Closed Bug 950246 Opened 6 years ago Closed 6 years ago

nsDOMWindowUtils::StopFrameTimeRecording() alloc uses sizeof(float*) instead of sizeof(float)

Categories

(Core :: DOM: Core & HTML, defect)

x86_64
All
defect
Not set

Tracking

()

RESOLVED FIXED
mozilla29

People

(Reporter: dveditz, Assigned: lpy)

References

(Blocks 1 open bug)

Details

(Keywords: coverity, Whiteboard: [CID 1136628][mentor=jdm][lang=c++][qa-])

Attachments

(1 file)

StopFrameTimeRecording allocates the wrong amount of space, using sizeof(float*) instead of sizeof(float). On 64-bit systems this gives us too big a buffer which is at least the safe direction.

   nsTArray<float> tmpFrameIntervals;
   [...]
-> *frameIntervals = (float*)nsMemory::Alloc(*frameCount * sizeof(float*));
   [...]
   for (uint32_t i = 0; i < *frameCount; i++) {
     (*frameIntervals)[i] = tmpFrameIntervals[i];
   }

Not sure why Coverity just picked that up this scan, it's apparently been like that since bug 826383
http://mxr.mozilla.org/mozilla-central/source/dom/base/nsDOMWindowUtils.cpp
Whiteboard: [CID 1136628] → [CID 1136628][mentor=jdm][lang=c++]
Attached patch bug950246.patchSplinter Review
I was wondering why this is not a good first bug?
Assignee: nobody → pylaurent1314
Attachment #8361763 - Flags: review?(josh)
Comment on attachment 8361763 [details] [diff] [review]
bug950246.patch

Redirecting the review to a DOM peer.
Attachment #8361763 - Flags: review?(josh) → review?(khuey)
I just forgot to add the the tag.
Thank you :)
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/d97fcd278cd2
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla29
Whiteboard: [CID 1136628][mentor=jdm][lang=c++] → [CID 1136628][mentor=jdm][lang=c++][qa-]
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.