[Webkit-unassigned] [Bug 27016] New: Interpreter crashes due to invalid array indexes
bugzilla-daemon at webkit.org
Mon Jul 6 18:01:06 PDT 2009
https://bugs.webkit.org/show_bug.cgi?id=27016
Summary: Interpreter crashes due to invalid array indexes
Product: WebKit
Version: 528+ (Nightly build)
Platform: PC
OS/Version: Linux
Status: NEW
Severity: Major
Priority: P1
Component: JavaScriptCore
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: zack at kde.org
In gcc 4.3.3 when array subscripts are expressions which contain a mix of
signed and unsigned operands the result will be unsigned. It's a cause of
crashes in the interpreter. The attached patch fixes the crashes but it's
possible that there are other codepaths which are similarly broken.
A simple test case to see if you can reproduce it with the compiler of your
choice is:
#include <stdio.h>

#define CRASH 0

int array[] = { -50, -40, -30, -20, -10, 0, 10, 20, 30, 40, 50 };

int main(int argc, char **argv)
{
    int *ptr = array + 5;   /* points at the 0 in the middle of the array */
    unsigned i = argc;      /* 1 when run with no arguments */
    int k = 3 * i;          /* 3 */
    (void)argv;
#if CRASH
    /* i - k mixes unsigned and int: k is converted to unsigned, so the
       subscript is a huge positive value (UINT_MAX - 1 for argc == 1)
       instead of -2, and the read runs far past the array. */
    int num = ptr[i - k];
#else
    /* casting the difference back to int restores the intended subscript, -2 */
    int num = ptr[(int)(i - k)];
#endif
    fprintf(stderr, "num is %d\n", num);
    return 0;
}
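As an added illustration (this is not code from the bug report or from WebKit), the C program below separates the two things the test case above mixes together: the subscript as the compiler actually evaluates it after the usual arithmetic conversions, versus the signed difference the author meant, and then shows a bounds-checked accessor that rejects both a genuinely out-of-range offset and a wrapped-around unsigned one. The array contents are the same constructed values as in the test case; the function names are assumptions for this example.

```c
#include <stdio.h>
#include <stddef.h>
#include <limits.h>

/* Same constructed array as the bug report's test case. */
static int table[] = { -50, -40, -30, -20, -10, 0, 10, 20, 30, 40, 50 };
#define TABLE_LEN (sizeof table / sizeof table[0])

/* The subscript exactly as the compiler evaluates it in `ptr[i - k]`:
   the int operand k is converted to unsigned, so a "negative" difference
   wraps around to a huge positive value (UINT_MAX - 1 for i == 1, k == 3). */
unsigned mixed_subscript(unsigned i, int k)
{
    return i - k;
}

/* The same difference computed in a signed, pointer-width type, which is
   the value the author of `ptr[i - k]` intended (-2 for i == 1, k == 3). */
ptrdiff_t signed_subscript(unsigned i, int k)
{
    return (ptrdiff_t)i - (ptrdiff_t)k;
}

/* 1 if table[base + offset] is inside the array, 0 otherwise. `offset` is
   a long long so that a wrapped 32-bit unsigned subscript (4294967294)
   keeps its value on every platform instead of being re-interpreted. */
int index_in_bounds(size_t base, long long offset)
{
    if (base >= TABLE_LEN)
        return 0;
    long long idx = (long long)base + offset;   /* cannot overflow: base is small */
    return idx >= 0 && idx < (long long)TABLE_LEN;
}

/* Bounds-checked read relative to a base position; returns `fallback`
   instead of dereferencing out of range. */
int lookup_or(size_t base, long long offset, int fallback)
{
    if (!index_in_bounds(base, offset))
        return fallback;
    return table[(size_t)((long long)base + offset)];
}

int main(void)
{
    unsigned i = 1;   /* argc when the test case runs with no arguments */
    int k = 3 * i;

    printf("unsigned subscript: %u\n", mixed_subscript(i, k));
    printf("signed subscript:   %ld\n", (long)signed_subscript(i, k));

    /* base 5 is the element `ptr` points at in the test case; offset -2 is -20 */
    printf("ptr[-2] = %d\n", lookup_or(5, signed_subscript(i, k), INT_MIN));

    /* The wrapped value the CRASH branch would use is rejected by the check. */
    if (!index_in_bounds(5, (long long)mixed_subscript(i, k)))
        printf("wrapped subscript %u rejected\n", mixed_subscript(i, k));
    return 0;
}
```

The point of the `long long` parameter is that the wrapped unsigned value must reach the bounds check with its real magnitude: a check written in terms of `int` or a 32-bit `ptrdiff_t` would silently convert 4294967294 back to -2 and accept it, hiding exactly the conversion that causes the crash.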