[Webkit-unassigned] [Bug 30827] Off-by-one hard-to-trigger memory corruption in CSSParser (seen only with GCC 4.4)

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Oct 27 11:54:57 PDT 2009


https://bugs.webkit.org/show_bug.cgi?id=30827

--- Comment #6 from Darin Adler <darin at apple.com>  2009-10-27 11:54:57 PDT ---
To get a better understanding of what is going on you should look at the
generated code, tokenizer.cpp, not the source code, tokenizer.flex. And
tokenizer.cpp is included in CSSParser.cpp, which has other code you'll need to
see to understand it.

As I said, the guarantee it won't run off the end of the buffer comes from the
flex-generated state tables, and is not obvious from just reading the code.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
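Darin's point above, that the guarantee against running off the end of the buffer comes from the flex-generated state tables and not from any visible check in the scanner loop, as an added example. This is not WebKit's tokenizer.cpp or flex's own output; it is a small hand-written, table-driven scanner in the same style. What is taken from flex is the convention that the scan buffer is terminated by two YY_END_OF_BUFFER_CHAR ('\0') bytes and that the tables route that character class to a terminating state. The token grammar (CSS-like identifiers), the state numbering, and the 64-byte staging buffer in scan_ident_n are assumptions for illustration.

```c
/* Added example, not WebKit or flex code: a tiny table-driven scanner
 * in the style of a flex-generated tokenizer. Flex terminates the scan
 * buffer with two YY_END_OF_BUFFER_CHAR ('\0') bytes and its transition
 * tables send that class to a "jam" state, so the hot loop carries no
 * explicit length comparison: the bound lives in the tables plus the
 * sentinel. The grammar here ([a-zA-Z_-][a-zA-Z0-9_-]*) and the state
 * numbering are assumptions for illustration. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum { S_START = 0, S_IDENT = 1, S_JAM = 2 };
enum { C_EOB = 0, C_ALPHA = 1, C_DIGIT = 2, C_OTHER = 3 };

/* Character equivalence classes. Class 0 is reserved for the sentinel
 * byte so that one table row can end the scan for every state. */
static int char_class(unsigned char c) {
    if (c == '\0') return C_EOB;
    if ((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || c == '_' || c == '-')
        return C_ALPHA;
    if (c >= '0' && c <= '9') return C_DIGIT;
    return C_OTHER;
}

/* next_state[state][class]. Every row maps C_EOB to S_JAM; that row is
 * the whole end-of-buffer guarantee. Drop it and the loop walks off the
 * end of the buffer with no other check to stop it. */
static const int next_state[3][4] = {
    /* S_START */ { S_JAM, S_IDENT, S_JAM,   S_JAM },
    /* S_IDENT */ { S_JAM, S_IDENT, S_IDENT, S_JAM },
    /* S_JAM   */ { S_JAM, S_JAM,   S_JAM,   S_JAM },
};

/* Scan one identifier at buf. As with a flex buffer, the caller
 * guarantees that buf is followed by at least one '\0' sentinel.
 * Returns the token length, or 0 if no identifier starts at buf.
 * Note there is no index-against-length comparison in the loop. */
size_t scan_ident(const char *buf) {
    int state = S_START;
    const char *p = buf;
    for (;;) {
        int next = next_state[state][char_class((unsigned char)*p)];
        if (next == S_JAM) break;
        state = next;
        p++;
    }
    return state == S_IDENT ? (size_t)(p - buf) : 0;
}

/* For input whose backing memory may not be NUL-terminated: copy it into
 * a staging buffer and append the two sentinel bytes, as flex does when
 * it fills its buffer. The 64-byte capacity is an assumption. */
size_t scan_ident_n(const char *data, size_t len) {
    char buf[64 + 2];
    if (len > 64) len = 64;
    memcpy(buf, data, len);
    buf[len] = '\0';
    buf[len + 1] = '\0';
    return scan_ident(buf);
}

int main(void) {
    printf("%zu\n", scan_ident("color:red"));         /* 5 */
    printf("%zu\n", scan_ident_n("-webkit-x 1", 11)); /* 9 */
    return 0;
}
```

The reviewer's question for a report like this one is therefore not "where is the bounds check in the loop" but "does the table row for the sentinel class reach S_JAM from every state, and is the sentinel always present", which is why the generated tokenizer.cpp and its tables, not tokenizer.flex, are the thing to read.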