Open Bug 1361580 Opened 3 years ago Updated 3 years ago

coverity report: nsContinuingTextFrame::mPrevContinuation isn't initialized properly

Categories

(Core :: Layout: Text and Fonts, defect, P3)

53 Branch
defect


People

(Reporter: mats, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: coverity, regression, Whiteboard: [CID 750303])

Filing this as security sensitive just in case...


Coverity CID 750303 Uninitialized pointer field

The pointer field will point to an arbitrary memory location, any attempt to write may cause corruption.

In nsContinuingTextFrame::nsContinuingTextFrame(nsStyleContext *): A pointer field is not initialized in the constructor


protected:
  explicit nsContinuingTextFrame(nsStyleContext* aContext)
    : nsTextFrame(aContext)
    // CID 750303 (#1 of 1): Uninitialized pointer field (UNINIT_CTOR)
    // 2. uninit_member: Non-static class member mPrevContinuation is not
    //    initialized in this constructor nor in any functions that it calls.
  {}

  // 1. member_decl: Class member declaration for mPrevContinuation.
  nsTextFrame* mPrevContinuation;
};
Actually, there's only one path that creates nsContinuingTextFrame:
http://searchfox.org/mozilla-central/rev/abe68d5dad139e376d5521ca1d4b7892e1e7f1ba/layout/base/nsCSSFrameConstructor.cpp#9147
and we always call Init there with a non-null aPrevInFlow (aFrame):
http://searchfox.org/mozilla-central/rev/abe68d5dad139e376d5521ca1d4b7892e1e7f1ba/layout/generic/nsSplittableFrame.cpp#26

Still, it's probably worth adding a mPrevContinuation(nullptr) there.
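The following is an added illustration, not Gecko's code: a minimal stand-in for the frame classes that shows the pattern Coverity flagged next to the suggested `mPrevContinuation(nullptr)` fix, plus the Init-with-non-null-predecessor path described in the comment above. The `Frame` base class, its `Init`/`GetPrevContinuation` methods and the `ContinuingFrame*` names are all assumptions for the example; the real classes are nsSplittableFrame/nsTextFrame/nsContinuingTextFrame. The helper constructs each variant into storage pre-filled with a known byte pattern and inspects the object representation of the member (unsigned char reads, not a read of the indeterminate pointer value itself) to show which constructor actually writes the field.

```cpp
// Added example, not Gecko's code: stand-ins for the frame classes in bug 1361580.
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <new>

// Stand-in for nsSplittableFrame (assumption): Init(aPrevInFlow) links the new
// frame to its predecessor, as the single creation path in the bug always does.
struct Frame {
    virtual ~Frame() = default;
    virtual void Init(Frame* aPrevInFlow) {
        if (aPrevInFlow) aPrevInFlow->mNextContinuation = this;
    }
    virtual Frame* GetPrevContinuation() const { return nullptr; }
    Frame* mNextContinuation = nullptr;
};

// The pattern Coverity reported: the constructor never touches
// mPrevContinuation, so until Init() runs the member holds whatever bytes the
// allocation already contained.
struct ContinuingFrameUninit : Frame {
    ContinuingFrameUninit() {}
    void Init(Frame* aPrevInFlow) override {
        Frame::Init(aPrevInFlow);
        mPrevContinuation = aPrevInFlow;
    }
    Frame* GetPrevContinuation() const override { return mPrevContinuation; }
    Frame* mPrevContinuation;
};

// The fix suggested in the bug: initialise the member in the constructor's
// member-initialiser list, so a frame that is never Init()ed still holds null.
struct ContinuingFrameFixed : Frame {
    ContinuingFrameFixed() : mPrevContinuation(nullptr) {}
    void Init(Frame* aPrevInFlow) override {
        Frame::Init(aPrevInFlow);
        mPrevContinuation = aPrevInFlow;
    }
    Frame* GetPrevContinuation() const override { return mPrevContinuation; }
    Frame* mPrevContinuation;
};

// Construct T into storage pre-filled with kFill and report whether every byte
// of mPrevContinuation still equals kFill afterwards, i.e. whether the
// constructor left the field untouched. The bytes are read as unsigned char
// (the object representation) rather than reading the pointer value, because
// reading an indeterminate pointer value is undefined behaviour.
template <typename T>
static bool PrevContinuationKeepsFillBytes() {
    const unsigned char kFill = 0xAA;
    alignas(T) unsigned char storage[sizeof(T)];
    std::memset(storage, kFill, sizeof storage);
    T* frame = new (storage) T();
    const unsigned char* objBytes = reinterpret_cast<const unsigned char*>(frame);
    const unsigned char* memberBytes =
        reinterpret_cast<const unsigned char*>(&frame->mPrevContinuation);
    const std::size_t offset = static_cast<std::size_t>(memberBytes - objBytes);
    bool allFill = true;
    for (std::size_t i = 0; i < sizeof(Frame*); ++i) {
        if (objBytes[offset + i] != kFill) allFill = false;
    }
    frame->~T();
    return allFill;
}

// With the fix, a frame that has not been Init()ed reports a null predecessor
// instead of an arbitrary address.
static bool FixedIsNullBeforeInit() {
    ContinuingFrameFixed frame;
    return frame.GetPrevContinuation() == nullptr;
}

// The normal path from the bug: Init is always called with a non-null
// predecessor, which sets the field in both variants.
static bool LinksAfterInit() {
    ContinuingFrameFixed first;
    ContinuingFrameFixed second;
    second.Init(&first);
    return second.GetPrevContinuation() == &first &&
           first.mNextContinuation == &second;
}

int main() {
    std::printf("uninit ctor leaves fill bytes: %d\n",
                PrevContinuationKeepsFillBytes<ContinuingFrameUninit>());
    std::printf("fixed ctor leaves fill bytes:  %d\n",
                PrevContinuationKeepsFillBytes<ContinuingFrameFixed>());
    std::printf("fixed is null before Init:     %d\n", FixedIsNullBeforeInit());
    std::printf("links after Init:              %d\n", LinksAfterInit());
    return 0;
}
```

Note that a compiler warning such as -Wuninitialized does not catch this class of defect (nothing in the constructor reads the member), which is why it surfaces through static analysis like Coverity's UNINIT_CTOR checker or at runtime through MemorySanitizer when a path that skips Init() reads the field.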
It seems I can no longer remove the core-security flag.

Dan, can you make this bug public please?
Flags: needinfo?(dveditz)
Group: core-security
Flags: needinfo?(dveditz)
Whiteboard: [CID 750303]
Priority: -- → P3