Bug 1143130
Opened 9 years ago
Closed 9 years ago
nsTextFrame::GetCharacterOffsetAtFrame returns uninitialized nsIFrame::ContentOffsets
Categories
(Core :: Layout, defect)
RESOLVED
FIXED
mozilla40
People
(Reporter: erahm, Assigned: MatsPalmgren_bugz)
References
(Blocks 1 open bug)
Details
(Keywords: coverity, csectype-uninitialized, sec-other, Whiteboard: [CID 1285939][post-critsmash-triage][adv-main40+])
Attachments
(1 file)
patch, 2.81 KB, roc: review+
Coverity indicates that |nsTextFrame::GetCharacterOffsetAtFrame| returns an instance of |nsIFrame::ContentOffsets| with uninitialized members [1] (offset, secondaryOffset, associate). This is a non-issue if every usage checks |ContentOffsets::content| prior to using other values. I'm not sure if that's the case. Flagging as sec as it's not clear to me where/how these uninitialized values are used. [1] https://hg.mozilla.org/mozilla-central/annotate/11506aaf7064/layout/generic/nsTextFrame.cpp#l6492
Comment 1•9 years ago
Mats, is this something you could look into? Thanks.
Flags: needinfo?(mats)
Keywords: csectype-uninitialized
Assignee
Comment 2•9 years ago
Initialize the members in the default ctor. Remove the copy ctor and dtor since they are the same as the default. I checked consumers and they all null-check .content before using the other fields, or they were invoked on frames guaranteed not to be text frames so are not affected by the indicated line. So there's no security issue here afaict.
Attachment #8589693 -
Flags: review?(roc) → review+
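A self-contained illustration of the fix described in comment 2, added here as example code (it is not Mozilla's nsIFrame.h or nsTextFrame.cpp): a ContentOffsets-shaped struct whose default constructor initializes every member, a GetCharacterOffsetAtFrame-like function that returns a default-constructed value on its "not a text frame" path, and the consumer contract that .content is null-checked before the other fields are read. The Content and Frame types, the default values, and the offset arithmetic are assumptions made for this example.

```cpp
#include <cstdint>
#include <string>

// Stand-ins for Gecko types, constructed for this example (not Mozilla code).
struct Content { std::string text; };

enum CaretAssociationHint { CARET_ASSOCIATE_BEFORE, CARET_ASSOCIATE_AFTER };

// Shape of the struct as Coverity flagged it: only `content` has a
// deterministic default. Returning a default-constructed instance and
// reading offset/secondaryOffset/associate is undefined behaviour, which is
// why this type is defined here but never instantiated.
struct ContentOffsetsBeforeFix {
  Content* content = nullptr;
  int32_t offset;                  // indeterminate after default construction
  int32_t secondaryOffset;         // indeterminate after default construction
  CaretAssociationHint associate;  // indeterminate after default construction
};

// Shape after the fix: the default ctor initializes every member, so a
// "null" result is safe to read even by a consumer that forgets the check.
// (Assumed defaults; the real header's values are not reproduced here.)
struct ContentOffsets {
  ContentOffsets()
      : content(nullptr), offset(0), secondaryOffset(0),
        associate(CARET_ASSOCIATE_BEFORE) {}
  Content* content;
  int32_t offset;
  int32_t secondaryOffset;
  CaretAssociationHint associate;
  bool IsNull() const { return !content; }
};

// Minimal frame model (assumption): a frame either wraps a slice of text
// content or, for a non-text frame, has no content at all.
struct Frame {
  Content* content;       // nullptr for a non-text frame
  int32_t contentOffset;  // where this frame's slice starts inside content
  int32_t contentLength;  // length of the slice
};

// Mirrors the early-return shape of GetCharacterOffsetAtFrame: only a text
// frame produces offsets; any other frame yields a default-constructed
// (null) value whose remaining fields are now zero rather than garbage.
ContentOffsets GetCharacterOffsetAtFrame(const Frame& frame,
                                         int32_t inFrameOffset) {
  ContentOffsets result;  // every member initialized by the ctor
  if (!frame.content) {
    return result;        // content stays null: consumers must check it
  }
  if (inFrameOffset < 0) inFrameOffset = 0;
  if (inFrameOffset > frame.contentLength) inFrameOffset = frame.contentLength;
  result.content = frame.content;
  result.offset = frame.contentOffset + inFrameOffset;
  result.secondaryOffset = result.offset;
  result.associate = (inFrameOffset == frame.contentLength)
                         ? CARET_ASSOCIATE_AFTER
                         : CARET_ASSOCIATE_BEFORE;
  return result;
}

// The consumer contract comment 2 relies on: check `content` before using
// the other fields. Returns -1 when there is no content to place a caret in.
int32_t CaretOffsetOrNone(const Frame& frame, int32_t inFrameOffset) {
  ContentOffsets o = GetCharacterOffsetAtFrame(frame, inFrameOffset);
  if (o.IsNull()) return -1;
  return o.offset;
}
```

The null-check in the consumer is still the real guard; initializing the members turns a read of a null result from undefined behaviour into a deterministic (if meaningless) zero, which is what makes the Coverity finding a hardening fix rather than a vulnerability.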
Assignee
Comment 3•9 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/cbff0d351f74
Flags: in-testsuite-
Comment 4•9 years ago
https://hg.mozilla.org/mozilla-central/rev/cbff0d351f74
Status: NEW → RESOLVED
Closed: 9 years ago
status-firefox40:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla40
Updated•9 years ago
Whiteboard: [CID 1285939] → [CID 1285939][post-critsmash-triage]
Updated•9 years ago
Whiteboard: [CID 1285939][post-critsmash-triage] → [CID 1285939][post-critsmash-triage][adv-main40+]
Updated•9 years ago
Group: core-security → core-security-release
Updated•8 years ago
Group: core-security-release
Updated•6 years ago
Blocks: coverity-analysis