[Webkit-unassigned] [Bug 30827] Off-by-one hard-to-trigger memory corruption in CSSParser (seen only with GCC 4.4)

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Oct 27 11:51:31 PDT 2009


https://bugs.webkit.org/show_bug.cgi?id=30827


Craig Schlenter <craig.schlenter at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |craig.schlenter at gmail.com
--- Comment #5 from Craig Schlenter <craig.schlenter at gmail.com>  2009-10-27 11:51:31 PDT ---
A couple of quick comments:

The valgrind trace shows 2 bytes being overwritten not just 1.

Valgrind also shows a 2 byte read error. So while adding 1 byte might fix it, I
think 2 might be better if we just wanted to paper over the error.

It would be nice to understand why the parsing is overrunning though ... my
reading of the valgrind trace and the code suggests that it should be here:
(from tokenizer.cpp which is autogenerated)

#line 47 "../css/tokenizer.flex"
{yyTok = STRING; return yyTok;}
        YY_BREAK
case 15:
/* rule 15 can match eol */
YY_RULE_SETUP

but I'm not seeing anything writing to memory there, which is confusing...
