140427 2015-01-13 20:49:54 -0800 Correct calculation of 16-bit text iterator decode offsets 2015-01-14 15:47:36 -0800 1 1 1 Unclassified WebKit WebCore Misc. 528+ (Nightly build) All All RESOLVED INVALID P2 Normal --- 1 bfulgham bfulgham bfulgham oldest_to_newest 1061058 0 bfulgham 2015-01-13 20:49:54 -0800 The TextCodecUTF8 and TextCodecLatin1 decoding routines have a calculation error in the update to the 'destination16' memory location. This was found by static analysis of the code. The 'destination16' variable (in both files) is a pointer to a 16-bit character value, while the 'source' value is an 8-bit value. We updated the 'source' pointer by incrementing it by the sizeof(MachineWord), which is the number of UTF8 characters we have consumed during the decode. However, the 'destination16' variable is a UChar* (a 16-bit value). If we increment it by the number of bytes, that has the effect of moving us twice the number of 16-bit characters than we should be. We should be incrementing by sizeof(MachineWord) / sizeof(UChar). 1061060 1 244576 bfulgham 2015-01-13 20:51:56 -0800 Created attachment 244576 Patch 1061064 2 bfulgham 2015-01-13 20:56:55 -0800 I misunderstood what copyASCIIMachineWord was doing here. The sizeof() is the correct thing to be doing, and the Static Analyzer warning is spurious. 1061366 3 244576 darin 2015-01-14 15:46:51 -0800 Comment on attachment 244576 Patch These three fixes look good. Why no regression tests for any of them? Didn’t these bugs cause any symptoms? We normally require regression tests for all bug fixes. 1061368 4 244576 darin 2015-01-14 15:47:36 -0800 Comment on attachment 244576 Patch Oops, as you said, the warning was wrong for the destination16 lines! 244576 2015-01-13 20:51:56 -0800 2015-01-14 15:47:36 -0800 Patch bug-140427-20150113205901.patch text/plain 2693 bfulgham SW5kZXg6IFNvdXJjZS9XZWJDb3JlL0NoYW5nZUxvZwo9PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2UvV2Vi Q29yZS9DaGFuZ2VMb2cJKHJldmlzaW9uIDE3ODQwNSkKKysrIFNvdXJjZS9XZWJDb3JlL0NoYW5n ZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDE3IEBACisyMDE1LTAxLTEzICBCcmVudCBG dWxnaGFtICA8YmZ1bGdoYW1AYXBwbGUuY29tPgorCisgICAgICAgIENvcnJlY3QgY2FsY3VsYXRp b24gb2YgMTYtYml0IHRleHQgaXRlcmF0b3IgZGVjb2RlIG9mZnNldHMKKyAgICAgICAgaHR0cHM6 Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTE0MDQyNworCisgICAgICAgIFJldmll d2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorCisgICAgICAgICogcGxhdGZvcm0vdGV4dC9CaWRpUnVu TGlzdC5oOgorICAgICAgICAoV2ViQ29yZTo6QmlkaVJ1bkxpc3Q8UnVuPjo6cmV2ZXJzZVJ1bnMp OiBBdm9pZCBudWxsIGRlcmVmZXJlbmNlLgorICAgICAgICAqIHBsYXRmb3JtL3RleHQvVGV4dENv ZGVjTGF0aW4xLmNwcDoKKyAgICAgICAgKFdlYkNvcmU6OlRleHRDb2RlY0xhdGluMTo6ZGVjb2Rl