Open Bug 243941 Opened 21 years ago Updated 3 years ago

[W] UMR: Uninitialized memory read in nsContentUtils::TrimCharsInSet(char const*,nsAString const&) {1 occurrence}

Categories

(Core :: DOM: Core & HTML, defect, P5)

x86
Windows XP
defect

Tracking

()

People

(Reporter: timeless, Unassigned)

Details

[W] UMR: Uninitialized memory read in nsContentUtils::TrimCharsInSet(char const*,nsAString const&) {1 occurrence}
    Reading 1 byte from 0x116aeaaf (1 byte at 0x116aeaaf uninitialized)
    Address 0x116aeaaf is 1895 bytes into a 4871 byte block at 0x116ae348
    Address 0x116aeaaf points to a HeapAlloc'd block in heap 0x00d80000
    Thread ID: 0xa08
    Error location
        nsContentUtils::TrimCharsInSet(char const*,nsAString const&)+0xff [r:\mozilla\content\base\src\nscontentutils.cpp:1230 ip=0x043bd433]
              aValue.BeginReading(valueCurrent);
              aValue.EndReading(valueEnd);
              // Skip charaters in the beginning
              while (valueCurrent != valueEnd) {
                if (!IsCharInSet(aSet, *valueCurrent)) {
                  break;
                }
                ++valueCurrent;
              }
              if (valueCurrent != valueEnd) {
                for (;;) {
                  --valueEnd;
         =>       if (!IsCharInSet(aSet, *valueEnd)) {
                    break;
                  }
                }
                ++valueEnd; // Step beyond the last character we want in the value.
              }
              // valueEnd should point to the char after the last to copy
              return Substring(valueCurrent, valueEnd);
            }
            /**
             * This method strips leading and trailing whitespace from a string.
             */
        HTMLContentSink::AddAttributes(nsIParserNode const&,nsIHTMLContent *,int,int)+0x29e [r:\mozilla\content\html\document\src\nshtmlcontentsink.cpp:833 ip=0x04473288]
                // Get lower-cased key
                const nsAString& key = aNode.GetKeyAt(i);
                k.Assign(key);
                ToLowerCase(k);
                nsCOMPtr<nsIAtom> keyAtom = do_GetAtom(k);
                if (aCheckIfPresent && aContent->HasAttr(kNameSpaceID_None, keyAtom)) {
                  continue;
                }
                // Get value and remove mandatory quotes
                static const char* kWhitespace = "\n\r\t\b";
                const nsAString& v =
         =>       nsContentUtils::TrimCharsInSet(kWhitespace, aNode.GetValueAt(i));
                if (nodeType == eHTMLTag_a && keyAtom == nsHTMLAtoms::name) {
                  NS_ConvertUCS2toUTF8 cname(v);
                  NS_ConvertUTF8toUCS2 uv(nsUnescape(cname.BeginWriting()));
                  // Add attribute to content
                  aContent->SetAttr(kNameSpaceID_None, keyAtom, uv, aNotify);
                } else {
                  // Add attribute to content
                  aContent->SetAttr(kNameSpaceID_None, keyAtom, v, aNotify);
                }
              }
              return NS_OK;
    Allocation location
        HeapAlloc+0xc [C:\WINDOWS\System32\KERNEL32.dll ip=0x67e633c8]
        heap_alloc+0x4a [f:\vs70builds\9466\vc\crtbld\crt\src\malloc.c:211 ip=0x7c0010d3]
        nh_malloc+0x10 [C:\WINDOWS\System32\MSVCR70.dll:106 ip=0x7c00107b]
        PL_ArenaAllocate+0x202 [r:\mozilla\nsprpub\lib\ds\plarena.c:241 ip=0x018315a2]
        nsFixedSizeAllocator::AddBucket(UINT)+0x79 [r:\mozilla\xpcom\ds\nsfixedsizeallocator.cpp:52 ip=0x01710f3b]
        nsFixedSizeAllocator::Init(char const*,UINT const*,int,int,int)+0x108 [r:\mozilla\xpcom\ds\nsfixedsizeallocator.cpp:85 ip=0x017110d0]
        nsTokenAllocator::nsTokenAllocator(void)+0x3a [r:\mozilla\parser\htmlparser\src\nsdtdutils.cpp:1266 ip=0x05191fd0]
        nsParserConstructor+0x2d [r:\mozilla\parser\htmlparser\src\nsparsermodule.cpp:71 ip=0x051a390a]
        nsGenericFactory::CreateInstance(nsISupports *,nsID const&,void * *)+0x46 [r:\mozilla\xpcom\glue\nsgenericfactory.cpp:82 ip=0x017a6712]
        nsComponentManagerImpl::CreateInstance(nsID const&,nsISupports *,nsID const&,void * *)+0x106 [r:\mozilla\xpcom\components\nscomponentmanager.cpp:1886 ip=0x01752703]
        nsCreateInstanceByCID::()(nsID const&,void * *)const+0xe2 [r:\mozilla\xpcom\glue\nscomponentmanagerutils.cpp:55 ip=0x017a8d9e]
        nsCOMPtr_base::assign_from_helper(nsCOMPtr_helper const&,nsID const&)+0x45 [r:\mozilla\xpcom\glue\nscomptr.cpp:114 ip=0x017a87b0]
        nsCOMPtr<nsIParser>::=(nsCOMPtr_helper const&)+0x2a [r:\mozilla\pure-i586-pc-msvc\dist\include\xpcom\nscomptr.h:642 ip=0x0445eb34]
        nsHTMLDocument::StartDocumentLoad(char const*,nsIChannel *,nsILoadGroup *,nsISupports *,nsIStreamListener * *,int,nsIContentSink *)+0x459 [r:\mozilla\content\html\document\src\nshtmldocument.cpp:742 ip=0x04468fee]
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P5
Assignee: general → nobody
QA Contact: ian → general
Component: DOM → DOM: Core & HTML
Severity: minor → S4