Closed
Bug 1361580
Opened 7 years ago
Closed 4 months ago
coverity report: nsContinuingTextFrame::mPrevContinuation isn't initialized properly
Categories
(Core :: Layout: Text and Fonts, defect, P3)
Tracking
RESOLVED
FIXED
122 Branch
People
(Reporter: MatsPalmgren_bugz, Assigned: TYLin)
References
(Blocks 1 open bug)
Details
(Keywords: coverity, regression, Whiteboard: [CID 750303])
Attachments
(2 files)
Filing this as security sensitive just in case...

Coverity CID 750303 Uninitialized pointer field
The pointer field will point to an arbitrary memory location, any attempt to write may cause corruption.

In nsContinuingTextFrame::nsContinuingTextFrame(nsStyleContext *): A pointer field is not initialized in the constructor

4354 protected:
4355   explicit nsContinuingTextFrame(nsStyleContext* aContext)
4356     : nsTextFrame(aContext)
       CID 750303 (#1 of 1): Uninitialized pointer field (UNINIT_CTOR)
       2. uninit_member: Non-static class member mPrevContinuation is not initialized in this constructor nor in any functions that it calls.
4357   {}
4358
       1. member_decl: Class member declaration for mPrevContinuation.
4359   nsTextFrame* mPrevContinuation;
4360 };
Reporter
Comment 1•7 years ago
Actually, there's only one path that create nsContinuingTextFrame:
http://searchfox.org/mozilla-central/rev/abe68d5dad139e376d5521ca1d4b7892e1e7f1ba/layout/base/nsCSSFrameConstructor.cpp#9147
and we always call Init there with a non-null aPrevInFlow (aFrame):
http://searchfox.org/mozilla-central/rev/abe68d5dad139e376d5521ca1d4b7892e1e7f1ba/layout/generic/nsSplittableFrame.cpp#26

Still, it's probably worth adding a mPrevContinuation(nullptr) there.
Reporter
Comment 2•7 years ago
It seems I can no longer remove the core-security flag. Dan, can you make this bug public please?
Flags: needinfo?(dveditz)
Updated•7 years ago
Group: core-security
Flags: needinfo?(dveditz)
Updated•7 years ago
Blocks: coverity-analysis
Whiteboard: [CID 750303]
Updated•7 years ago
Priority: -- → P3
Updated•2 years ago
Severity: normal → S3
Assignee
Comment 3•4 months ago
In nsContinuingTextFrame::Init() [1], we always call SetPrevInFlow() to initialize mPrevContinuation, so we are fine. Still, it is better to initialize the pointer properly before Init().
Updated•4 months ago
Assignee: nobody → aethanyc
Status: NEW → ASSIGNED
Assignee
Comment 4•4 months ago
Depends on D194407
Pushed by aethanyc@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/55dba745f9b3
Initialize nsContinuingTextFrame::mPrevContinuation. r=dholbert
https://hg.mozilla.org/integration/autoland/rev/662bda9458a8
Move the initialization of nsTextFrame members to where they are declared. r=dholbert
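A reduced model of the pattern behind this bug and its fix, added here as an illustration and not code from mozilla-central: a base frame whose Init() sets the prev-in-flow link, and a continuing frame whose pointer member gets a default member initializer at its declaration (as the second landed changeset does for nsTextFrame members), so the member is null rather than indeterminate in the window between construction and Init(). Class and method names are simplified stand-ins for nsSplittableFrame and nsContinuingTextFrame.

```cpp
// Added example modelling bug 1361580; not Mozilla code. Names are stand-ins.
#include <cstddef>

// Stand-in for nsSplittableFrame: Init() wires up the prev-in-flow link.
class SplittableFrame {
 public:
  virtual ~SplittableFrame() = default;
  virtual void Init(SplittableFrame* aPrevInFlow) {
    if (aPrevInFlow) {
      SetPrevInFlow(aPrevInFlow);
    }
  }
  virtual void SetPrevInFlow(SplittableFrame* aPrev) { mPrevInFlow = aPrev; }
  SplittableFrame* GetPrevInFlow() const { return mPrevInFlow; }

 private:
  SplittableFrame* mPrevInFlow = nullptr;
};

// Stand-in for nsContinuingTextFrame. Before the fix the constructor left
// mPrevContinuation without an initializer (Coverity UNINIT_CTOR), so any read
// before Init() saw an indeterminate pointer. A default member initializer at
// the declaration covers every constructor the class has now or gains later.
class ContinuingTextFrame : public SplittableFrame {
 public:
  ContinuingTextFrame() = default;  // no init list needed any more

  // Mirrors comment 3: SetPrevInFlow() is what fills in mPrevContinuation.
  void SetPrevInFlow(SplittableFrame* aPrev) override {
    SplittableFrame::SetPrevInFlow(aPrev);
    mPrevContinuation = aPrev;
  }
  SplittableFrame* GetPrevContinuation() const { return mPrevContinuation; }

 private:
  SplittableFrame* mPrevContinuation = nullptr;  // the fix: initialized here
};

// Safe to inspect before Init(): the member is a well-defined nullptr.
bool PrevContinuationNullBeforeInit() {
  ContinuingTextFrame frame;
  return frame.GetPrevContinuation() == nullptr;
}

// After Init() with a prev-in-flow, both links point at that frame.
bool PrevContinuationSetAfterInit() {
  SplittableFrame first;
  ContinuingTextFrame cont;
  cont.Init(&first);
  return cont.GetPrevContinuation() == &first && cont.GetPrevInFlow() == &first;
}
```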
Comment 6•4 months ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/55dba745f9b3
https://hg.mozilla.org/mozilla-central/rev/662bda9458a8
Status: ASSIGNED → RESOLVED
Closed: 4 months ago
status-firefox122:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 122 Branch
Updated•4 months ago
status-firefox120:
--- → wontfix
status-firefox121:
--- → wontfix
status-firefox-esr115:
--- → wontfix