17030 2008-01-27 03:46:18 -0800 Small buffer overflow within initialization 2008-02-27 09:14:34 -0800 1 1 1 Unclassified WebKit JavaScriptCore 528+ (Nightly build) PC Linux RESOLVED FIXED P2 Normal --- 1 stbinner ap ap ddkilzer oldest_to_newest 68355 0 stbinner 2008-01-27 03:46:18 -0800 The patch should say enough :-).... --- JavaScriptCore/kjs/date_object.cpp 2008/01/16 12:24:15 1.1 +++ JavaScriptCore/kjs/date_object.cpp 2008/01/16 12:24:21 @@ -908,7 +908,7 @@ // fall back to local timezone if (!haveTZ) { GregorianDateTime t; - memset(&t, 0, sizeof(tm)); + memset(&t, 0, sizeof(t)); t.monthDay = day; t.month = month; t.year = year - 1900; 68359 1 ap 2008-01-27 07:31:10 -0800 Wow, thanks for catching this! AFAICT, on the Mac, these structs are the same - is struct tm bigger on Linux? Also, GregorianDateTime is initialized to zero anyway, so we should probably just take out the calls to memset here and elsewhere. Would you be willing to submit this for review as described in <http://webkit.org/coding/contributing.html>? 68367 2 stbinner 2008-01-27 11:31:21 -0800 On x86_64 it is. 68368 3 18723 stbinner 2008-01-27 11:32:28 -0800 Created attachment 18723 Same as in original post 68372 4 18723 ap 2008-01-27 12:05:14 -0800 Comment on attachment 18723 Same as in original post Instead of correcting memset usage, we should just remove it (not just here, but all the instances that were mistakenly used for GregorianDateTime initialization). Also, the patch needs a change log. 71470 5 19273 ap 2008-02-21 22:33:51 -0800 Created attachment 19273 proposed fix 72146 6 ap 2008-02-27 09:14:34 -0800 Committed revision 30625. 18723 2008-01-27 11:32:28 -0800 2008-02-21 22:33:51 -0800 Same as in original post data_object.diff text/plain 390 stbinner LS0tIEphdmFTY3JpcHRDb3JlL2tqcy9kYXRlX29iamVjdC5jcHAgIDIwMDgvMDEvMTYgMTI6MjQ6 MTUgICAgIDEuMQorKysgSmF2YVNjcmlwdENvcmUva2pzL2RhdGVfb2JqZWN0LmNwcCAgMjAwOC8w MS8xNiAxMjoyNDoyMQpAQCAtOTA4LDcgKzkwOCw3IEBACiAgICAgLy8gZmFsbCBiYWNrIHRvIGxv Y2FsIHRpbWV6b25lCiAgICAgaWYgKCFoYXZlVFopIHsKICAgICAgICAgR3JlZ29yaWFuRGF0ZVRp bWUgdDsKLSAgICAgICAgbWVtc2V0KCZ0LCAwLCBzaXplb2YodG0pKTsKKyAgICAgICAgbWVtc2V0 KCZ0LCAwLCBzaXplb2YodCkpOwogICAgICAgICB0Lm1vbnRoRGF5ID0gZGF5OwogICAgICAgICB0 Lm1vbnRoID0gbW9udGg7CiAgICAgICAgIHQueWVhciA9IHllYXIgLSAxOTAwOwoK 19273 2008-02-21 22:33:51 -0800 2008-02-21 23:51:00 -0800 proposed fix memset.txt text/plain 1456 ap SW5kZXg6IEphdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwo9PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBKYXZhU2NyaXB0 Q29yZS9DaGFuZ2VMb2cJKHJldmlzaW9uIDMwNDczKQorKysgSmF2YVNjcmlwdENvcmUvQ2hhbmdl TG9nCSh3b3JraW5nIGNvcHkpCkBAIC0xLDMgKzEsMTUgQEAKKzIwMDgtMDItMjEgIEFsZXhleSBQ cm9za3VyeWFrb3YgIDxhcEB3ZWJraXQub3JnPgorCisgICAgICAgIFJldmlld2VkIGJ5IE5PQk9E WSAoT09QUyEpLgorCisgICAgICAgIGh0dHA6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dp P2lkPTE3MDMwCisgICAgICAgIFNtYWxsIGJ1ZmZlciBvdmVyZmxvdyB3aXRoaW4gaW5pdGlhbGl6 YXRpb24KKworICAgICAgICAqIGtqcy9kYXRlX29iamVjdC5jcHA6CisgICAgICAgIChLSlM6OkRh dGVPYmplY3RGdW5jSW1wOjpjYWxsQXNGdW5jdGlvbik6CisgICAgICAgIChLSlM6OnBhcnNlRGF0 ZSk6CisgICAgICAgIFJlbW92ZSB1bm5lY2Vzc2FyeSBhbmQgaW5jb3JyZWN0IG1lbXNldCgpIGNh bGxzIC0gR3JlZ29yaWFuRGF0ZVRpbWUgY2FuIGluaXRpYWxpemUgaXRzZWxmLgorCiAyMDA4LTAy LTIwICBNaWNoYWVsIEtuYXVwICA8bWljaGFlbC5rbmF1cEBtYWMuY29tPgogCiAgICAgICAgIFJl dmlld2VkIGJ5IERhcmluLgpJbmRleDogSmF2YVNjcmlwdENvcmUva2pzL2RhdGVfb2JqZWN0LmNw cAo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09Ci0tLSBKYXZhU2NyaXB0Q29yZS9ranMvZGF0ZV9vYmplY3QuY3BwCShyZXZp c2lvbiAzMDQ1NikKKysrIEphdmFTY3JpcHRDb3JlL2tqcy9kYXRlX29iamVjdC5jcHAJKHdvcmtp bmcgY29weSkKQEAgLTU0OSw3ICs1NDksNiBAQCBKU1ZhbHVlICpEYXRlT2JqZWN0RnVuY0ltcDo6 Y2FsbEFzRnVuY3RpCiAgICAgfQogCiAgICAgR3JlZ29yaWFuRGF0ZVRpbWUgdDsKLSAgICBtZW1z ZXQoJnQsIDAsIHNpemVvZih0KSk7CiAgICAgaW50IHllYXIgPSBhcmdzWzBdLT50b0ludDMyKGV4 ZWMpOwogICAgIHQueWVhciA9ICh5ZWFyID49IDAgJiYgeWVhciA8PSA5OSkgPyB5ZWFyIDogeWVh ciAtIDE5MDA7CiAgICAgdC5tb250aCA9IGFyZ3NbMV0tPnRvSW50MzIoZXhlYyk7CkBAIC05MTYs NyArOTE1LDYgQEAgc3RhdGljIGRvdWJsZSBwYXJzZURhdGUoY29uc3QgVVN0cmluZyAmZAogICAg IC8vIGZhbGwgYmFjayB0byBsb2NhbCB0aW1lem9uZQogICAgIGlmICghaGF2ZVRaKSB7CiAgICAg ICAgIEdyZWdvcmlhbkRhdGVUaW1lIHQ7Ci0gICAgICAgIG1lbXNldCgmdCwgMCwgc2l6ZW9mKHRt KSk7CiAgICAgICAgIHQubW9udGhEYXkgPSBkYXk7CiAgICAgICAgIHQubW9udGggPSBtb250aDsK ICAgICAgICAgdC55ZWFyID0geWVhciAtIDE5MDA7Cg==