Bug 12559 - REGRESSION: Crash in checkForHeadCharset() under GuardMalloc
Summary: REGRESSION: Crash in checkForHeadCharset() under GuardMalloc
Alias: None
Product: WebKit
Classification: Unclassified
Component: Page Loading (show other bugs)
Version: 420+
Hardware: Mac OS X 10.4
: P1 Critical
Assignee: Alexey Proskuryakov
Keywords: Regression
Depends on:
Reported: 2007-02-03 07:39 PST by Alexey Proskuryakov
Modified: 2007-02-03 12:24 PST (History)
2 users (show)

See Also:

proposed fix (3.70 KB, patch)
2007-02-03 07:47 PST, Alexey Proskuryakov
darin: review+
Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Alexey Proskuryakov 2007-02-03 07:39:02 PST
run-webkit-tests fast/events/event-targets.html --guard-malloc

This happens because the test for end of buffer is incorrect - it is not actually null terminated. Same problem is present elsewhere in this function, and I'm not sure if the code was buggy from the beginning, or some refactoring rendered it wrong.
Comment 1 Alexey Proskuryakov 2007-02-03 07:47:05 PST
Created attachment 12900 [details]
proposed fix
Comment 2 Sam Weinig 2007-02-03 08:24:21 PST
Small style snafu, a double space snuck in between the < and the pEnd.

-    while (ptr != pEnd) {
+    while (ptr + 7 <  pEnd) { // +7 guarantees that "<!--" and "<?xml" fit in the buffer - and certainly we aren't going to lose any "charset" that way.

Comment 3 Darin Adler 2007-02-03 12:04:38 PST
Comment on attachment 12900 [details]
proposed fix

Comment 4 Alexey Proskuryakov 2007-02-03 12:24:27 PST
Committed revision 19387.