Title: [94824] trunk/Source/WebCore
Revision
94824
Author
[email protected]
Date
2011-09-08 18:14:50 -0700 (Thu, 08 Sep 2011)

Log Message

Always zero-out m_sortedTextBoxesPosition to avoid uninitialized read in TextIterator
https://bugs.webkit.org/show_bug.cgi?id=67810

Reviewed by Tony Chang.

Reported as a valgrind failure in http://crbug.com/84777.

No possible change in behavior, so no tests. The uninitialized read
could never have an impact:

   if (m_sortedTextBoxesPosition + 1 < m_sortedTextBoxes.size()) ...

Since m_sortedTextBoxes.size() will be zero here if
m_sortedTextBoxesPosition is uninitialized, and they're both unsigned,
so no possible value of m_sortedTextBoxesPosition could be < 0.

* editing/TextIterator.cpp:
(WebCore::TextIterator::TextIterator):
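The pattern this commit fixes, reduced to a stand-alone class as an added example (this is not WebKit code; the class and member names are assumptions chosen to echo the commit). The first class shows the "before" shape, where one of two constructors forgets the cursor member; the second shows a hardened form that uses a C++11 default member initializer so every constructor, including any added later, starts the cursor at zero. `guardPasses` states the commit's unsigned-comparison argument as a pure function so it can be checked for the edge case where `position + 1` wraps to zero.

```cpp
// Added example, not part of r94824 or of WebKit.
#include <cstddef>
#include <vector>

// "Before": the member is initialized in one constructor but not the other.
// Nothing in the test below calls into this class, because reading the
// indeterminate member is undefined behaviour even though, for an empty
// vector, no unsigned value can make the guard below true. Valgrind reports
// such a read as a use of an uninitialised value (the trigger for this commit).
class UnsafeIterator {
public:
    UnsafeIterator() : m_sortedTextBoxesPosition(0) { }
    explicit UnsafeIterator(int /*behavior*/) { } // m_sortedTextBoxesPosition left indeterminate

    bool hasNextBox() const
    {
        return m_sortedTextBoxesPosition + 1 < m_sortedTextBoxes.size();
    }

private:
    std::vector<int> m_sortedTextBoxes;
    unsigned m_sortedTextBoxesPosition; // assumed type; the real header is not in the diff
};

// "After": a default member initializer (C++11) covers every constructor,
// so the fix cannot be undone by a constructor that omits the initializer
// from its list, which is what the per-constructor fix in r94824 relies on.
class SafeIterator {
public:
    SafeIterator() { }
    explicit SafeIterator(int /*behavior*/) { }

    void appendBox(int box) { m_sortedTextBoxes.push_back(box); }
    void advance() { ++m_sortedTextBoxesPosition; }
    unsigned position() const { return m_sortedTextBoxesPosition; }

    // Same guard as the one quoted in the commit message.
    bool hasNextBox() const
    {
        return m_sortedTextBoxesPosition + 1 < m_sortedTextBoxes.size();
    }

private:
    std::vector<int> m_sortedTextBoxes;
    unsigned m_sortedTextBoxesPosition = 0;
};

// The commit's argument as a pure function: with boxCount == 0 the guard is
// false for every unsigned position, including the wrap-around case where
// position == UINT_MAX and position + 1 becomes 0 (unsigned overflow is
// well-defined), because 0 < 0 is false.
bool guardPasses(unsigned position, std::size_t boxCount)
{
    return position + 1 < boxCount;
}
```

The behavioural argument in the commit message holds for the comparison itself, but an uninitialized read is still undefined behaviour and is exactly what valgrind (or MemorySanitizer) flags, so the initializer is the right fix even when no observable effect can be constructed.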

Modified Paths

Diff

Modified: trunk/Source/WebCore/ChangeLog (94823 => 94824)


--- trunk/Source/WebCore/ChangeLog	2011-09-09 00:50:09 UTC (rev 94823)
+++ trunk/Source/WebCore/ChangeLog	2011-09-09 01:14:50 UTC (rev 94824)
@@ -1,3 +1,24 @@
+2011-09-08  Adam Klein  <[email protected]>
+
+        Always zero-out m_sortedTextBoxesPosition to avoid uninitialized read in TextIterator
+        https://bugs.webkit.org/show_bug.cgi?id=67810
+
+        Reviewed by Tony Chang.
+
+        Reported as a valgrind failure in http://crbug.com/84777.
+
+        No possible change in behavior, so no tests. The unitialized read
+        could never have an impact:
+
+           if (m_sortedTextBoxesPosition + 1 < m_sortedTextBoxes.size()) ...
+
+        Since m_sortedTextBoxes.size() will be zero here if
+        m_sortedTextBoxesPosition is uninitialized, and they're both unsigned,
+        so no possible value of m_sortedTextBoxesPosition could be < 0.
+
+        * editing/TextIterator.cpp:
+        (WebCore::TextIterator::TextIterator):
+
 2011-09-08  Tony Chang  <[email protected]>
 
         Cleanup of switch statements with default cases
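Review bot: "unitialized" in the line "No possible change in behavior, so no tests. The unitialized read" is a typo for "uninitialized"; worth fixing before landing since the ChangeLog entry is the permanent record. The "could never have an impact" argument describes what the compiled comparison does with an indeterminate unsigned value, not what the language guarantees: reading an uninitialized member is undefined behaviour regardless of the comparison's outcome, and that alone justifies the initializer, so a sentence saying so would make the entry stronger.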

Modified: trunk/Source/WebCore/editing/TextIterator.cpp (94823 => 94824)


--- trunk/Source/WebCore/editing/TextIterator.cpp	2011-09-09 00:50:09 UTC (rev 94823)
+++ trunk/Source/WebCore/editing/TextIterator.cpp	2011-09-09 01:14:50 UTC (rev 94824)
@@ -253,6 +253,7 @@
     , m_remainingTextBox(0)
     , m_firstLetterText(0)
     , m_lastCharacter(0)
+    , m_sortedTextBoxesPosition(0)
     , m_emitsCharactersBetweenAllVisiblePositions(false)
     , m_entersTextControls(false)
     , m_emitsTextWithoutTranscoding(false)
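Review bot: the new initializer is placed between m_lastCharacter(0) and m_emitsCharactersBetweenAllVisiblePositions(false); member initializers run in declaration order, not list order, so confirm that m_sortedTextBoxesPosition is declared at that point in TextIterator.h (the header is not part of this diff), otherwise the build will emit -Wreorder warnings.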
@@ -272,6 +273,7 @@
     , m_textLength(0)
     , m_remainingTextBox(0)
     , m_firstLetterText(0)
+    , m_sortedTextBoxesPosition(0)
     , m_emitsCharactersBetweenAllVisiblePositions(behavior & TextIteratorEmitsCharactersBetweenAllVisiblePositions)
     , m_entersTextControls(behavior & TextIteratorEntersTextControls)
     , m_emitsTextWithoutTranscoding(behavior & TextIteratorEmitsTextsWithoutTranscoding)
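Review bot: in this constructor the initializer follows m_firstLetterText(0) directly, whereas in the constructor above it follows m_lastCharacter(0), so the two lists are not visibly in the same order; please check that m_lastCharacter is also initialized here (it does not appear in the visible context) and that both lists follow the header's declaration order. Since the same member now has to be remembered in every constructor, a short comment at the declaration noting that it must be initialized would help the next person who adds one.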
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes
