Bug 12559

Summary: REGRESSION: Crash in checkForHeadCharset() under GuardMalloc
Product: WebKit Reporter: Alexey Proskuryakov <ap>
Component: Page Loading Assignee: Alexey Proskuryakov <ap>
Status: RESOLVED FIXED    
Severity: Critical CC: mitz, mrowe
Priority: P1 Keywords: Regression
Version: 420+   
Hardware: Mac   
OS: OS X 10.4   
Attachments:
Description Flags
proposed fix darin: review+

Alexey Proskuryakov
Reported 2007-02-03 07:39:02 PST
run-webkit-tests fast/events/event-targets.html --guard-malloc

This happens because the test for end of buffer is incorrect - it is not actually null terminated. Same problem is present elsewhere in this function, and I'm not sure if the code was buggy from the beginning, or some refactoring rendered it wrong.
Attachments
proposed fix (3.70 KB, patch)
2007-02-03 07:47 PST, Alexey Proskuryakov
darin: review+
Alexey Proskuryakov
Comment 1 2007-02-03 07:47:05 PST
Created attachment 12900: proposed fix
Sam Weinig
Comment 2 2007-02-03 08:24:21 PST
Small style snafu, a double space snuck in between the < and the pEnd. - while (ptr != pEnd) { + while (ptr + 7 < pEnd) { // +7 guarantees that "<!--" and "<?xml" fit in the buffer - and certainly we aren't going to lose any "charset" that way.
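Review bot: in the added condition `while (ptr + 7 < pEnd)`, the sum `ptr + 7` is formed before the comparison, so once fewer than 7 bytes remain it points past pEnd, and if pEnd is the end of the allocation that pointer arithmetic is undefined in C++ even though nothing is dereferenced. Writing the bound as a remaining-length check, `pEnd - ptr > 7`, keeps the same cutoff without the out-of-range pointer; a named constant in place of the bare 7 would also tie the bound to the literals the comment mentions.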
Darin Adler
Comment 3 2007-02-03 12:04:38 PST
Comment on attachment 12900: proposed fix

r=me
Alexey Proskuryakov
Comment 4 2007-02-03 12:24:27 PST
Committed revision 19387.
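
The root cause in the report is an end-of-buffer test that relies on a terminator the buffer does not have. As an added illustration (not WebKit's code and not the attached patch), this C example bounds every literal comparison by the remaining length instead; the function names are hypothetical and the input strings are constructed.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* True if the literal `lit` starts at `ptr`, never reading at or past `end`.
   The remaining length is checked first, so no terminator is needed. */
static int starts_with(const char *ptr, const char *end, const char *lit)
{
    size_t n = strlen(lit);
    return (size_t)(end - ptr) >= n && memcmp(ptr, lit, n) == 0;
}

/* Offset of the first occurrence of `lit` in buf[0..len), or -1.
   The loop bound comes from `len` only; buf need not be NUL-terminated. */
static long find_literal(const char *buf, size_t len, const char *lit)
{
    const char *end = buf + len;
    for (const char *ptr = buf; ptr != end; ++ptr)
        if (starts_with(ptr, end, lit))
            return (long)(ptr - buf);
    return -1;
}

/* Constructed input: copy `text` into a heap block of exactly its length,
   with no trailing NUL, so a guard allocator would trap any over-read. */
static long find_in_exact_buffer(const char *text, const char *lit)
{
    size_t len = strlen(text);
    char *buf = malloc(len ? len : 1);
    if (!buf)
        return -2;
    memcpy(buf, text, len);
    long pos = find_literal(buf, len, lit);
    free(buf);
    return pos;
}

int main(void)
{
    /* A marker truncated at the very end of the buffer must not match. */
    return find_in_exact_buffer("<meta charset=x><!-", "<!--") == -1 ? 0 : 1;
}
```

Running a check like this under a guard allocator (the report used --guard-malloc) turns any read past the exact-size block into an immediate fault.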