[Webkit-unassigned] [Bug 127424] Crashes in setTextForIterator
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Wed Jan 22 10:22:03 PST 2014
https://bugs.webkit.org/show_bug.cgi?id=127424
--- Comment #5 from Brent Fulgham <bfulgham at webkit.org> 2014-01-22 10:19:33 PST ---
(In reply to comment #4)
> (In reply to comment #3)
> > (From update of attachment 221864 [details] [details])
> > I'd like better understanding of why we are off by one here. Are some routines expecting the buffer to hold a null termination? I notice that most of the uses of UTextWIthBufferInlineCapacity are actually "UTextWithBufferInlineCapacity + 1" (for memsets, etc.) Is that where the crash was occurring?
>
> No, the crash occurs at the end of setTextForIterator, because runtime checks detects that we have written past a stack variable (UTextWithBuffer textLocal, in setTextForIterator), and damaged the stack.
> It is the memset that writes past the stack variable.
I see. The call to "openLatin1UTextProvider" has the memset, and the memset always writes UTextWithBufferInlineCapacity + 1.
It's unclear if we should be resizing the buffer, or revising the uses of UTextWithBufferInlineCapacity to avoid the additional "+ 1".
For example, if we resize the buffer by one, is this math now wrong? (see UTextProviderLatin1.cpp line 125):
uText->chunkNativeLimit = uText->chunkNativeStart + UTextWithBufferInlineCapacity;
--
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
More information about the webkit-unassigned
mailing list