Bug 43369

Summary: WebBackForwardList::forwardListAsImmutableArrayWithLimit can return partly-uninitialized array
Product: WebKit Reporter: John Sullivan <sullivan>
Component: WebKit2Assignee: John Sullivan <sullivan>
Status: RESOLVED FIXED    
Severity: Major    
Priority: P1    
Version: 528+ (Nightly build)   
Hardware: All   
OS: All   
Attachments:
Description Flags
Compute "last" a simpler way that doesn't have overflow potential. adachan: review+

John Sullivan
Reported 2010-08-02 11:20:36 PDT
WebBackForwardList::forwardListAsImmutableArrayWithLimit() has incorrect math that can result in it returning an array that is only partly (or not at all) filled in. The offending line is this one: unsigned last = std::min(m_current + limit, static_cast<unsigned>(m_entries.size() - 1)); if m_current + limit is larger than numeric_limits<unsigned>::max(), this expression will return the wrong value, and the subsequent for loop can skip filling in data for some array slots.
Attachments
Compute "last" a simpler way that doesn't have overflow potential. (1.38 KB, patch)
2010-08-02 11:23 PDT, John Sullivan 		adachan: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
John Sullivan
Comment 1 2010-08-02 11:23:24 PDT
Created attachment 63242 [details] Compute "last" a simpler way that doesn't have overflow potential.
John Sullivan
Comment 2 2010-08-02 11:41:45 PDT
Fixed in http://trac.webkit.org/changeset/64480
Note You need to log in before you can comment on or make changes to this bug.