[Webkit-unassigned] [Bug 200438] New: Undefined behavior in Vector::append
bugzilla-daemon at webkit.org
Mon Aug 5 10:00:00 PDT 2019
https://bugs.webkit.org/show_bug.cgi?id=200438
Bug ID: 200438
Summary: Undefined behavior in Vector::append
Product: WebKit
Version: WebKit Nightly Build
Hardware: PC
OS: Linux
Status: NEW
Severity: Normal
Priority: P2
Component: Web Template Framework
Assignee: webkit-unassigned at lists.webkit.org
Reporter: mcatanzaro at gnome.org
Blocks: 104114
I believe Coverity has discovered some undefined behavior here:
template<typename T, size_t inlineCapacity, typename OverflowHandler, size_t minCapacity>
template<typename U>
ALWAYS_INLINE void Vector<T, inlineCapacity, OverflowHandler, minCapacity>::append(const U* data, size_t dataSize)
{
    size_t newSize = m_size + dataSize;
    if (newSize > capacity()) {
        data = expandCapacity(newSize, data);
        ASSERT(begin());
    }
    if (newSize < m_size)
        CRASH();
    asanBufferSizeWillChangeTo(newSize);
    T* dest = end();
    VectorCopier<std::is_trivial<T>::value, U>::uninitializedCopy(data, std::addressof(data[dataSize]), dest);
    m_size = newSize;
}
The full report here is a bit complicated, but I believe the crux of the problem is std::addressof(data[dataSize]). data[dataSize] is, of course, one element past the end of the array. Per https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91357, I understand that's already UB, and applying std::addressof after UB occurs doesn't make it OK (even though it apparently works with today's compilers).
I think it could be fixed by changing VectorCopy::uninitializedCopy to take a count indicating how much to copy and pass that directly to memcpy, rather than accepting the end pointer const T* srcEnd.
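As an added example (not WebKit's code and not the reporter's), here is the count-based uninitializedCopy the report proposes, dropped into a small growable buffer whose append() keeps the same contract as the snippet above: the size_t wrap-around check, and an expandCapacity() that rebases a source pointer aliasing the old storage when the caller appends a buffer to itself. The copier takes an element count, so the one-past-the-end position is only ever produced by pointer arithmetic (src + count), never by indexing data[dataSize]. All names here (CountedCopier, SmallBuffer and the three check functions) are assumptions made for this example.

```cpp
// Added example, not WebKit code: count-based copier plus a minimal buffer
// with the same append() contract as the reported Vector::append snippet.
#include <algorithm>
#include <cstddef>
#include <cstring>
#include <functional>
#include <limits>
#include <new>
#include <string>
#include <type_traits>

// Copier that takes an element count instead of an end pointer. It never
// evaluates src[count]; the only one-past-the-end value it can produce is
// src + count, which pointer arithmetic permits.
template<bool isTrivial, typename T>
struct CountedCopier;

template<typename T>
struct CountedCopier<true, T> {
    static void uninitializedCopy(const T* src, size_t count, T* dest)
    {
        if (count) // memcpy requires valid pointers even for zero bytes
            std::memcpy(static_cast<void*>(dest), src, count * sizeof(T));
    }
};

template<typename T>
struct CountedCopier<false, T> {
    static void uninitializedCopy(const T* src, size_t count, T* dest)
    {
        for (size_t i = 0; i < count; ++i)
            ::new (static_cast<void*>(dest + i)) T(src[i]);
    }
};

template<typename T>
class SmallBuffer {
public:
    SmallBuffer() = default;
    SmallBuffer(const SmallBuffer&) = delete;
    SmallBuffer& operator=(const SmallBuffer&) = delete;
    ~SmallBuffer() { destroyAll(m_buffer, m_size); ::operator delete(m_buffer); }

    size_t size() const { return m_size; }
    const T* data() const { return m_buffer; }
    const T& operator[](size_t i) const { return m_buffer[i]; }

    // Mirrors the report's append(): returns false where WebKit would CRASH()
    // on size_t wrap-around, and grows storage before copying when needed.
    bool append(const T* src, size_t count)
    {
        size_t newSize = m_size + count;
        if (newSize < m_size)
            return false;
        if (newSize > m_capacity)
            src = expandCapacity(newSize, src);
        CountedCopier<std::is_trivial<T>::value, T>::uninitializedCopy(src, count, m_buffer + m_size);
        m_size = newSize;
        return true;
    }

private:
    static void destroyAll(T* p, size_t n)
    {
        if (!std::is_trivially_destructible<T>::value)
            for (size_t i = 0; i < n; ++i)
                p[i].~T();
    }

    // Grows storage; if src pointed into the old storage (self-append) the
    // equivalent pointer into the new storage is returned.
    const T* expandCapacity(size_t minCapacity, const T* src)
    {
        size_t newCapacity = std::max(minCapacity, size_t(4));
        if (m_capacity <= std::numeric_limits<size_t>::max() / 2)
            newCapacity = std::max(newCapacity, m_capacity * 2);
        if (newCapacity > std::numeric_limits<size_t>::max() / sizeof(T))
            throw std::bad_alloc();
        T* newBuffer = static_cast<T*>(::operator new(newCapacity * sizeof(T)));
        CountedCopier<std::is_trivial<T>::value, T>::uninitializedCopy(m_buffer, m_size, newBuffer);
        std::less<const T*> before; // total order even across unrelated arrays
        if (m_buffer && !before(src, m_buffer) && before(src, m_buffer + m_size))
            src = newBuffer + (src - m_buffer);
        destroyAll(m_buffer, m_size);
        ::operator delete(m_buffer);
        m_buffer = newBuffer;
        m_capacity = newCapacity;
        return src;
    }

    T* m_buffer = nullptr;
    size_t m_size = 0;
    size_t m_capacity = 0;
};

// Self-append across a reallocation: src aliases the storage that
// expandCapacity() frees, so it must be rebased before the copy.
inline bool selfAppendRoundTrip()
{
    SmallBuffer<int> buf;
    const int seed[] = { 1, 2, 3, 4 }; // constructed sample input
    buf.append(seed, 4);
    buf.append(buf.data(), buf.size()); // forces growth from 4 to 8
    if (buf.size() != 8) return false;
    for (size_t i = 0; i < 8; ++i)
        if (buf[i] != seed[i % 4]) return false;
    return true;
}

// m_size + SIZE_MAX wraps; this is the path WebKit's snippet turns into CRASH().
inline bool wrapAroundIsRejected()
{
    SmallBuffer<int> buf;
    const int seed[] = { 7 };
    buf.append(seed, 1);
    return !buf.append(seed, std::numeric_limits<size_t>::max()) && buf.size() == 1;
}

// Non-trivial T takes the placement-new path of the copier.
inline bool nonTrivialTypesWork()
{
    SmallBuffer<std::string> buf;
    const std::string words[] = { "alpha", "beta" };
    buf.append(words, 2);
    buf.append(buf.data(), buf.size());
    return buf.size() == 4 && buf[2] == "alpha" && buf[3] == "beta";
}
```

With the count passed through, the end of the source range is never named at all: memcpy receives a byte count and the non-trivial path loops to count, so the expression std::addressof(data[dataSize]) simply disappears rather than being rewritten as data + dataSize. The aliasing check in expandCapacity() uses std::less because ordering pointers into different allocations with raw < is unspecified, which is the same kind of pedantry the report is about.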