235931 – [libpas] get_num_free_bytes_for_each_heap_callback() is called with `arg` pointing to uninitialized stack memory

RESOLVED FIXED 235931

[libpas] get_num_free_bytes_for_each_heap_callback() is called with `arg` pointing to uninitialized stack memory

https://bugs.webkit.org/show_bug.cgi?id=235931

Summary [libpas] get_num_free_bytes_for_each_heap_callback() is called with `arg` poi...

David Kilzer (:ddkilzer)

Reported 2022-01-31 17:26:34 PST

In libpas, get_num_free_bytes_for_each_heap_callback() is called with `arg` pointing to uninitialized stack memory. pas_all_heaps_get_num_free_bytes() is called and doesn't initialize `result` on the stack, then calls the following functions with a pointer to `result`: - pas_all_heaps_for_each_heap(), - pas_all_heaps_for_each_static_heap(), - callback() / get_num_free_bytes_for_each_heap_callback(). Found by clang static analyzer.

Attachments
Patch v1 (1.51 KB, patch) 2022-01-31 17:28 PST, David Kilzer (:ddkilzer)	no flags	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Radar WebKit Bug Importer

Comment 1 2022-01-31 17:26:59 PST

<rdar://problem/88303899>

David Kilzer (:ddkilzer)

Comment 2 2022-01-31 17:28:47 PST

Created attachment 450482 [details] Patch v1

Yusuke Suzuki

Comment 3 2022-01-31 17:43:08 PST

Comment on attachment 450482 [details] Patch v1 r=me

EWS

Comment 4 2022-01-31 20:33:58 PST

Committed r288866 (246618@main): <https://commits.webkit.org/246618@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 450482 [details].

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version Other

Hardware Unspecified

OS Unspecified

Product WebKit

Component bmalloc

Assignee

David Kilzer (:ddkilzer)

Reported

2022-01-31 17:26 PST

Modified

2022-01-31 20:34 PST History

CC List

4 users Show

URL

Keywords InRadar

Depends on

Blocks