22623 2008-12-03 05:13:02 -0800 Uninitialized memory access in cache parsing code 2008-12-03 07:05:32 -0800 1 1 1 Unclassified WebKit WebCore Misc. 528+ (Nightly build) PC OS X 10.5 RESOLVED FIXED P2 Normal --- 1 deanm webkit-unassigned ddkilzer koivisto oldest_to_newest 101181 0 deanm 2008-12-03 05:13:02 -0800 http://trac.webkit.org/changeset/38145 https://bugs.webkit.org/show_bug.cgi?id=21596 This patch added two additional fields: 129 mutable bool m_haveParsedCacheControlHeader:1; 130 mutable bool m_haveParsedPragmaHeader:1; These are not initialized anywhere. They should likely both be set to false in the constructor above. This is causing undefined behavior, it can lead to the code thinking we have already parsed the cache control header (and returning the already parsed value), when we actually have no parsed anything. 101182 1 25707 deanm 2008-12-03 05:17:59 -0800 Created attachment 25707 Patch to initialize the variables in the contructors. 101191 2 25707 ddkilzer 2008-12-03 06:32:50 -0800 Comment on attachment 25707 Patch to initialize the variables in the contructors. >+2008-12-03 Dean McNamee <deanm@chromium.org> >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ Initialize m_haveParsedCacheControlHeader and m_haveParsedPragmaHeader. >+ >+ * platform/network/ResourceResponseBase.h: >+ (WebCore::ResourceResponseBase::ResourceResponseBase): Please include a reference to this bug in the ChangeLog entry before landing the patch. Otherwise, looks good. Thanks for finding this! r=me 101192 3 25709 deanm 2008-12-03 06:38:12 -0800 Created attachment 25709 Added bug reference 101194 4 deanm 2008-12-03 06:41:34 -0800 Added a reference to the bug. I don't have commit access, so if you could commit it for me that'd be great. Thanks! 101197 5 ddkilzer 2008-12-03 07:02:03 -0800 $ git svn dcommit Committing to http://svn.webkit.org/repository/webkit/trunk ... M WebCore/ChangeLog M WebCore/platform/network/ResourceResponseBase.h Committed r38940 101198 6 ddkilzer 2008-12-03 07:05:32 -0800 http://trac.webkit.org/changeset/38940 25707 2008-12-03 05:17:59 -0800 2008-12-03 06:32:50 -0800 Patch to initialize the variables in the contructors. z.diff text/plain 1256 deanm ZGlmZiAtLWdpdCBhL1dlYkNvcmUvQ2hhbmdlTG9nIGIvV2ViQ29yZS9DaGFuZ2VMb2cKaW5kZXgg M2U1YmM5Ny4uZTViYjllYiAxMDA2NDQKLS0tIGEvV2ViQ29yZS9DaGFuZ2VMb2cKKysrIGIvV2Vi Q29yZS9DaGFuZ2VMb2cKQEAgLTEsMyArMSwxMiBAQAorMjAwOC0xMi0wMyAgRGVhbiBNY05hbWVl ICA8ZGVhbm1AY2hyb21pdW0ub3JnPgorCisgICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAoT09Q UyEpLgorCisgICAgICAgIEluaXRpYWxpemUgbV9oYXZlUGFyc2VkQ2FjaGVDb250cm9sSGVhZGVy IGFuZCBtX2hhdmVQYXJzZWRQcmFnbWFIZWFkZXIuCisKKyAgICAgICAgKiBwbGF0Zm9ybS9uZXR3 b3JrL1Jlc291cmNlUmVzcG9uc2VCYXNlLmg6CisgICAgICAgIChXZWJDb3JlOjpSZXNvdXJjZVJl c3BvbnNlQmFzZTo6UmVzb3VyY2VSZXNwb25zZUJhc2UpOgorCiAyMDA4LTEyLTAzICBBbnR0aSBL b2l2aXN0byAgPGFudHRpQGFwcGxlLmNvbT4KIAogICAgICAgICBQcm9iYWJsZSBidWlsZCBmaXgu