Closed
Bug 620973
Opened 14 years ago
Closed 4 years ago
ReflowInput::InitConstraints uses fType uninitialized if !cbrs->parentReflowState && eCompatibility_NavQuirks
Categories: Core :: Layout, defect
Status: RESOLVED DUPLICATE of bug 458473
People: Reporter: timeless, Unassigned
References: Blocks 1 open bug
Details: Keywords: coverity, Whiteboard: [CID 749724]
Attachments (1 file): patch, 821 bytes, dbaron: review-
1646 nsHTMLReflowState::InitConstraints(nsPresContext* aPresContext,
1647                                    nscoord aContainingBlockWidth,
1648                                    nscoord aContainingBlockHeight,
1649                                    const nsMargin* aBorder,
1650                                    const nsMargin* aPadding)
1651 {
1658   if (nsnull == parentReflowState) {
1679   } else {
1681     const nsHTMLReflowState* cbrs = mCBReflowState;
true:
1686     if (aContainingBlockWidth == -1) {
1687       ComputeContainingBlockRectangle(aPresContext, cbrs, aContainingBlockWidth,
1688                                       aContainingBlockHeight);
1689     }
not initialized:
1693     nsIAtom* fType;
true:
1694     if (NS_AUTOHEIGHT == aContainingBlockHeight) {
false, skip:
1698       if (cbrs->parentReflowState) {
1704       }
1705     }
true:
1716     if (height.HasPercent()) {
true:
1717       if (NS_AUTOHEIGHT == aContainingBlockHeight) {
true:
1721         if (NS_FRAME_REPLACED(NS_CSS_FRAME_TYPE_INLINE) == mFrameType ||
1722             NS_FRAME_REPLACED_CONTAINS_BLOCK(
1723               NS_CSS_FRAME_TYPE_INLINE) == mFrameType) {
true:
1727           if (eCompatibility_NavQuirks == aPresContext->CompatibilityMode()) {
using fType uninitialized:
1728             if (!IS_TABLE_CELL(fType)) {
Assignee: nobody → timeless
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Attachment #499412 - Flags: review?(dbaron)
Attachment #499412 - Flags: approval2.0?
Comment on attachment 499412 (proposal):
If we need fType, having it incorrect doesn't do much good. Is it actually possible to reflow a table cell without a parent reflow state?
Attachment #499412 - Flags: review?(dbaron) → review-
Attachment #499412 - Flags: approval2.0?
Assignee: timeless → nobody
Component: Layout → Layout: HTML Frames
QA Contact: layout → layout.html-frames
The code expects in multiple places that the cell is wrapped in a row frame.
Component: Layout: HTML Frames → Layout
QA Contact: layout.html-frames → layout
Comment 4•14 years ago
> Is it actually possible to reflow a table cell without a parent reflow state?
No.
Comment 5•14 years ago
IS_TABLE_CELL() just does pointer comparisons. This is a bug, but doesn't seem exploitable in any way.
Group: core-security
Comment 6•10 years ago
Should we just add fType = cbrs->frame->GetType(); before calling IS_TABLE_CELL?
Whiteboard: [CID 749724]
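A constructed C model of the two code shapes, added here and not Gecko code: Atom, Frame and ReflowState are stand-ins, the assumption that fType is assigned inside the cbrs->parentReflowState block comes from the trace in the description, and the fixed variant follows comment 6 by reading cbrs->frame's type before IS_TABLE_CELL. The 'defined' flag is instrumentation for what Coverity flagged; the real code has undefined behaviour at that point.

```c
#include <stdbool.h>
#include <stddef.h>
/* Constructed stand-ins, not Gecko types. Frame types are interned atoms, so
 * IS_TABLE_CELL is a pure pointer comparison (comment 5). */
typedef struct { const char *name; } Atom;
static const Atom kTableCellAtom = { "tableCellFrame" };
static const Atom kBlockAtom = { "blockFrame" };
#define IS_TABLE_CELL(t) ((t) == &kTableCellAtom)
typedef struct Frame { const Atom *type; } Frame;
typedef struct ReflowState {
    const struct ReflowState *parentReflowState; /* NULL for the outermost state */
    const Frame *frame;
} ReflowState;
enum Outcome { NOT_CELL = 0, CELL = 1, READ_UNINITIALIZED = 2 };
/* Shape of the reported code: fType can only be assigned inside the
 * cbrs->parentReflowState block (line 1698), yet the quirks-mode branch at
 * 1727-1728 reads it on every path. 'defined' is instrumentation standing in
 * for the uninitialized read; the real code has undefined behaviour there. */
static enum Outcome classify_buggy(const ReflowState *cbrs, bool navQuirks)
{
    const Atom *fType = NULL; /* the original leaves this unset */
    bool defined = false;
    if (cbrs->parentReflowState) { /* assumed: the assignment lives here */
        fType = cbrs->frame->type;
        defined = true;
    }
    if (!navQuirks) return NOT_CELL;
    if (!defined) return READ_UNINITIALIZED;
    return IS_TABLE_CELL(fType) ? CELL : NOT_CELL;
}

/* Fix in the spirit of comment 6: read the containing block's frame type
 * before IS_TABLE_CELL, so every path sees a defined value. */
static enum Outcome classify_fixed(const ReflowState *cbrs, bool navQuirks)
{
    const Atom *fType = cbrs->frame->type;
    return (navQuirks && IS_TABLE_CELL(fType)) ? CELL : NOT_CELL;
}

/* Constructed scenarios: root vs. nested containing block, cell vs. block frame. */
static enum Outcome scenario(bool hasParent, bool isCell, bool navQuirks, bool useFix)
{
    static const Frame cell = { &kTableCellAtom }, block = { &kBlockAtom };
    static const ReflowState rootCell = { NULL, &cell }, rootBlock = { NULL, &block };
    static const ReflowState subCell = { &rootCell, &cell }, subBlock = { &rootCell, &block };
    const ReflowState *cbrs = hasParent ? (isCell ? &subCell : &subBlock)
                                        : (isCell ? &rootCell : &rootBlock);
    return useFix ? classify_fixed(cbrs, navQuirks) : classify_buggy(cbrs, navQuirks);
}
```

Only the root-level containing block in quirks mode reaches the read; with a parent reflow state both variants agree, which matches comment 4's answer that the cell path always has one.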
Updated•6 years ago
Blocks: coverity-analysis
Comment 8•6 years ago
No assignee, updating the status.
The nsHTMLReflowState file does not seem to be here anymore; should this bug be closed?
It's been renamed.
Summary: nsHTMLReflowState::InitConstraints uses fType uninitialized if !cbrs->parentReflowState && eCompatibility_NavQuirks → ReflowInput::InitConstraints uses fType uninitialized if !cbrs->parentReflowState && eCompatibility_NavQuirks
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → DUPLICATE