[Webkit-unassigned] [Bug 14853] New: Incorrect implementation of ArrayImpl's equality operator
bugzilla-daemon at webkit.org
Wed Aug 1 12:04:03 PDT 2007
http://bugs.webkit.org/show_bug.cgi?id=14853
Summary: Incorrect implementation of ArrayImpl's equality operator
Product: WebKit
Version: 312.x
Platform: All
OS/Version: All
Status: UNCONFIRMED
Severity: Minor
Priority: P3
Component: WebCore Misc.
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: rick at writhe.org.uk
The ArrayImpl class (as defined in WebCore/platform/ArrayImpl.{h,cpp}) has a
typo in its equality operator which could lead to an incorrect equality test
and also a buffer overrun (and therefore a potential crash).
The fix is a trivial change to one line of code. The erroneous code contains
the test:
d->itemSize == d->itemSize
which should be:
d->itemSize == a.d->itemSize
In practice, the bug will probably never be seen as the only (current) use of
the ArrayImpl class is by DeprecatedArray (and its subclass
DeprecatedCString). This means that the value of itemSize will always be
sizeof(char) (i.e. 1) for both objects being compared and the equality test
will work correctly.
On the other hand, this bug appears in the exact same form in much older
versions of ArrayImpl. In particular, the existing code has been copied from
WebCore/kwq/KWQArrayImpl.cpp (which was copied from
WebCore/kwq/KWQArrayImpl.mm).
I didn't dig too deep but previous versions of WebKit may have additional
dependencies on these older classes and cases where itemSize is different. This
bug may therefore be more serious in older versions of WebKit.
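The following is an added illustration of the defect the report describes; it is not WebCore's ArrayImpl and not code from the reporter. A toy array holds numItems elements of itemSize bytes each, and its equality test is written once with the tautological `itemSize == itemSize` check and once with the corrected `itemSize == a.itemSize` check. The names ToyArray, ArrayData and CompareResult, and the guard that reports an out-of-bounds memcmp instead of performing it, are assumptions made for this example. It also covers the case the report calls out: with both operands at itemSize 1, the two versions agree, so the typo is invisible there.

```cpp
#include <cstddef>
#include <cstring>
#include <vector>

// Hypothetical reconstruction for bug 14853 (not WebCore's code): a minimal
// array of numItems elements, itemSize bytes each.
struct ArrayData {
    size_t numItems;
    size_t itemSize;
    std::vector<unsigned char> bytes;  // numItems * itemSize bytes of storage
};

struct CompareResult {
    bool equal;         // what operator== would return
    bool wouldOverrun;  // memcmp would have read past the other array's buffer
};

class ToyArray {
public:
    ToyArray(size_t itemSize, size_t numItems, const void* src) {
        d.itemSize = itemSize;
        d.numItems = numItems;
        const unsigned char* p = static_cast<const unsigned char*>(src);
        d.bytes.assign(p, p + itemSize * numItems);
    }

    // As filed: the itemSize test compares this object's itemSize with itself,
    // so it is always true and the operands' element sizes are never compared.
    CompareResult buggyEquals(const ToyArray& a) const {
        CompareResult r{false, false};
        if (d.numItems != a.d.numItems) return r;
        if (!(d.itemSize == d.itemSize)) return r;  // the typo from the report
        size_t n = d.itemSize * d.numItems;         // length taken from *this only
        if (n > a.d.bytes.size()) {                 // guard (assumption): report, don't overrun
            r.wouldOverrun = true;
            return r;
        }
        r.equal = std::memcmp(d.bytes.data(), a.d.bytes.data(), n) == 0;
        return r;
    }

    // With the one-line fix: both operands' item sizes are compared first, so
    // the memcmp length is valid for both buffers.
    CompareResult fixedEquals(const ToyArray& a) const {
        CompareResult r{false, false};
        if (d.numItems != a.d.numItems) return r;
        if (d.itemSize != a.d.itemSize) return r;
        size_t n = d.itemSize * d.numItems;
        r.equal = std::memcmp(d.bytes.data(), a.d.bytes.data(), n) == 0;
        return r;
    }

private:
    ArrayData d;
};

// Scenario from the report: both arrays hold chars (itemSize 1), so the buggy
// and fixed tests agree and the typo has no visible effect.
bool charArraysAgree() {
    const char x[] = {'a', 'b', 'c'}, y[] = {'a', 'b', 'c'};
    ToyArray a(1, 3, x), b(1, 3, y);
    return a.buggyEquals(b).equal && a.fixedEquals(b).equal;
}

// Same item count, different element sizes: the buggy test would read 12 bytes
// from a 3-byte buffer; the fixed test rejects the pair before touching memory.
bool mismatchedSizesDetected() {
    const int ints[] = {1, 2, 3};
    const char chars[] = {1, 2, 3};
    ToyArray a(sizeof(int), 3, ints), b(1, 3, chars);
    CompareResult buggy = a.buggyEquals(b);
    CompareResult fixed = a.fixedEquals(b);
    return buggy.wouldOverrun && !fixed.equal && !fixed.wouldOverrun;
}

// Wrong answer without an overrun: a 3-byte char array against a 12-byte array
// whose first three bytes happen to match is reported "equal" by the buggy test.
bool falseEqualityFromTypo() {
    const unsigned char small[] = {1, 2, 3};
    const unsigned char big[12] = {1, 2, 3, 9, 9, 9, 9, 9, 9, 9, 9, 9};
    ToyArray a(1, 3, small), b(4, 3, big);
    return a.buggyEquals(b).equal && !a.fixedEquals(b).equal;
}
```

The three scenario functions make the report's reasoning concrete: the first is the DeprecatedCString situation where nothing goes wrong, the second is the over-read that becomes possible once an array with a larger itemSize is compared against a smaller buffer, and the third shows that even without an over-read the typo can yield a false "equal" because only one operand's element size ever drives the comparison length.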