Closed
Bug 243928
Opened 20 years ago
Closed 4 years ago
[W] UMR: Uninitialized memory read in nsTextFragment::SetBidiFlag(void) {4 occurrences}
Categories
(Core :: DOM: Core & HTML, defect, P5)
RESOLVED
INVALID
People
(Reporter: timeless, Unassigned)
Details
[W] UMR: Uninitialized memory read in nsTextFragment::SetBidiFlag(void) {4 occurrences}
Reading 1 byte from 0x089c3669 (1 byte at 0x089c3669 uninitialized)
Address 0x089c3669 is 9 bytes into a 42 byte block at 0x089c3660
Address 0x089c3669 points to a HeapAlloc'd block in heap 0x00d80000
Thread ID: 0xa08
Error location
nsTextFragment::SetBidiFlag(void)+0x5a
[r:\mozilla\content\shared\src\nstextfragment.cpp:353 ip=0x045785c6]
memcpy(aDest, m1b + aOffset, sizeof(char) * aCount);
}
}
}
// To save time we only do this when we really want to know, not during
// every allocation
void
nsTextFragment::SetBidiFlag()
{
if (mState.mIs2b && !mState.mIsBidi) {
const PRUnichar* cp = m2b;
const PRUnichar* end = cp + mState.mLength;
while (cp < end) {
=> PRUnichar ch = *cp++;
if (CHAR_IS_BIDI(ch) ) {
mState.mIsBidi = PR_TRUE;
break;
}
}
}
}
nsGenericDOMDataNode::SetBidiStatus(void)+0x46
[r:\mozilla\content\base\src\nsgenericdomdatanode.cpp:1253 ip=0x04408988]
nsGenericDOMDataNode::SetText(nsAString const&,int)+0x176
[r:\mozilla\content\base\src\nsgenericdomdatanode.cpp:1143 ip=0x0440a9a3]
nsGenericDOMDataNode::AppendData(nsAString const&)+0x250
[r:\mozilla\content\base\src\nsgenericdomdatanode.cpp:415 ip=0x044092b2]
Allocation location
HeapAlloc+0xc [C:\WINDOWS\System32\KERNEL32.dll ip=0x67e633c8]
heap_alloc+0x4a [f:\vs70builds\9466\vc\crtbld\crt\src\malloc.c:211 ip=0x7c0010d3]
nh_malloc+0x10 [C:\WINDOWS\System32\MSVCR70.dll:106 ip=0x7c00107b]
nsMemoryImpl::Alloc(UINT)+0x34
[r:\mozilla\xpcom\base\nsmemoryimpl.cpp:325 ip=0x0177243a]
nsMemory::Alloc(UINT)+0xbb [r:\mozilla\xpcom\glue\nsmemory.cpp:87 ip=0x017a9d82]
ToNewUnicode(nsAString const&)+0x5b
[r:\mozilla\xpcom\string\src\nsreadableutils.cpp:369 ip=0x0179e049]
nsTextFragment::=(nsAString const&)+0x155
[r:\mozilla\content\shared\src\nstextfragment.cpp:150 ip=0x04577f46]
if (length > 0) {
PRBool in_heap = PR_TRUE;
if (IsASCII(aString)) {
if (length == 1 && aString.First() == '\n') {
m1b = &sNewLineCharacter;
in_heap = PR_FALSE;
} else {
m1b = (unsigned char *)ToNewCString(aString);
}
mState.mIs2b = PR_FALSE;
} else {
=> m2b = ToNewUnicode(aString);
mState.mIs2b = PR_TRUE;
}
mState.mInHeap = in_heap;
mState.mLength = length;
}
return *this;
}
void
nsTextFragment::SetTo(PRUnichar *aBuffer, PRInt32 aLength,
PRBool aRelease)
{
ReleaseText();
nsGenericDOMDataNode::SetText(nsAString const&,int)+0x163
[r:\mozilla\content\base\src\nsgenericdomdatanode.cpp:1141 ip=0x0440a990]
nsGenericDOMDataNode::AppendData(nsAString const&)+0x250
[r:\mozilla\content\base\src\nsgenericdomdatanode.cpp:415 ip=0x044092b2]
hit 15 times while running international browser buster
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P5
Updated•15 years ago
Assignee: general → nobody
QA Contact: ian → general
Updated•6 years ago
Component: DOM → DOM: Core & HTML
Comment 1•4 years ago
I cannot find this code through searchfox.
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → INVALID