[Webkit-unassigned] [Bug 25812] New: Uninitialized varilable referenced while parsing CSS
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Thu May 14 16:44:37 PDT 2009
https://bugs.webkit.org/show_bug.cgi?id=25812
Summary: Uninitialized varilable referenced while parsing CSS
Product: WebKit
Version: 528+ (Nightly build)
Platform: PC
URL: LayoutTests/fast/canvas/canvas-gradient-addStop-
error.html
OS/Version: Windows XP
Status: UNCONFIRMED
Severity: Normal
Priority: P2
Component: CSS
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: kuchhal at yahoo.com
Debug Safari while opening
LayoutTests/fast/canvas/canvas-gradient-addStop-error.html.
CSSParserValueList::addValue(const CSSParserValue& v) gets called by cssyparse
several times:
void CSSParserValueList::addValue(const CSSParserValue& v)
{
if (v.unit == CSSPrimitiveValue::CSS_PARSER_VARIABLE_FUNCTION_SYNTAX)
m_variablesCount++;
m_values.append(v);
}
But looks like in many of these cases v.unit is not really initialized and
holds junk value. For example in one instance of such call:
- v {id=0 isInt=true fValue=-9.2559592782649444e+061 ...}
const WebCore::CSSParserValue &
id 0 int
isInt true bool
fValue -9.2559592782649444e+061 double
iValue 58260512 int
+ string {characters=0x0378fc20 "??�" length=-858993460 }
WebCore::CSSParserString
+ function 0x0378fc20 {name={...} args=0x061a0d20 }
WebCore::CSSParserFunction *
unit 1048577 int
Same problem is in CSSParserValueList::~CSSParserValueList() too. It tries to
read unit of all m_values when some of them have junk values for unit.
--
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
More information about the webkit-unassigned
mailing list