Bug 22623

Summary: Uninitialized memory access in cache parsing code
Product: WebKit
Reporter: Dean McNamee <deanm>
Component: WebCore Misc.
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal
CC: ddkilzer, koivisto
Priority: P2
Version: 528+ (Nightly build)
Hardware: PC
OS: OS X 10.5
Attachments:
Description | Flags
Patch to initialize the variables in the constructors. | ddkilzer: review+
Added bug reference | none

Description Dean McNamee 2008-12-03 05:13:02 PST
http://trac.webkit.org/changeset/38145
https://bugs.webkit.org/show_bug.cgi?id=21596

This patch added two additional fields:

    mutable bool m_haveParsedCacheControlHeader:1;
    mutable bool m_haveParsedPragmaHeader:1;

These are not initialized anywhere. They should likely both be set to false in the constructor above. This is causing undefined behavior; it can lead to the code thinking we have already parsed the cache control header (and returning the already parsed value), when we actually have not parsed anything.
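The failure mode described in the report, as an added illustration that is not WebKit's code: a cut-down stand-in for ResourceResponseBase with one lazily parsed header guarded by a "have parsed" bit-field flag, shown without the initializer and with the fix applied. The struct and function names are hypothetical.

```cpp
#include <cstring>
#include <new>
#include <string>
// Added illustration, not WebKit code: a cut-down stand-in for ResourceResponseBase
// with one lazily parsed header guarded by a "have parsed" bit-field flag.
// Before the fix: the flags have no initializer, so a fresh object carries
// whatever bits were already in its storage; reading them is undefined behavior.
struct ResponseBefore {
    std::string m_cacheControl;
    mutable bool m_cacheControlContainsNoCache : 1;
    mutable bool m_haveParsedCacheControlHeader : 1;
    explicit ResponseBefore(const std::string& h) : m_cacheControl(h) {}
    bool cacheControlContainsNoCache() const {
        if (!m_haveParsedCacheControlHeader) {  // may wrongly read "already parsed"
            m_cacheControlContainsNoCache = m_cacheControl.find("no-cache") != std::string::npos;
            m_haveParsedCacheControlHeader = true;
        }
        return m_cacheControlContainsNoCache;   // then a never-computed value is returned
    }
};

// After the fix: every flag is set in the constructor initializer list, which is
// what the landed patch does for the two WebKit flags named in the report.
struct ResponseAfter {
    std::string m_cacheControl;
    mutable bool m_cacheControlContainsNoCache : 1;
    mutable bool m_haveParsedCacheControlHeader : 1;
    explicit ResponseAfter(const std::string& h)
        : m_cacheControl(h), m_cacheControlContainsNoCache(false), m_haveParsedCacheControlHeader(false) {}
    bool cacheControlContainsNoCache() const {
        if (!m_haveParsedCacheControlHeader) {
            m_cacheControlContainsNoCache = m_cacheControl.find("no-cache") != std::string::npos;
            m_haveParsedCacheControlHeader = true;
        }
        return m_cacheControlContainsNoCache;
    }
};

// Construct the object in storage pre-filled with 0xFF (mimicking reused memory)
// so the missing initializer becomes observable. The "before" outcome is what
// typically happens on real compilers, not something the language guarantees.
template <class Response>
bool cacheControlSaysNoCache(const std::string& header) {
    alignas(Response) unsigned char storage[sizeof(Response)];
    std::memset(storage, 0xFF, sizeof storage);
    Response* r = new (storage) Response(header);
    bool result = r->cacheControlContainsNoCache();
    r->~Response();
    return result;
}
```

With the storage poisoned this way, `cacheControlSaysNoCache<ResponseBefore>("max-age=60")` will usually report true, the stale "already parsed" result the report describes, while the `ResponseAfter` variant parses the header and reports false.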
Comment 1 Dean McNamee 2008-12-03 05:17:59 PST
Created attachment 25707 [details]
Patch to initialize the variables in the constructors.
Comment 2 David Kilzer (:ddkilzer) 2008-12-03 06:32:50 PST
Comment on attachment 25707 [details]
Patch to initialize the variables in the constructors.

>+2008-12-03  Dean McNamee  <deanm@chromium.org>
>+
>+        Reviewed by NOBODY (OOPS!).
>+
>+        Initialize m_haveParsedCacheControlHeader and m_haveParsedPragmaHeader.
>+
>+        * platform/network/ResourceResponseBase.h:
>+        (WebCore::ResourceResponseBase::ResourceResponseBase):
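Review bot: the "Reviewed by NOBODY (OOPS!)." line is the unfilled template placeholder and must carry the reviewer's name before this lands, and the entry has no reference to this bug; add the bug URL (https://bugs.webkit.org/show_bug.cgi?id=22623) on its own line under the summary line, as WebKit ChangeLog entries do.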

Please include a reference to this bug in the ChangeLog entry before landing the patch.

Otherwise, looks good.  Thanks for finding this!  r=me
Comment 3 Dean McNamee 2008-12-03 06:38:12 PST
Created attachment 25709 [details]
Added bug reference
Comment 4 Dean McNamee 2008-12-03 06:41:34 PST
Added a reference to the bug.  I don't have commit access, so if you could commit it for me that'd be great.  Thanks!
Comment 5 David Kilzer (:ddkilzer) 2008-12-03 07:02:03 PST
$ git svn dcommit
Committing to http://svn.webkit.org/repository/webkit/trunk ...
        M       WebCore/ChangeLog
        M       WebCore/platform/network/ResourceResponseBase.h
Committed r38940

Comment 6 David Kilzer (:ddkilzer) 2008-12-03 07:05:32 PST
http://trac.webkit.org/changeset/38940