KTogQ29ycmVjdCBtYXRoIGZvciAxNi1iaXQgY2hhcmFjdGVyLgorICAgICAgICAqIHBsYXRmb3Jt L3RleHQvVGV4dENvZGVjVVRGOC5jcHA6CisgICAgICAgIChXZWJDb3JlOjpUZXh0Q29kZWNVVEY4 OjpkZWNvZGUpOiBEaXR0by4KKwogMjAxNS0wMS0xMyAgQ29tbWl0IFF1ZXVlICA8Y29tbWl0LXF1 ZXVlQHdlYmtpdC5vcmc+CiAKICAgICAgICAgVW5yZXZpZXdlZCwgcm9sbGluZyBvdXQgcjE3ODQw MC4KSW5kZXg6IFNvdXJjZS9XZWJDb3JlL3BsYXRmb3JtL3RleHQvQmlkaVJ1bkxpc3QuaAo9PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09Ci0tLSBTb3VyY2UvV2ViQ29yZS9wbGF0Zm9ybS90ZXh0L0JpZGlSdW5MaXN0LmgJKHJl dmlzaW9uIDE3ODM2NCkKKysrIFNvdXJjZS9XZWJDb3JlL3BsYXRmb3JtL3RleHQvQmlkaVJ1bkxp c3QuaAkod29ya2luZyBjb3B5KQpAQCAtMjQxLDcgKzI0MSw4IEBAIHZvaWQgQmlkaVJ1bkxpc3Q8 UnVuPjo6cmV2ZXJzZVJ1bnModW5zaWcKICAgICBlbHNlCiAgICAgICAgIG1fZmlyc3RSdW4gPSBl bmRSdW47CiAKLSAgICBzdGFydFJ1bi0+bV9uZXh0ID0gYWZ0ZXJFbmQ7CisgICAgaWYgKHN0YXJ0 UnVuKQorICAgICAgICBzdGFydFJ1bi0+bV9uZXh0ID0gYWZ0ZXJFbmQ7CiAgICAgaWYgKCFhZnRl ckVuZCkKICAgICAgICAgbV9sYXN0UnVuID0gc3RhcnRSdW47CiB9CkluZGV4OiBTb3VyY2UvV2Vi Q29yZS9wbGF0Zm9ybS90ZXh0L1RleHRDb2RlY0xhdGluMS5jcHAKPT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291 cmNlL1dlYkNvcmUvcGxhdGZvcm0vdGV4dC9UZXh0Q29kZWNMYXRpbjEuY3BwCShyZXZpc2lvbiAx NzgzNjQpCisrKyBTb3VyY2UvV2ViQ29yZS9wbGF0Zm9ybS90ZXh0L1RleHRDb2RlY0xhdGluMS5j cHAJKHdvcmtpbmcgY29weSkKQEAgLTE5Niw3ICsxOTYsNyBAQCB1cENvbnZlcnRUbzE2Qml0Ogog ICAgICAgICAgICAgICAgICAgICAKICAgICAgICAgICAgICAgICAgICAgY29weUFTQ0lJTWFjaGlu ZVdvcmQoZGVzdGluYXRpb24xNiwgc291cmNlKTsKICAgICAgICAgICAgICAgICAgICAgc291cmNl ICs9IHNpemVvZihNYWNoaW5lV29yZCk7Ci0gICAgICAgICAgICAgICAgICAgIGRlc3RpbmF0aW9u MTYgKz0gc2l6ZW9mKE1hY2hpbmVXb3JkKTsKKyAgICAgICAgICAgICAgICAgICAgZGVzdGluYXRp b24xNiArPSBzaXplb2YoTWFjaGluZVdvcmQpIC8gc2l6ZW9mKFVDaGFyKTsKICAgICAgICAgICAg ICAgICB9CiAgICAgICAgICAgICAgICAgCiAgICAgICAgICAgICAgICAgaWYgKHNvdXJjZSA9PSBl bmQpCkluZGV4OiBTb3VyY2UvV2ViQ29yZS9wbGF0Zm9ybS90ZXh0L1RleHRDb2RlY1VURjguY3Bw Cj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT0KLS0tIFNvdXJjZS9XZWJDb3JlL3BsYXRmb3JtL3RleHQvVGV4dENvZGVjVVRG OC5jcHAJKHJldmlzaW9uIDE3ODM2NCkKKysrIFNvdXJjZS9XZWJDb3JlL3BsYXRmb3JtL3RleHQv VGV4dENvZGVjVVRGOC5jcHAJKHdvcmtpbmcgY29weSkKQEAgLTM3Niw3ICszNzYsNyBAQCB1cENv bnZlcnRUbzE2Qml0OgogICAgICAgICAgICAgICAgICAgICAgICAgICAgIGJyZWFrOwogICAgICAg ICAgICAgICAgICAgICAgICAgY29weUFTQ0lJTWFjaGluZVdvcmQoZGVzdGluYXRpb24xNiwgc291 cmNlKTsKICAgICAgICAgICAgICAgICAgICAgICAgIHNvdXJjZSArPSBzaXplb2YoTWFjaGluZVdv cmQpOwotICAgICAgICAgICAgICAgICAgICAgICAgZGVzdGluYXRpb24xNiArPSBzaXplb2YoTWFj aGluZVdvcmQpOworICAgICAgICAgICAgICAgICAgICAgICAgZGVzdGluYXRpb24xNiArPSBzaXpl b2YoTWFjaGluZVdvcmQpIC8gc2l6ZW9mKFVDaGFyKTsKICAgICAgICAgICAgICAgICAgICAgfQog ICAgICAgICAgICAgICAgICAgICBpZiAoc291cmNlID09IGVuZCkKICAgICAgICAgICAgICAgICAg ICAgICAgIGJyZWFrOwo=