Bug 1157135
Opened 10 years ago
Updated 3 years ago
Uninitialised value use in TabParent::AddInitialDnDDataTo
Categories: Core :: DOM: UI Events & Focus Handling, defect
Tracking
| Release | Tracking | Status |
|---|---|---|
| firefox40 | --- | affected |
Status: NEW
People
(Reporter: jseward, Unassigned)
Attachments (1 file)
5.47 KB, text/plain
For editor/libeditor/tests/test_bug417418.html, Valgrind reports that
item.mType is uninitialised in
TabParent::AddInitialDnDDataTo(DataTransfer* aDataTransfer).
dom/ipc/TabParent.cpp
3207     // Special case kFilePromiseMime so that we get the right
         // nsIFlavorDataProvider for it.
         if (item.mFlavor.EqualsLiteral(kFilePromiseMime)) {
           nsRefPtr<nsISupports> flavorDataProvider =
             new nsContentAreaDragDropDataProvider();
           variant->SetAsISupports(flavorDataProvider);
3213     } else if (item.mType == DataTransferItem::DataType::eString) {   <---HERE
           variant->SetAsAString(item.mStringData);
         } else if (item.mType == DataTransferItem::DataType::eBlob) {
           variant->SetAsISupports(item.mBlobData);
         }
From some poking around, I think that |item| was allocated just above
in TabParent::RecvInvokeDragSession, here:
3150 DataTransferItem* localItem = itemArray->AppendElement();
It seems to me that the if / else-if that immediately follows can fail
to write any value to localItem->mType. And mType is just an enum, so
there is no automatic initialisation of it via a constructor inside
AppendElement. So if neither the if nor the else-if is taken,
localItem->mType is uninitialised.
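The mechanism described above, reduced to a stand-alone C++ example. This is added illustration, not Gecko's code: `ItemUnfixed`, `ItemFixed`, `TinyArray`, `FillItem` and `ClassifyForVariant` are hypothetical stand-ins for DataTransferItem, nsTArray::AppendElement, the fill-in code in RecvInvokeDragSession and the if / else-if chain in AddInitialDnDDataTo. The value of kFilePromiseMime is assumed from nsITransferable.h, and the 0xAA poison fill is added so the untouched enum bytes can be seen without Valgrind. The hardened form gives the enum a default member initializer and handles the "neither branch" case explicitly.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <new>
#include <string>

// Stand-ins written for this example; not Gecko's types.
// kFilePromiseMime's value is assumed from nsITransferable.h.
static const char kFilePromiseMime[] = "application/x-moz-file-promise";

enum class DataType : uint32_t { eString = 1, eBlob = 2, eUnknown = 0xFFFFFFFFu };

// Shape the report describes: an enum member with no constructor and no
// default member initializer, so default-initialization leaves it untouched.
struct ItemUnfixed {
    std::string mFlavor;
    DataType    mType;
    std::string mStringData;
};

// Hardened form: the default member initializer gives mType a defined value
// whichever branch of the filling code runs, or none of them.
struct ItemFixed {
    std::string mFlavor;
    DataType    mType = DataType::eUnknown;
    std::string mStringData;
};

// Minimal AppendElement() that, like nsTArray's, default-initializes the new
// slot with `new (slot) T;` rather than value-initializing with `T()`.
// Storage is poisoned with 0xAA so bytes nobody wrote stay recognizable.
template <class T, size_t N>
class TinyArray {
public:
    TinyArray() { std::memset(mStorage, 0xAA, sizeof mStorage); }
    ~TinyArray() { for (size_t i = 0; i < mLen; ++i) At(i)->~T(); }
    T* AppendElement() {
        if (mLen == N) return nullptr;
        return new (At(mLen++)) T;   // std::string members get constructed; mType does not
    }
    T* At(size_t i) { return reinterpret_cast<T*>(mStorage + i * sizeof(T)); }
private:
    alignas(T) unsigned char mStorage[N * sizeof(T)];
    size_t mLen = 0;
};

// Copies mType's bytes out through unsigned char, the one type that may carry
// indeterminate bytes, so the leftover poison can be inspected without
// branching on the enum itself (the branch is what Valgrind flags).
static uint32_t RawTypeBits(const ItemUnfixed& item) {
    unsigned char b[sizeof item.mType];
    std::memcpy(b, &item.mType, sizeof b);
    uint32_t v = 0;
    for (unsigned char c : b) v = (v << 8) | c;
    return v;
}

// The three ways a slot can be filled: string payload, blob payload, or
// neither. Only the first two assign mType.
template <class Item>
static Item* FillItem(Item* local, const std::string& flavor,
                      const std::string* str, bool isBlob) {
    local->mFlavor = flavor;
    if (str) {
        local->mType = DataType::eString;
        local->mStringData = *str;
    } else if (isBlob) {
        local->mType = DataType::eBlob;
    }
    return local;                    // third case: mType not written here
}

enum class VariantKind { eISupports, eAString, eNotSet };

// Same if / else-if chain as AddInitialDnDDataTo, with the "neither" outcome
// explicit instead of depending on whatever bits mType happened to hold.
static VariantKind ClassifyForVariant(const ItemFixed& item) {
    if (item.mFlavor == kFilePromiseMime) return VariantKind::eISupports;
    if (item.mType == DataType::eString)  return VariantKind::eAString;
    if (item.mType == DataType::eBlob)    return VariantKind::eISupports;
    return VariantKind::eNotSet;          // eUnknown: nothing goes into the variant
}

// Allocate through AppendElement(), fill, classify: the path the report walks,
// on the hardened item type.
static VariantKind FillAndClassify(const std::string& flavor,
                                   const std::string* str, bool isBlob) {
    TinyArray<ItemFixed, 4> items;
    return ClassifyForVariant(*FillItem(items.AppendElement(), flavor, str, isBlob));
}

// True when the unfixed type's mType still holds the 0xAA poison after
// AppendElement() plus a fill that takes neither branch.
static bool UnfixedTypeLeftUntouched() {
    TinyArray<ItemUnfixed, 4> items;
    ItemUnfixed* local = FillItem(items.AppendElement(), "text/x-moz-url", nullptr, false);
    return RawTypeBits(*local) == 0xAAAAAAAAu;
}

static const std::string kSampleText = "dragged text";   // constructed sample payload

int main() {
    std::printf("unfixed mType still poison: %s\n", UnfixedTypeLeftUntouched() ? "yes" : "no");
    bool unset = FillAndClassify("text/x-moz-url", nullptr, false) == VariantKind::eNotSet;
    std::printf("fixed item, neither branch: %s\n", unset ? "eNotSet" : "set");
    return 0;
}
```

`UnfixedTypeLeftUntouched()` is a demonstration only: by the language rules the value it reads is indeterminate, which is exactly why the report's branch on `item.mType` is a defect rather than a harmless warning. The checks worth relying on are the ones on `ItemFixed`, where the initializer makes the "neither branch" outcome deterministic.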
Comment 1 • 10 years ago (Reporter)

Comment 2 • 10 years ago (Reporter)
Possibly related to bug 936092.
Updated • 6 years ago (Assignee)
Component: Event Handling → User events and focus handling

Updated • 3 years ago
Severity: normal → S3