| Field | Value |
|---|---|
| Summary | WebBackForwardList::back/ForwardListWithLimit() crashes if passed a limit larger than max int |
| Product | WebKit |
| Component | WebKit2 |
| Status | RESOLVED FIXED |
| Severity | Normal |
| Priority | P2 |
| Version | 528+ (Nightly build) |
| Hardware | All |
| OS | All |
| Reporter | John Sullivan <sullivan> |
| Assignee | John Sullivan <sullivan> |
| CC | aroben |
Description
John Sullivan
2010-07-29 12:36:24 PDT
Created attachment 62989 [details]
Patch to cast to unsigned rather than int, to avoid wrapping
Comment on attachment 62989 [details]
Patch to cast to unsigned rather than int, to avoid wrapping

> - unsigned size = std::min(backListCount(), static_cast<int>(limit));
> + unsigned size = std::min(static_cast<unsigned>(backListCount()), limit);

Why does backListCount return an int? Seems like it should return unsigned.

I agree that backForwardCount() should not return an int. Probably all of these functions should deal with size_t's. But I didn't want to get into that territory for this fix.

Checked in as http://trac.webkit.org/changeset/64306

I filed a bug about the inconsistent use of types in this area: <https://bugs.webkit.org/show_bug.cgi?id=43214>
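Review bot: in the quoted `+` line, `static_cast<unsigned>(backListCount())` relies on `backListCount()` never being negative. Because it returns `int`, a negative value would convert to a very large unsigned number, and `std::min` would then return `limit` unchanged as the size. Until the return type is changed, an assertion that `backListCount() >= 0` immediately before the cast would make that assumption explicit and catch a violation in debug builds. The removed line shows the original failure mode in the other direction: `static_cast<int>(limit)` becomes negative for a limit above max int, `std::min` picks it, and the result wraps when stored in `unsigned size`. A short comment on the new line recording why the cast is on the count rather than on `limit` would keep a later cleanup from reintroducing it.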