Bug 22772 - Reads on uninitialised memory in CSS parser
Summary: Reads on uninitialised memory in CSS parser
Status: RESOLVED DUPLICATE of bug 30347
Alias: None
Product: WebKit
Classification: Unclassified
Component: New Bugs (show other bugs)
Version: 528+ (Nightly build)
Hardware: All All
: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2008-12-09 17:07 PST by Adam Langley
Modified: 2009-10-15 16:55 PDT (History)
1 user (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Adam Langley 2008-12-09 17:07:24 PST
This issue is WebKit/WebCore/css/CSSParser.cpp:405

bool CSSParser::validUnit(CSSParserValue* value, Units unitflags, bool strict)
{
   if (unitflags & FNonNeg && value->fValue < 0)
       return false;

   bool b = false;

Not all bytes of value->fValue are valid. The problem happens when
some CSS property is a function rather than a value. In this specific
case it's the width of something. (I'm not claiming that this is valid
CSS, but it happens on nytimes.com).

value->fValue is a member of a union:

WebKit/WebCore/css/CSSParserValue.h:

struct CSSParserValue {
   int id;
   bool isInt;
   union {
       double fValue;
       int iValue;
       CSSParserString string;
       CSSParserFunction* function;
   };
   enum {
       Operator = 0x100000,
       Function = 0x100001,
       Q_EMS    = 0x100002
   };
   int unit;

   bool isVariable() const;

   PassRefPtr<CSSValue> createCSSValue();
};

Since it's a function, ->function is set, but that's only a 32-bit
value on many platforms. However, the FNonNeg tests fValue, an 8-byte double, so
only half the bytes are valid. It turns out that it doesn't matter
because a CSSParserValue of type function will always end up returning
false later in the function. However, it might be a surprise for
someone down the road.

I think the best solution is probably to write a constructor for
CSSParserValue which initialises the members, although I really don't
know the code very well.
Comment 1 Alexey Proskuryakov 2009-05-15 02:33:36 PDT
See also: bug 25812.
Comment 2 Matt Mueller 2009-10-15 16:51:07 PDT
Should be fixed by bug 30347, if you could verify.
Comment 3 Adam Langley 2009-10-15 16:55:28 PDT

*** This bug has been marked as a duplicate of bug 30347 ***