Bug 79135

Summary: equalIgnoringNullity() only comparing half the bytes for equality
Product: WebKit Reporter: Thomas Sepez <tsepez>
Component: WebCore Misc.Assignee: Thomas Sepez <tsepez>
Status: RESOLVED FIXED    
Severity: Normal CC: abarth, webkit.review.bot
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch plus change to make test flunk without the patch. none

Thomas Sepez
Reported 2012-02-21 11:49:58 PST
In WebKit/Source/JavaScriptCore/wtf/text/StringImpl.h:731 template<size_t inlineCapacity> bool equalIgnoringNullity(const Vector<UChar, inlineCapacity>& a, StringImpl* b) { if (!b) return !a.size(); if (a.size() != b->length()) return false; return !memcmp(a.data(), b->characters(), b->length()); } Which will memcmp() exactly half the bytes since sizeof UChar is 2. This only gets called from XSSAuditor, and owing to absence of unit tests, the way to test this is via an XSSAuditor test.
Attachments
Patch plus change to make test flunk without the patch. (2.53 KB, patch)
2012-02-21 13:06 PST, Thomas Sepez 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Thomas Sepez
Comment 1 2012-02-21 13:06:29 PST
Created attachment 128029 [details] Patch plus change to make test flunk without the patch.
Adam Barth
Comment 2 2012-02-21 13:21:06 PST
Did you look at other uses of memcmp in that file to make sure they were ok ?
Thomas Sepez
Comment 3 2012-02-21 13:43:31 PST
Just checked that its the only use in the .h, and in the .cpp, the two uses multiply by the size of the templated chartype.
WebKit Review Bot
Comment 4 2012-02-21 16:19:11 PST
Comment on attachment 128029 [details] Patch plus change to make test flunk without the patch. Clearing flags on attachment: 128029 Committed r108412: <http://trac.webkit.org/changeset/108412>
WebKit Review Bot
Comment 5 2012-02-21 16:19:16 PST
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.