Summary: | Signed arithmetic bug in dataTransfer32 | ||||||
---|---|---|---|---|---|---|---|
Product: | WebKit | Reporter: | Gabor Loki <loki> | ||||
Component: | JavaScriptCore | Assignee: | Nobody <webkit-unassigned> | ||||
Status: | RESOLVED FIXED | ||||||
Severity: | Normal | CC: | webkit.review.bot, zherczeg | ||||
Priority: | P2 | ||||||
Version: | 528+ (Nightly build) | ||||||
Hardware: | Other | ||||||
OS: | All | ||||||
Attachments: |
|
Description
Gabor Loki
2011-07-11 02:24:32 PDT
Created attachment 100257 [details]
Signed arithmetic bug in dataTransfer32
Comment on attachment 100257 [details]
Signed arithmetic bug in dataTransfer32
Nice catch.
Comment on attachment 100257 [details] Signed arithmetic bug in dataTransfer32 Clearing flags on attachment: 100257 Committed r90731: <http://trac.webkit.org/changeset/90731> All reviewed patches have been landed. Closing bug. Regression test? (In reply to comment #5) > Regression test? Seemed impossible. 0x80000000 (INT_MIN) is too big offset on a 32 bit machine. This is a "theoretical" bug. |