[Webkit-unassigned] [Bug 12458] Crash in W3C-SVG-1.1/animate-elem-09-t.svg running layout tests under guard malloc
bugzilla-daemon at webkit.org
Mon Jan 29 06:14:17 PST 2007
http://bugs.webkit.org/show_bug.cgi?id=12458
bdash at webkit.org changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
------- Comment #1 from bdash at webkit.org 2007-01-29 06:14 PDT -------
The problem here is:
    while (ptr < end && *ptr != ';') // careful not to ignore whitespace inside values
        ptr++;
    if (ptr == valueStart)
        break;
    // walk backwards from the ; to ignore any whitespace
    const UChar* valueEnd = ptr;
    while (valueStart < valueEnd && isWhitespace(*valueEnd))
        valueEnd--;
When the first loop hits the end of the string, ptr will equal end. This leads
to *valueEnd attempting to access one element past the end of the buffer.
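The over-read described in comment #1, with one bounds-safe way to write the backward walk. This is an added example, not code from the bug report and not the WebKit patch. The UChar alias, the isWhitespace definition, the leading-whitespace skip and the parseValues wrapper are assumptions made so the loop can run on its own.

```cpp
#include <cstddef>
#include <string>
#include <vector>

using UChar = char16_t; // assumption: stand-in for WebKit's 16-bit UChar

static bool isWhitespace(UChar c)
{
    return c == u' ' || c == u'\t' || c == u'\n' || c == u'\r';
}

// Splits [data, data + length) on ';' and trims whitespace around each value.
// 'end' is one past the last element and is never dereferenced.
std::vector<std::u16string> parseValues(const UChar* data, size_t length)
{
    std::vector<std::u16string> values;
    const UChar* ptr = data;
    const UChar* end = data + length;
    while (ptr < end) {
        while (ptr < end && isWhitespace(*ptr)) // skip leading whitespace
            ptr++;
        const UChar* valueStart = ptr;
        while (ptr < end && *ptr != ';') // keep whitespace inside values
            ptr++;
        if (ptr == valueStart)
            break;
        // Here ptr is either at ';' or equal to end. Treat valueEnd as an
        // exclusive bound and test the element before it, so the read stays
        // inside [valueStart, end) even when no ';' terminates the value.
        const UChar* valueEnd = ptr;
        while (valueStart < valueEnd && isWhitespace(valueEnd[-1]))
            valueEnd--;
        values.emplace_back(valueStart, valueEnd);
        if (ptr < end)
            ptr++; // step over the ';'
    }
    return values;
}

int main()
{
    // Constructed input: exactly sized, no terminator, ends in whitespace,
    // which is the case where the first loop stops with ptr == end.
    const UChar input[] = { u'0', u';', u' ', u'1', u' ' };
    return parseValues(input, 5).size() == 2 ? 0 : 1;
}
```

Running the constructed input under guard malloc or AddressSanitizer exercises the ptr == end case directly, since the array has no trailing element to absorb a one-past-the-end read.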