Bug 82411

Summary: [Chromium] Uninitialized access in SimpleFontDataSkia::platformInit()
Product: WebKit
Reporter: Kenichi Ishibashi <bashi>
Component: Platform
Assignee: Kenichi Ishibashi <bashi>
Status: RESOLVED FIXED
Severity: Normal
CC: tkent, webkit.review.bot
Priority: P2
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
URL: http://crbug.com/76378
Attachments:
  Description        Flags
  Patch              none
  Patch for landing  none

Description Kenichi Ishibashi 2012-03-27 18:43:09 PDT
From http://crbug.com/76378

Conditional jump or move depends on uninitialised value(s)
   at 0x16AEFEF: WebCore::SimpleFontData::platformInit() (third_party/WebKit/Source/WebCore/platform/graphics/SimpleFontData.h:312)
   by 0x169AC95: WebCore::SimpleFontData::SimpleFontData(WebCore::FontPlatformData const&, bool, bool, bool) (third_party/WebKit/Source/WebCore/platform/graphics/SimpleFontData.cpp:61)

This implies that platformInit() calls widthForGlyph(), in which we compare the argument with m_zeroWidthSpaceGlyph, which isn't initialized yet.
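The ordering bug described in this report, as a constructed C++ model added here (not WebKit's SimpleFontData code): the constructor calls platformInit(), which calls widthForGlyph(), which compares its argument against m_zeroWidthSpaceGlyph before that member has been assigned; the After variant applies the fix from the patch, giving the member the value 0 ("unknown glyph") up front. The glyph ids, widths, the advance table and the platformGlyphInit() name are assumptions.

```cpp
#include <cstdint>
#include <cstdio>
#include <map>

// Constructed model of the ordering bug in bug 82411; a stand-in, not WebKit's SimpleFontData.
using Glyph = uint16_t;

// Constructed glyph advance table standing in for real font metrics (glyph id -> width).
static const std::map<Glyph, float> kConstructedAdvances = {{3, 7.5f}, {17, 12.0f}, {42, 5.25f}};

// Shared lookup: glyph 0 means "unknown glyph"; the zero-width-space glyph reports width 0.
static float lookupWidth(Glyph g, Glyph zeroWidthSpaceGlyph)
{
    if (g == zeroWidthSpaceGlyph)  // the comparison valgrind flagged while the member was uninitialised
        return 0;
    auto it = kConstructedAdvances.find(g);
    return it == kConstructedAdvances.end() ? 0 : it->second;
}

// Before the fix: m_zeroWidthSpaceGlyph has no initializer, yet the constructor runs
// platformInit() -> widthForGlyph() before platformGlyphInit() assigns it. Kept for reading only;
// constructing it reads an indeterminate value (undefined behaviour).
struct FontBefore {
    Glyph m_zeroWidthSpaceGlyph;
    float m_spaceWidth = 0;
    FontBefore() { platformInit(); platformGlyphInit(); }
    void platformInit() { m_spaceWidth = widthForGlyph(17); }
    void platformGlyphInit() { m_zeroWidthSpaceGlyph = 3; }
    float widthForGlyph(Glyph g) const { return lookupWidth(g, m_zeroWidthSpaceGlyph); }
};

// After the fix: the member starts as 0 ("unknown glyph"), so the early comparison is well defined
// and no real glyph matches it until platformGlyphInit() has run.
struct FontAfter {
    Glyph m_zeroWidthSpaceGlyph = 0;
    float m_spaceWidth = 0;
    FontAfter() { platformInit(); platformGlyphInit(); }
    void platformInit() { m_spaceWidth = widthForGlyph(17); }
    void platformGlyphInit() { m_zeroWidthSpaceGlyph = 3; }
    float widthForGlyph(Glyph g) const { return lookupWidth(g, m_zeroWidthSpaceGlyph); }
};

int main()
{
    FontAfter font;
    std::printf("space width %.2f, zero-width space %.2f, unknown glyph %.2f\n",
                font.m_spaceWidth, font.widthForGlyph(3), font.widthForGlyph(99));
    return 0;
}
```

Only FontAfter is exercised; constructing FontBefore under valgrind memcheck or clang's MemorySanitizer reproduces the "conditional jump or move depends on uninitialised value(s)" report quoted in the description.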
Comment 1 Kenichi Ishibashi 2012-03-27 18:44:58 PDT
Created attachment 134194 [details]
Patch
Comment 2 Kenichi Ishibashi 2012-03-27 18:45:52 PDT
Kent-san, could you take a look?
Comment 3 Kent Tamura 2012-03-27 19:04:48 PDT
Comment on attachment 134194 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=134194&action=review

> Source/WebCore/ChangeLog:12
> +        [Chromium] Uninitialized access in SimpleFontDataSkia::platformInit
> +        https://bugs.webkit.org/show_bug.cgi?id=82411
> +
> +        SimpleFontDataSkia::platformInit() could call widthForGlyph(), which
> +        accesses m_zeroWidthSpaceGlyph. This causes a valgrind memcheck error
> +        because m_zeroWidthSpaceGlyph isn't initialized at this point.
> +        Initialize m_zeroWidthSpaceGlyph with zero so that widthForGlyph() can
> +        return appropriate value(The value zero here means "unknown glyph").
> +
> +        Reviewed by NOBODY (OOPS!).
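Review bot: The detail paragraph explains the valgrind memcheck error but does not say how the fix was verified; since no test is named here, a sentence stating that the fix was checked by re-running the reproducer under valgrind (or that no new test is possible for an uninitialised read) would make the entry complete. Minor wording in the same paragraph: "return appropriate value(The value zero here means "unknown glyph")" reads better as "return an appropriate value (the value zero here means "unknown glyph")".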

Usual order is:

  <summary>
  <bug URL>

  Reviewed by ...

  <Detail>
Comment 4 Kenichi Ishibashi 2012-03-27 19:06:38 PDT
Created attachment 134200 [details]
Patch for landing
Comment 5 Kenichi Ishibashi 2012-03-27 19:07:52 PDT
Comment on attachment 134194 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=134194&action=review

Thanks!

>> Source/WebCore/ChangeLog:12
>> +        Reviewed by NOBODY (OOPS!).
> 
> Usual order is:
> 
>   <summary>
>   <bug URL>
> 
>   Reviewed by ...
> 
>   <Detail>

Done.
Comment 6 WebKit Review Bot 2012-03-27 19:42:23 PDT
Comment on attachment 134200 [details]
Patch for landing

Clearing flags on attachment: 134200

Committed r112357: <http://trac.webkit.org/changeset/112357>
Comment 7 WebKit Review Bot 2012-03-27 19:42:27 PDT
All reviewed patches have been landed.  Closing bug.