on the
addBefore() that follows. More insidious would be the case where index
is not array.length-1, and nextItem would in fact be the wrong item with
no error returned.
Thanks,
Greg
------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
qooxdoo-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/qooxdoo-devel
