[Webkit-unassigned] [Bug 47382] New: Blob / BlobBuilder can be put into bad state with wild integers and strings
bugzilla-daemon at webkit.org
Thu Oct 7 15:38:59 PDT 2010
https://bugs.webkit.org/show_bug.cgi?id=47382
Summary: Blob / BlobBuilder can be put into bad state with wild integers and strings
Product: WebKit
Version: 528+ (Nightly build)
Platform: PC
OS/Version: Mac OS X 10.5
Status: NEW
Severity: Normal
Priority: P2
Component: WebCore Misc.
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: cevans at google.com
For example:
var bb = new BlobBuilder();
var s = '';
var i = 0;
for (; i < 2000; ++i) s += 'A';  // build a 2000-character ASCII string
bb.append(s);
var b = bb.getBlob();            // b.size is 2000
var slice = b.slice(1999, 9223372036854775000);  // end bound far beyond the blob's size
This leaves "slice" with a crazy large "size" which is clearly incorrect. I haven't managed to abuse these broken objects to cause any crashing, but I'm going to fix it to be safe.
Patch forthcoming.
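The defensive fix the report points at is to clamp both slice bounds to the parent blob's size before computing the slice's own size. The following is an added example, not the WebKit patch: a stand-alone implementation of the File API slice(start, end) clamping rules (negative bounds count from the end, everything is clamped to [0, size], and a start past the end yields an empty slice), with the report's 2000-byte blob and oversized end bound as constructed input.

```javascript
// Added example (not WebKit's code): range clamping for Blob.slice(start, end)
// so a slice can never report a size larger than its parent, whatever
// integers the caller passes in.

// Clamp one bound to [0, size]; negative values count back from the end.
// NaN (e.g. from a non-numeric string) is treated as 0.
function clampBound(value, size) {
  const n = Number(value);
  if (Number.isNaN(n)) return 0;
  if (n < 0) return Math.max(size + n, 0);
  return Math.min(n, size);
}

// Compute the {start, end, size} a slice of a `size`-byte blob should get.
// Omitted start defaults to 0, omitted end defaults to the blob's size.
function sliceRange(size, start, end) {
  const relStart = start === undefined ? 0 : clampBound(start, size);
  const relEnd = end === undefined ? size : clampBound(end, size);
  const span = Math.max(relEnd - relStart, 0);
  return { start: relStart, end: relStart + span, size: span };
}

// Invariant every slice must satisfy relative to its parent blob.
function isSaneSlice(parentSize, r) {
  return r.start >= 0 && r.end <= parentSize && r.size === r.end - r.start;
}

// Constructed input mirroring the report: 2000-byte blob, end far past its size.
const parentSize = 2000;
const fromReport = sliceRange(parentSize, 1999, 9223372036854775000);
console.log(fromReport, isSaneSlice(parentSize, fromReport)); // size 1, true
```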