Bug 27453

Summary: Uninitialized variable in WebCore::CSSFunctionValue::parserValue
Product: WebKit
Reporter: James Hawkins <jhawkins>
Component: CSS
Assignee: David Levin <levin>
Status: RESOLVED FIXED
Severity: Normal
CC: hyatt, levin
Priority: P2
Version: 528+ (Nightly build)
Hardware: PC
OS: All
Attachments:
Patch which initializes a variable (flags: none)
removed tabs from Changelog (flags: hyatt: review+)

James Hawkins
Reported 2009-07-20 11:59:41 PDT
WebCore::CSSFunctionValue::parserValue creates a CSSParserValue for a function, but doesn't initialize isInt (which obviously should be false). I will attach a patch shortly.
Attachments
Patch which initializes a variable (1.09 KB, patch), 2009-07-20 12:02 PDT, James Hawkins, no flags
removed tabs from Changelog (1.11 KB, patch), 2009-07-20 12:16 PDT, James Hawkins, hyatt: review+
James Hawkins
Comment 1 2009-07-20 12:02:40 PDT
Created attachment 33097: Patch which initializes a variable
James Hawkins
Comment 2 2009-07-20 12:16:03 PDT
Created attachment 33099: removed tabs from Changelog
Dave Hyatt
Comment 3 2009-07-20 13:53:49 PDT
Comment on attachment 33099: removed tabs from Changelog
Test case?
James Hawkins
Comment 4 2009-07-20 14:31:39 PDT
Currently the only code that checks isInt will short-circuit on a check for CSSPrimitiveValue::CSS_NUMBER or (unitFlags & FInteger).

CSSParser.cpp 419:
    if (!b && (unitflags & FInteger) && value->isInt)

CSSParserValues.cpp 64:
    else if (unit == CSSPrimitiveValue::CSS_NUMBER && isInt)

With that being said, I don't think I can write a test case that will fail before the change and succeed with the patch applied. Regardless, code added in the future could depend on the value of isInt alone, which could be set to garbage if left uninitialized.
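The following is an added illustration, not WebKit code and not part of the bug's patch: a simplified stand-in for CSSParserValue and for the pre- and post-patch shapes of CSSFunctionValue::parserValue, showing why the guarded checks quoted in comment 4 never observe the uninitialized isInt while a consumer that reads isInt on its own would. The struct layout, the enum values and every function name here are assumptions modelled on the discussion, not copied from WebCore; a reused parser-value slot that previously held an integer is used as a deterministic stand-in for the garbage an uninitialized field can contain.

```cpp
// Added example, not WebKit code: simplified stand-ins for CSSParserValue and
// CSSFunctionValue::parserValue() from bug 27453. All names and layouts here
// are assumptions for illustration, not the real WebCore definitions.
#include <cstddef>

enum CSSUnitType { CSS_UNKNOWN = 0, CSS_NUMBER = 1, CSS_FUNCTION = 100 };
enum Units { FInteger = 0x0001, FNumber = 0x0002 };

struct CSSParserFunction;   // opaque here, as it is to the consumers below

struct CSSParserValue {
    int id;
    bool isInt;
    union {
        double fValue;
        int iValue;
        CSSParserFunction* function;
    };
    int unit;
};

// Pre-patch shape of parserValue(): every field but isInt is assigned.
static void buggyFunctionParserValue(CSSParserValue& v, CSSParserFunction* fn)
{
    v.id = 0;
    v.unit = CSS_FUNCTION;
    v.function = fn;
    // isInt deliberately not assigned: it keeps whatever the slot held before.
}

// Post-patch shape: isInt is initialized to false as well.
static void fixedFunctionParserValue(CSSParserValue& v, CSSParserFunction* fn)
{
    v.id = 0;
    v.unit = CSS_FUNCTION;
    v.function = fn;
    v.isInt = false;
}

// Mirrors the guarded checks quoted in comment 4: isInt is only consulted once
// the unit is already CSS_NUMBER, so a CSS_FUNCTION value never has it read.
static bool guardedValidInteger(const CSSParserValue& v, unsigned unitflags)
{
    if (v.unit != CSS_NUMBER)
        return false;
    bool b = (unitflags & FNumber) != 0;
    if (!b && (unitflags & FInteger) && v.isInt)
        b = true;
    return b;
}

// A hypothetical future consumer that trusts isInt alone.
static bool unguardedIsInteger(const CSSParserValue& v)
{
    return v.isInt;
}

// Simulates a parser-value slot being reused: it first holds the integer 3
// (isInt == true), then is rewritten as a function value. The stale true is a
// deterministic stand-in for the garbage an uninitialized field can hold.
static CSSParserValue reusedSlot(void (*toFunction)(CSSParserValue&, CSSParserFunction*))
{
    CSSParserValue v;
    v.id = 0;
    v.unit = CSS_NUMBER;
    v.iValue = 3;
    v.isInt = true;
    toFunction(v, nullptr);
    return v;
}

// Before the patch: the function value still reports isInt == true.
static bool unguardedSeesStaleIsInt()
{
    return unguardedIsInteger(reusedSlot(buggyFunctionParserValue));
}

// After the patch: isInt is false, as a function value should report.
static bool unguardedSeesFalseAfterFix()
{
    return unguardedIsInteger(reusedSlot(fixedFunctionParserValue));
}

// The existing guarded checks give the same answer either way, which is why
// no test that fails before the patch and passes after it could be written.
static bool guardedUnaffectedByBug()
{
    return !guardedValidInteger(reusedSlot(buggyFunctionParserValue), FInteger)
        && !guardedValidInteger(reusedSlot(fixedFunctionParserValue), FInteger);
}
```

The point a reviewer should take from this: a field that is only read behind a guard is still worth initializing, because the guard lives in the consumers, not in the value, and the next consumer may not repeat it. In real builds, MemorySanitizer is the tool that turns a read of such a field into a reported error rather than silent stale data.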
Dave Hyatt
Comment 5 2009-07-20 15:30:09 PDT
Comment on attachment 33099: removed tabs from Changelog
Ok, sounds fine.
David Levin
Comment 6 2009-07-21 11:23:48 PDT
Assigned to levin for landing
David Levin
Comment 7 2009-07-21 12:20:36 PDT