[webkit-reviews] review denied: [Bug 61053] Using NULL bytes when setting innerHTML in xhtml ASSERT and NULL ptr : [Attachment 96263] Patch

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Jun 7 11:37:41 PDT 2011


Darin Adler <darin at apple.com> has denied Jeffrey Pfau <jeffrey at endrift.com>'s
request for review:
Bug 61053: Using NULL bytes when setting innerHTML in xhtml ASSERT and NULL ptr
https://bugs.webkit.org/show_bug.cgi?id=61053

Attachment 96263: Patch
https://bugs.webkit.org/attachment.cgi?id=96263&action=review

------- Additional Comments from Darin Adler <darin at apple.com>
View in context: https://bugs.webkit.org/attachment.cgi?id=96263&action=review

> Source/WebCore/dom/XMLDocumentParserLibxml2.cpp:1446
> -    initializeParserContext(chunkAsUtf8.data());
> +    initializeParserContext(chunkAsUtf8.data(), chunkAsUtf8.length());
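Review bot: The `+` line narrows `chunkAsUtf8.length()` (a size_t) to the int parameter of initializeParserContext with no check, so on LP64 builds a length above INT_MAX arrives as a negative value and a length that is a multiple of 2^32 arrives as 0, with no compiler diagnostic on the call. The hunk does not include the declaration of initializeParserContext, so the fix is either a companion change that makes its length parameter a size_t, or a guard at this call site, e.g. `if (chunkAsUtf8.length() > INT_MAX) return;` (or an equivalent error path) before the `static_cast<int>`.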

It’s not safe to pass a value that’s a size_t to a function that takes an int.
This is especially true on 64-bit systems where size_t is a 64-bit unsigned
integer and int is a 32-bit signed integer. Large lengths can turn into
negative numbers or even zeros and cause problems such as security
vulnerabilities.

The type size_t needs to be used throughout, or we need something here to
explicitly check that the size fits into an int.
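The narrowing problem described in the review, as an added C++ illustration (not WebKit's code): `initializeParserContext` below is a hypothetical stand-in whose length parameter is an int, as the review states for the real function; `narrowedLength` shows what the implicit size_t-to-int conversion yields, and `initializeParserContextChecked` is one way to make the "explicitly check that the size fits into an int" fix concrete.

```cpp
#include <climits>
#include <cstddef>
#include <cstdint>
#include <string>

// Hypothetical stand-in for the WebKit function the hunk calls; the review
// says its length parameter is an int. A negative or zero length is the
// failure mode the review warns about, so model it as a rejected parse.
static bool initializeParserContext(const char* chunk, int length)
{
    return chunk && length > 0;
}

// What the unchecked call site actually hands to an int parameter. Out-of-range
// unsigned-to-signed conversion is modular on mainstream compilers (and is
// guaranteed modular since C++20): 0x80000000 becomes INT_MIN, 0x100000000 becomes 0.
int narrowedLength(size_t length)
{
    return static_cast<int>(length);
}

// The explicit check the review asks for: does this size_t fit in an int?
bool lengthFitsInt(size_t length)
{
    return length <= static_cast<size_t>(INT_MAX);
}

// Hardened call site: refuse to initialize rather than pass a wrapped length.
// Returns false on either the range check or the stand-in's own rejection.
bool initializeParserContextChecked(const std::string& chunkAsUtf8)
{
    if (!lengthFitsInt(chunkAsUtf8.size()))
        return false; // treat as a parse failure instead of narrowing silently
    return initializeParserContext(chunkAsUtf8.data(),
                                   static_cast<int>(chunkAsUtf8.size()));
}
```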

