RESOLVED FIXED 25812
Uninitialized variable referenced while parsing CSS
https://bugs.webkit.org/show_bug.cgi?id=25812
Summary Uninitialized variable referenced while parsing CSS
Rahul Kuchhal
Reported 2009-05-14 16:44:37 PDT
Debug Safari while opening LayoutTests/fast/canvas/canvas-gradient-addStop-error.html. CSSParserValueList::addValue(const CSSParserValue& v) gets called by cssyyparse several times:

    void CSSParserValueList::addValue(const CSSParserValue& v)
    {
        if (v.unit == CSSPrimitiveValue::CSS_PARSER_VARIABLE_FUNCTION_SYNTAX)
            m_variablesCount++;
        m_values.append(v);
    }

But it looks like in many of these cases v.unit is not really initialized and holds a junk value. For example, in one instance of such a call (debugger watch window, Name / Value / Type):

    - v          {id=0 isInt=true fValue=-9.2559592782649444e+061 ...}   const WebCore::CSSParserValue &
        id         0                                                 int
        isInt      true                                              bool
        fValue     -9.2559592782649444e+061                          double
        iValue     58260512                                          int
      + string     {characters=0x0378fc20 "??" length=-858993460 }   WebCore::CSSParserString
      + function   0x0378fc20 {name={...} args=0x061a0d20 }          WebCore::CSSParserFunction *
        unit       1048577                                           int

The same problem is in CSSParserValueList::~CSSParserValueList() too. It tries to read the unit of all m_values when some of them have junk values for unit.
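To make the failure mode concrete, here is an added, constructed C++ model of the two code paths the report names (addValue() and the list destructor), not WebKit's own code: the unit enum values, the CSSParserFunction layout and the grammar-action helpers are assumptions, and the point it demonstrates is that giving `unit` (and the function pointer) a defined initial value removes the junk reads the reporter observed.

```cpp
// Constructed model (not WebKit code) of CSSParserValue / CSSParserValueList.
#include <string>
#include <vector>

namespace Model {
// Stand-ins for CSSPrimitiveValue's unit enum; the numeric values are assumed.
enum UnitType { CSS_UNKNOWN = 0, CSS_NUMBER = 1, CSS_PARSER_VARIABLE_FUNCTION_SYNTAX = 108 };
struct CSSParserFunction { std::string name; };
struct CSSParserValue {
    int id = 0;
    bool isInt = false;
    double fValue = 0.0;
    int iValue = 0;
    CSSParserFunction* function = nullptr;  // owned by the list once added
    // The report's defect: grammar actions that set only the numeric fields left `unit`
    // indeterminate. A default member initializer keeps it well-defined regardless, so
    // addValue() and the destructor never branch on junk such as 1048577.
    int unit = CSS_UNKNOWN;
};
class CSSParserValueList {
public:
    ~CSSParserValueList() {
        // The same read the report flags in the real destructor: with a junk unit a plain
        // number could be taken for a function and its (equally junk) pointer released.
        for (CSSParserValue& v : m_values)
            if (v.unit == CSS_PARSER_VARIABLE_FUNCTION_SYNTAX)
                delete v.function;
    }
    void addValue(const CSSParserValue& v) {
        if (v.unit == CSS_PARSER_VARIABLE_FUNCTION_SYNTAX)
            m_variablesCount++;
        m_values.push_back(v);
    }
    int variablesCount() const { return m_variablesCount; }
private:
    std::vector<CSSParserValue> m_values;
    int m_variablesCount = 0;
};
// Constructed grammar actions: one fills only the numeric fields, one builds a variable.
inline CSSParserValue numberAction(double d) { CSSParserValue v; v.fValue = d; return v; }
inline CSSParserValue variableAction(const std::string& name) {
    CSSParserValue v; v.function = new CSSParserFunction{name};
    v.unit = CSS_PARSER_VARIABLE_FUNCTION_SYNTAX; return v;
}
// Runs constructed values through addValue() and lets the destructor walk them afterwards.
inline int variablesSeen(const std::vector<CSSParserValue>& in) {
    CSSParserValueList list;
    for (const CSSParserValue& v : in) list.addValue(v);
    return list.variablesCount();
}
}  // namespace Model
```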
Dan Kegel
Comment 1 2009-05-14 17:10:51 PDT
Originally found on Linux, see http://code.google.com/p/chromium/issues/detail?id=9524, but probably also on other systems.
Alexey Proskuryakov
Comment 2 2009-05-15 02:33:27 PDT
See also: bug 22772.
Matt Mueller
Comment 3 2009-11-24 17:40:59 PST
I can't repro this now, and inspecting the CSSGrammar.y file it appears all "value" rules set the unit member. I believe it was fixed with http://trac.webkit.org/changeset/44075 (2009-05-22)