[Webkit-unassigned] [Bug 29313] New: Fix hard-to-reproduce crash in HTMLTokenizer by avoiding a rare fastRealloc edge case

Wed Sep 16 14:11:32 PDT 2009

https://bugs.webkit.org/show_bug.cgi?id=29313

           Summary: Fix hard-to-reproduce crash in HTMLTokenizer by
                    avoiding a rare fastRealloc edge case
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: PC
        OS/Version: Mac OS X 10.5
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebCore Misc.
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: dglazkov at chromium.org
                CC: mike at belshe.com, ap at webkit.org

>From bug 29026:

"
.. I found a case in WebKit which attempts to
realloc(ptr, 0):
WTF::fastRealloc+0x10
WebCore::HTMLTokenizer::enlargeScriptBuffer+0x41
WebCore::HTMLTokenizer::parseComment+0x2a
WebCore::HTMLTokenizer::parseTag+0x1141
WebCore::HTMLTokenizer::write+0x414
WebCore::FrameLoader::write+0x36b
WebCore::FrameLoader::addData+0x12

To get here, we have to read data input off the socket which contains a partial
page ending with "<!--".  It's a little hard to reproduce.
"

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.