CmRpZmYgLS1naXQgYS9XZWJDb3JlL3BsYXRmb3JtL25ldHdvcmsvUmVzb3VyY2VSZXNwb25zZUJh c2UuaCBiL1dlYkNvcmUvcGxhdGZvcm0vbmV0d29yay9SZXNvdXJjZVJlc3BvbnNlQmFzZS5oCmlu ZGV4IDNkZTFhMmYuLmI4MzEzZTcgMTAwNjQ0Ci0tLSBhL1dlYkNvcmUvcGxhdGZvcm0vbmV0d29y ay9SZXNvdXJjZVJlc3BvbnNlQmFzZS5oCisrKyBiL1dlYkNvcmUvcGxhdGZvcm0vbmV0d29yay9S ZXNvdXJjZVJlc3BvbnNlQmFzZS5oCkBAIC05MSw2ICs5MSw4IEBAIGNsYXNzIFJlc291cmNlUmVz cG9uc2VCYXNlIHsKICAgICAgICAgLCBtX2V4cGlyYXRpb25EYXRlKDApCiAgICAgICAgICwgbV9s YXN0TW9kaWZpZWREYXRlKDApCiAgICAgICAgICwgbV9pc051bGwodHJ1ZSkKKyAgICAgICAgLCBt X2hhdmVQYXJzZWRDYWNoZUNvbnRyb2xIZWFkZXIoZmFsc2UpCisgICAgICAgICwgbV9oYXZlUGFy c2VkUHJhZ21hSGVhZGVyKGZhbHNlKQogICAgIHsKICAgICB9CiAKQEAgLTEwNCw2ICsxMDYsOCBA QCBjbGFzcyBSZXNvdXJjZVJlc3BvbnNlQmFzZSB7CiAgICAgICAgICwgbV9leHBpcmF0aW9uRGF0 ZSgwKQogICAgICAgICAsIG1fbGFzdE1vZGlmaWVkRGF0ZSgwKQogICAgICAgICAsIG1faXNOdWxs KGZhbHNlKQorICAgICAgICAsIG1faGF2ZVBhcnNlZENhY2hlQ29udHJvbEhlYWRlcihmYWxzZSkK KyAgICAgICAgLCBtX2hhdmVQYXJzZWRQcmFnbWFIZWFkZXIoZmFsc2UpCiAgICAgewogICAgIH0K IAo= 25709 2008-12-03 06:38:12 -0800 2008-12-03 06:38:12 -0800 Added bug reference z.diff text/plain 1311 deanm ZGlmZiAtLWdpdCBhL1dlYkNvcmUvQ2hhbmdlTG9nIGIvV2ViQ29yZS9DaGFuZ2VMb2cKaW5kZXgg M2U1YmM5Ny4uOGM1YzhmNSAxMDA2NDQKLS0tIGEvV2ViQ29yZS9DaGFuZ2VMb2cKKysrIGIvV2Vi Q29yZS9DaGFuZ2VMb2cKQEAgLTEsMyArMSwxMyBAQAorMjAwOC0xMi0wMyAgRGVhbiBNY05hbWVl ICA8ZGVhbm1AY2hyb21pdW0ub3JnPgorCisgICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAoT09Q UyEpLgorCisgICAgICAgIEluaXRpYWxpemUgbV9oYXZlUGFyc2VkQ2FjaGVDb250cm9sSGVhZGVy IGFuZCBtX2hhdmVQYXJzZWRQcmFnbWFIZWFkZXIuCisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJr aXQub3JnL3Nob3dfYnVnLmNnaT9pZD0yMjYyMworCisgICAgICAgICogcGxhdGZvcm0vbmV0d29y ay9SZXNvdXJjZVJlc3BvbnNlQmFzZS5oOgorICAgICAgICAoV2ViQ29yZTo6UmVzb3VyY2VSZXNw b25zZUJhc2U6OlJlc291cmNlUmVzcG9uc2VCYXNlKToKKwogMjAwOC0xMi0wMyAgQW50dGkgS29p dmlzdG8gIDxhbnR0aUBhcHBsZS5jb20+CiAKICAgICAgICAgUHJvYmFibGUgYnVpbGQgZml4Lgpk aWZmIC0tZ2l0IGEvV2ViQ29yZS9wbGF0Zm9ybS9uZXR3b3JrL1Jlc291cmNlUmVzcG9uc2VCYXNl LmggYi9XZWJDb3JlL3BsYXRmb3JtL25ldHdvcmsvUmVzb3VyY2VSZXNwb25zZUJhc2UuaAppbmRl eCAzZGUxYTJmLi5iODMxM2U3IDEwMDY0NAotLS0gYS9XZWJDb3JlL3BsYXRmb3JtL25ldHdvcmsv UmVzb3VyY2VSZXNwb25zZUJhc2UuaAorKysgYi9XZWJDb3JlL3BsYXRmb3JtL25ldHdvcmsvUmVz b3VyY2VSZXNwb25zZUJhc2UuaApAQCAtOTEsNiArOTEsOCBAQCBjbGFzcyBSZXNvdXJjZVJlc3Bv bnNlQmFzZSB7CiAgICAgICAgICwgbV9leHBpcmF0aW9uRGF0ZSgwKQogICAgICAgICAsIG1fbGFz dE1vZGlmaWVkRGF0ZSgwKQogICAgICAgICAsIG1faXNOdWxsKHRydWUpCisgICAgICAgICwgbV9o YXZlUGFyc2VkQ2FjaGVDb250cm9sSGVhZGVyKGZhbHNlKQorICAgICAgICAsIG1faGF2ZVBhcnNl ZFByYWdtYUhlYWRlcihmYWxzZSkKICAgICB7CiAgICAgfQogCkBAIC0xMDQsNiArMTA2LDggQEAg Y2xhc3MgUmVzb3VyY2VSZXNwb25zZUJhc2UgewogICAgICAgICAsIG1fZXhwaXJhdGlvbkRhdGUo MCkKICAgICAgICAgLCBtX2xhc3RNb2RpZmllZERhdGUoMCkKICAgICAgICAgLCBtX2lzTnVsbChm YWxzZSkKKyAgICAgICAgLCBtX2hhdmVQYXJzZWRDYWNoZUNvbnRyb2xIZWFkZXIoZmFsc2UpCisg ICAgICAgICwgbV9oYXZlUGFyc2VkUHJhZ21hSGVhZGVyKGZhbHNlKQogICAgIHsKICAgICB9CiAK