[Webkit-unassigned] [Bug 31475] New: Crash in StringHash::equal due to unaligned string data

Fri Nov 13 09:02:46 PST 2009

https://bugs.webkit.org/show_bug.cgi?id=31475

           Summary: Crash in StringHash::equal due to unaligned string
                    data
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Critical
          Priority: P2
         Component: WebCore Misc.
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: yong.li.webkit at gmail.com
                CC: jmason at rim.com

We've found a cash on espn.go.com. The reason is:

1. StringHash::equal assumes String::characters() is aligned to 4-byte
boundary.

2. When PassRefPtr<StringImpl> StringImpl::create(const JSC::UString& str) uses
shared buffer with UString, m_data is not guaranteed to be 4-byte aligned.
because UString::Rep::data() can point to any offset of the internal buffer.

The solution that Dave Tapuska suggests is: When UString::data() is not aligned
to 4-byte, we just don't use the shared buffer.

Anyone please give some comments?

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.