43369 – WebBackForwardList::forwardListAsImmutableArrayWithLimit can return partly-uninitialized array

Bug 43369 - WebBackForwardList::forwardListAsImmutableArrayWithLimit can return partly-uninitialized array

Summary: WebBackForwardList::forwardListAsImmutableArrayWithLimit can return partly-un...

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	WebKit2 (show other bugs)
Version:	528+ (Nightly build)
Hardware:	All All

Importance:	P1 Major
Assignee:	John Sullivan

URL:
Keywords:

Depends on:
Blocks:

Reported:	2010-08-02 11:20 PDT by John Sullivan
Modified:	2010-08-02 11:41 PDT (History)
CC List:	0 users

See Also:

Attachments
Compute "last" a simpler way that doesn't have overflow potential. (1.38 KB, patch) 2010-08-02 11:23 PDT, John Sullivan	adachan: review+	Details \| Formatted Diff \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Sullivan 2010-08-02 11:20:36 PDT

WebBackForwardList::forwardListAsImmutableArrayWithLimit() has incorrect math that can result in it returning an array that is only partly (or not at all) filled in.

The offending line is this one:

unsigned last = std::min(m_current + limit, static_cast<unsigned>(m_entries.size() - 1));

if m_current + limit is larger than numeric_limits<unsigned>::max(), this expression will return the wrong value, and the subsequent for loop can skip filling in data for some array slots.

Comment 1 John Sullivan 2010-08-02 11:23:24 PDT

Created attachment 63242 [details]
Compute "last" a simpler way that doesn't have overflow potential.

Comment 2 John Sullivan 2010-08-02 11:41:45 PDT

Fixed in http://trac.webkit.org/changeset/64480