[Webkit-unassigned] [Bug 48308] Too precise serialization from floating point number to string for "number" input elements
bugzilla-daemon at webkit.org
Thu Oct 28 09:01:19 PDT 2010
https://bugs.webkit.org/show_bug.cgi?id=48308
--- Comment #5 from Simon Fraser (smfr) <simon.fraser at apple.com> 2010-10-28 09:01:18 PST ---
(From update of attachment 72189)
View in context: https://bugs.webkit.org/attachment.cgi?id=72189&action=review
> WebCore/html/parser/HTMLParserIdioms.cpp:70
> NumberToStringBuffer buffer;
> - unsigned length = numberToString(number, buffer);
> + // Round the result with 9 significant digits.
> + // 9 because of the significant digits of IEEE 754 single-precision numbers.
> + // They have 23 fraction bits, then 2^24 = 16,677,216.
> + // +1 to be safe in case of re-parsing required.
> + // Another reason for 9 is to follow the example in HTML5 4.10.7.2.10.
> + // <input name=opacity type=range min=0 max=1 step=0.00392156863>
> + unsigned length = numberToString(number, buffer, 9);
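Review bot: the arithmetic in the added comment is off: 2^24 is 16,777,216, not 16,677,216, so the line should read "// They have 23 fraction bits (24 with the implicit leading bit), then 2^24 = 16,777,216." The digit count still holds: 2^24 is an 8-digit number, and one extra digit is what guarantees that every single-precision value survives a decimal round trip, so 9 is the right choice and matches the HTML5 example cited. Since `numberToString(number, buffer, 9)` writes into a fixed-size `NumberToStringBuffer`, the comment should also state what bounds the produced string (sign, up to 9 digits, decimal point, optional exponent) against that buffer's capacity, or the call should take the buffer length explicitly; as written, nothing in the hunk documents why the new path cannot overrun it.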
Isn't there a potential buffer overflow here (in the old code, as well as yours)? See
http://trac.webkit.org/changeset/70198