Bug 140427

Summary: Correct calculation of 16-bit text iterator decode offsets
Product: WebKit Reporter: Brent Fulgham <bfulgham>
Component: WebCore Misc.Assignee: Brent Fulgham <bfulgham>
Status: RESOLVED INVALID    
Severity: Normal CC: bfulgham
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: All   
OS: All   
Attachments:
Description Flags
Patch darin: review-

Brent Fulgham
Reported 2015-01-13 20:49:54 PST
The TextCodecUTF8 and TextCodecLatin1 decoding routines have a calculation error in the update to the 'destination16' memory location. This was found by static analysis of the code. The 'destination16' variable (in both files) is a pointer to a 16-bit character value, while the 'source' value is an 8-bit value. We updated the 'source' pointer by incrementing it by the sizeof(MachineWord), which is the number of UTF8 characters we have consumed during the decode. However, the 'destination16' variable is a UChar* (a 16-bit value). If we increment it by the number of bytes, that has the effect of moving us twice the number of 16-bit characters than we should be. We should be incrementing by sizeof(MachineWord) / sizeof(UChar).
Attachments
Patch (2.63 KB, patch)
2015-01-13 20:51 PST, Brent Fulgham 		darin: review-
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Brent Fulgham
Comment 1 2015-01-13 20:51:56 PST
Created attachment 244576 [details] Patch
Brent Fulgham
Comment 2 2015-01-13 20:56:55 PST
I misunderstood what copyASCIIMachineWord was doing here. The sizeof() is the correct thing to be doing, and the Static Analyzer warning is spurious.
Darin Adler
Comment 3 2015-01-14 15:46:51 PST
Comment on attachment 244576 [details] Patch These three fixes look good. Why no regression tests for any of them? Didn’t these bugs cause any symptoms? We normally require regression tests for all bug fixes.
Darin Adler
Comment 4 2015-01-14 15:47:36 PST
Comment on attachment 244576 [details] Patch Oops, as you said, the warning was wrong for the destination16 lines!
Note You need to log in before you can comment on or make changes to this bug.