[Webkit-unassigned] [Bug 29026] New: CRASH: fastRealloc crashes on realloc(ptr, 0)
bugzilla-daemon at webkit.org
Tue Sep 8 02:14:30 PDT 2009
https://bugs.webkit.org/show_bug.cgi?id=29026
Summary: CRASH: fastRealloc crashes on realloc(ptr, 0)
Product: WebKit
Version: 528+ (Nightly build)
Platform: PC
OS/Version: Mac OS X 10.5
Status: NEW
Severity: Normal
Priority: P2
Component: Web Template Framework
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: mike at belshe.com
The standard for realloc(ptr, 0) is that it should return NULL and free the
ptr.
In our implementation, this will crash.
This was discovered because I found a case in WebKit which attempts to
realloc(ptr, 0):
WTF::fastRealloc+0x10
WebCore::HTMLTokenizer::enlargeScriptBuffer+0x41
WebCore::HTMLTokenizer::parseComment+0x2a
WebCore::HTMLTokenizer::parseTag+0x1141
WebCore::HTMLTokenizer::write+0x414
WebCore::FrameLoader::write+0x36b
WebCore::FrameLoader::addData+0x12
To get here, we have to read data input off the socket which contains a partial
page ending with "<!--". It's a little hard to reproduce.
I believe the fixed code should look something like this (simply adding a check
for n > 0 before calling CRASH):
void* fastRealloc(void* p, size_t n)
{
    ASSERT(!isForbidden());

#if ENABLE(FAST_MALLOC_MATCH_VALIDATION)
    TryMallocReturnValue returnValue = tryFastRealloc(p, n);
    void* result;
    returnValue.getValue(result);
#else
    void* result = realloc(p, n);
#endif

    // Crash if the result is NULL and the size requested was greater
    // than zero. realloc(p, 0) returns NULL intentionally.
    if (!result && n > 0)
        CRASH();
    return result;
}
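The realloc(ptr, 0) edge case behind this report, worked through as an added example; this is not code from the bug report or from WebKit. classify_realloc() reproduces the decision the proposed fastRealloc fix makes before CRASH() (a NULL result is fatal only when n > 0). safe_realloc() shows the caveat the fix leaves open: C99 7.20.3.4 makes realloc(p, 0) implementation-defined, so one allocator frees p and returns NULL while another returns a fresh block, and a caller that reads NULL as "p is still mine" can double-free on the first kind; handling size 0 before touching the platform allocator makes NULL mean out-of-memory and nothing else. struct buffer is a constructed stand-in for the tokenizer's script buffer, and every name in the block is this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not WebKit code. All names are this example's own;
 * struct buffer is a constructed stand-in for the tokenizer's script buffer. */

enum realloc_status { REALLOC_OK = 0, REALLOC_FREED = 1, REALLOC_OOM = 2 };

/* The check the proposed fastRealloc fix performs before CRASH():
 * NULL means out-of-memory only if the caller actually asked for memory. */
enum realloc_status classify_realloc(const void* result, size_t n)
{
    if (result)
        return REALLOC_OK;
    return n > 0 ? REALLOC_OOM : REALLOC_FREED;
}

/* C99 7.20.3.4: realloc(p, 0) is implementation-defined. One allocator frees
 * p and returns NULL, another returns a fresh minimal block. Deciding n == 0
 * here removes the ambiguity: NULL from this function always means
 * out-of-memory, and then the old block is untouched and still the caller's. */
void* safe_realloc(void* p, size_t n, enum realloc_status* status)
{
    if (n == 0) {
        free(p);
        *status = REALLOC_FREED;
        return NULL;
    }
    void* result = realloc(p, n);
    *status = result ? REALLOC_OK : REALLOC_OOM;
    return result;
}

/* What this platform's realloc(p, 0) does: 1 = returned NULL (block freed),
 * 0 = returned a new pointer, -1 = malloc failed. Not asserted on; run it. */
int platform_realloc_zero_returns_null(void)
{
    void* p = malloc(16);
    if (!p)
        return -1;
    void* r = realloc(p, 0);
    if (r) {
        free(r);
        return 0;
    }
    return 1;
}

/* Growable byte buffer built on safe_realloc(). */
struct buffer { char* data; size_t len; size_t cap; };

/* Append n bytes, doubling capacity as needed. On REALLOC_OOM the buffer is
 * unchanged, so the caller keeps everything already parsed. */
enum realloc_status buffer_append(struct buffer* b, const char* src, size_t n)
{
    if (n == 0)
        return REALLOC_OK;
    if (n > SIZE_MAX - b->len)
        return REALLOC_OOM;                    /* length would overflow size_t */
    size_t needed = b->len + n;
    if (needed > b->cap) {
        size_t new_cap = b->cap ? b->cap : 16; /* never grow from zero to zero */
        while (new_cap < needed) {
            if (new_cap > SIZE_MAX / 2)
                return REALLOC_OOM;
            new_cap *= 2;
        }
        enum realloc_status st;
        char* p = safe_realloc(b->data, new_cap, &st);
        if (st != REALLOC_OK)
            return st;
        b->data = p;
        b->cap = new_cap;
    }
    memcpy(b->data + b->len, src, n);
    b->len += n;
    return REALLOC_OK;
}

/* Releasing the buffer is an explicit size-0 request, which safe_realloc()
 * turns into free() rather than a NULL that looks like allocation failure. */
enum realloc_status buffer_free(struct buffer* b)
{
    enum realloc_status st;
    b->data = safe_realloc(b->data, 0, &st);
    b->len = 0;
    b->cap = 0;
    return st;
}

int main(void)
{
    printf("realloc(p, 0) returns NULL here: %d\n", platform_realloc_zero_returns_null());
    struct buffer b = { NULL, 0, 0 };
    buffer_append(&b, "<!--", 4);            /* the partial page from the report */
    printf("buffer: %zu bytes used of %zu\n", b.len, b.cap);
    printf("free status: %d (1 = REALLOC_FREED)\n", buffer_free(&b));
    return 0;
}
```

Running it on a glibc system prints 1 for the probe (realloc(p, 0) frees and returns NULL there), which is the case that made fastRealloc treat a deliberate size-0 request as out-of-memory; buffer_free() reports REALLOC_FREED instead of aborting, and an out-of-memory return from buffer_append() leaves the buffer intact for the caller.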