nsAttrAndChildArray::AddAttrSlot() sets the new (empty) Attr slot to two nullptrs rather than zeroing the size of the structure that will go there

RESOLVED FIXED in Firefox 55

Status: RESOLVED FIXED
Product: Core
Component: DOM

Reporter: bytesized
Assignee: bytesized

Blocks: 1 bug
Version: unspecified
Target Milestone: mozilla55
Points: ---
Firefox Tracking Flags: firefox55 fixed

Attachments: 1 attachment

Description (Assignee, a month ago)
The implementation of nsAttrAndChildArray::AddAttrSlot sets the new Attribute slot using two nullptr assignments [1]. The rest of the code properly determines the size of the structure using the sizeof operator, but this line makes the assumption that the structure will be the size of two pointers.

This should be fixed such that the memory in a region the size of the structure that will be stored there (nsAttrAndChildArray::InternalAttr) is zeroed instead of assuming that the structure will be a specific size.

The memory should be zeroed rather than an InternalAttr being constructed there in order to guarantee that nsAttrAndChildArray::AttrSlotIsTaken [2] continues to work correctly.

[1] http://searchfox.org/mozilla-central/rev/4bd7a206dea5382c97a8a0c30beef668cc449f5b/dom/base/nsAttrAndChildArray.cpp#883-884
[2] http://searchfox.org/mozilla-central/rev/4bd7a206dea5382c97a8a0c30beef668cc449f5b/dom/base/nsAttrAndChildArray.h#173-177
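The size assumption the report describes, modelled as an added example (this is not Mozilla's code; SlotV1, SlotV2 and the helper names are hypothetical stand-ins for InternalAttr and AddAttrSlot). It shows why two nullptr writes only happen to clear a slot while the structure is exactly two pointers wide, and why zeroing sizeof(Slot) bytes still works once a field is added.

```cpp
#include <cstdlib>
#include <cstring>
// Hypothetical stand-ins for nsAttrAndChildArray::InternalAttr (not Mozilla's
// definition). SlotV1 is the layout the two-nullptr code implicitly assumed:
// exactly two pointer-sized fields. SlotV2 is the same slot after a field is
// added, so it is now larger than two pointers.
struct SlotV1 { void* name; void* value; };
struct SlotV2 { void* name; void* value; unsigned flags; };

// Slots live in a raw, malloc-backed buffer, so a fresh slot starts out holding
// whatever that memory held. 0xAB is a constructed stand-in for stale heap
// contents so the outcome is deterministic.
template <typename Slot>
static Slot* AllocDirtySlot() {
    void* raw = std::malloc(sizeof(Slot));
    std::memset(raw, 0xAB, sizeof(Slot));
    return static_cast<Slot*>(raw);
}

// The pattern the report objects to: "clear" the slot with two nullptr writes,
// which silently assumes sizeof(Slot) == 2 * sizeof(void*).
template <typename Slot>
static void AddAttrSlot_TwoNullptrs(Slot* slot) {
    void** p = reinterpret_cast<void**>(slot);
    p[0] = nullptr;
    p[1] = nullptr;
}

// The fix the report asks for: zero exactly sizeof(Slot) bytes.
template <typename Slot>
static void AddAttrSlot_Zeroed(Slot* slot) { std::memset(slot, 0, sizeof(Slot)); }

// True if any byte of the slot is still non-zero after "clearing" it.
template <typename Slot>
static bool HasStaleBytes(const Slot* slot) {
    const unsigned char* b = reinterpret_cast<const unsigned char*>(slot);
    for (std::size_t i = 0; i < sizeof(Slot); ++i) if (b[i] != 0) return true;
    return false;
}

// True when the two-nullptr strategy leaves stale bytes in a slot of this
// layout while zeroing sizeof(Slot) leaves none.
template <typename Slot>
static bool TwoNullptrsLeaveGarbage() {
    Slot* a = AllocDirtySlot<Slot>();  AddAttrSlot_TwoNullptrs(a);
    Slot* b = AllocDirtySlot<Slot>();  AddAttrSlot_Zeroed(b);
    bool result = HasStaleBytes(a) && !HasStaleBytes(b);
    std::free(a);  std::free(b);
    return result;
}
```

For SlotV1 both strategies leave the slot fully zeroed; for SlotV2 only the sizeof-based zeroing does, which is the regression the report wants to rule out.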
Updated (Assignee, a month ago)
Component: DOM: Core & HTML → DOM
Comment hidden (mozreview-request)
Updated (Assignee, a month ago)
Attachment #8859701 - Flags: review?(bzbarsky)
Comment 2 (Assignee, a month ago)
https://treeherder.mozilla.org/#/jobs?repo=try&revision=866de54cc546f5edbf7a941f6f748c7553bf2262
Comment on attachment 8859701 [details]
Bug 1357865 - Correctly zero the size of an InternalAttr in nsAttrAndChildArray::AddAttrSlot

https://reviewboard.mozilla.org/r/131708/#review134514

r=me
Attachment #8859701 - Flags: review?(bzbarsky) → review+

Comment 4 (a month ago)
Pushed by ksteuber@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/b31ecedca670
Correctly zero the size of an InternalAttr in nsAttrAndChildArray::AddAttrSlot r=bz
https://hg.mozilla.org/mozilla-central/rev/b31ecedca670
Status: ASSIGNED → RESOLVED
Last Resolved: a month ago
status-firefox55: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla55