[Webkit-unassigned] [Bug 52791] New: Buffer overrun in WebCore::InspectorBasicValue::writeJSON
bugzilla-daemon at webkit.org
Thu Jan 20 00:54:06 PST 2011
https://bugs.webkit.org/show_bug.cgi?id=52791
Summary: Buffer overrun in WebCore::InspectorBasicValue::writeJSON
Product: WebKit
Version: 525.x (Safari 3.2)
Platform: All
OS/Version: All
Status: UNCONFIRMED
Severity: Normal
Priority: P1
Component: Web Inspector
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: m.malecki at samsung.com
Mikołaj Małecki <m.malecki at samsung.com> changed:
           What         |Removed                     |Added
----------------------------------------------------------------------------
Attachment #79562 Flag  |                            |review?, commit-queue?
Created an attachment (id=79562)
--> (https://bugs.webkit.org/attachment.cgi?id=79562&action=review)
Patch with fix for InspectorBasicValue::writeJSON
WebCore::InspectorBasicValue::writeJSON, when the type is Number, doesn't check whether there is enough room in the string buffer to write the number in decimal format. DecimalNumber::toStringDecimal(), despite getting the buffer length, doesn't check it when writing to the buffer (the construction of the function doesn't even give such a possibility). As a result, when getting the contents of the global scope and the value of MIN_VALUE, which is 5e-324, this function tries to write 324 zeros into a 96-byte buffer.
With this fix, .::writeJSON calls the provided functions that predict the required room for a given number, and selects either decimal format or exponential format, or eventually "NaN" if there's not enough room in the string buffer.