[W] UMR: Uninitialized memory read in nsTextFragment::SetBidiFlag(void) {4 occurrences}

NEW
Unassigned

Status

()

P5
minor
15 years ago
9 years ago

People

(Reporter: timeless, Unassigned)

Tracking

Trunk
x86
Windows XP

Details

(Reporter)

Description

15 years ago
[W] UMR: Uninitialized memory read in nsTextFragment::SetBidiFlag(void) {4 
occurrences}
    Reading 1 byte from 0x089c3669 (1 byte at 0x089c3669 uninitialized)
    Address 0x089c3669 is 9 bytes into a 42 byte block at 0x089c3660
    Address 0x089c3669 points to a HeapAlloc'd block in heap 0x00d80000
    Thread ID: 0xa08
    Error location
    nsTextFragment::SetBidiFlag(void)+0x5a 
[r:\mozilla\content\shared\src\nstextfragment.cpp:353 ip=0x045785c6]
          memcpy(aDest, m1b + aOffset, sizeof(char) * aCount);
        }
      }
    }
    
    // To save time we only do this when we really want to know, not during
    // every allocation
    void
    nsTextFragment::SetBidiFlag()
    {
      if (mState.mIs2b && !mState.mIsBidi) {
        const PRUnichar* cp = m2b;
        const PRUnichar* end = cp + mState.mLength;
        while (cp < end) {
             =>       PRUnichar ch = *cp++;
                      if (CHAR_IS_BIDI(ch) ) {
                        mState.mIsBidi = PR_TRUE;
                        break;
                      }
                    }
                  }
                }
            nsGenericDOMDataNode::SetBidiStatus(void)+0x46 
[r:\mozilla\content\base\src\nsgenericdomdatanode.cpp:1253 ip=0x04408988]
            nsGenericDOMDataNode::SetText(nsAString const&,int)+0x176 
[r:\mozilla\content\base\src\nsgenericdomdatanode.cpp:1143 ip=0x0440a9a3]
            nsGenericDOMDataNode::AppendData(nsAString const&)+0x250 
[r:\mozilla\content\base\src\nsgenericdomdatanode.cpp:415 ip=0x044092b2]
        Allocation location
            HeapAlloc+0xc        [C:\WINDOWS\System32\KERNEL32.dll 
ip=0x67e633c8]
            heap_alloc+0x4a      [f:\vs70builds\9466
\vc\crtbld\crt\src\malloc.c:211 ip=0x7c0010d3]
            nh_malloc+0x10       [C:\WINDOWS\System32\MSVCR70.dll:106 
ip=0x7c00107b]
            nsMemoryImpl::Alloc(UINT)+0x34 
[r:\mozilla\xpcom\base\nsmemoryimpl.cpp:325 ip=0x0177243a]
            nsMemory::Alloc(UINT)+0xbb [r:\mozilla\xpcom\glue\nsmemory.cpp:87 
ip=0x017a9d82]
            ToNewUnicode(nsAString const&)+0x5b 
[r:\mozilla\xpcom\string\src\nsreadableutils.cpp:369 ip=0x0179e049]
            nsTextFragment::=(nsAString const&)+0x155 
[r:\mozilla\content\shared\src\nstextfragment.cpp:150 ip=0x04577f46]
                  if (length > 0) {
                    PRBool in_heap = PR_TRUE;
                
                    if (IsASCII(aString)) {
                      if (length == 1 && aString.First() == '\n') {
                        m1b = &sNewLineCharacter;
                
                        in_heap = PR_FALSE;
                      } else {
                        m1b = (unsigned char *)ToNewCString(aString);
                      }
                
                      mState.mIs2b = PR_FALSE;
                    } else {
             =>       m2b = ToNewUnicode(aString);
                      mState.mIs2b = PR_TRUE;
                    }
                
                    mState.mInHeap = in_heap;
                    mState.mLength = length;
                  }
                
                  return *this;
                }
                
                void
                nsTextFragment::SetTo(PRUnichar *aBuffer, PRInt32 aLength, 
PRBool aRelease)
                {
                  ReleaseText();
            nsGenericDOMDataNode::SetText(nsAString const&,int)+0x163 
[r:\mozilla\content\base\src\nsgenericdomdatanode.cpp:1141 ip=0x0440a990]
            nsGenericDOMDataNode::AppendData(nsAString const&)+0x250 
[r:\mozilla\content\base\src\nsgenericdomdatanode.cpp:415 ip=0x044092b2]

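This was hit 15 times while running the international browser buster. In the report above, the uninitialized byte read in nsTextFragment::SetBidiFlag lies inside the heap block that ToNewUnicode allocated from the nsTextFragment assignment operator.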
(Reporter)

Updated

13 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P5
Assignee: general → nobody
QA Contact: ian → general