Closed Bug 620973 Opened 14 years ago Closed 5 years ago

ReflowInput::InitConstraints uses fType uninitialized if !cbrs->parentReflowState && eCompatibility_NavQuirks

Categories

(Core :: Layout, defect)

RESOLVED DUPLICATE of bug 458473

People

(Reporter: timeless, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: coverity, Whiteboard: [CID 749724])

Attachments

(1 file)

1646 nsHTMLReflowState::InitConstraints(nsPresContext* aPresContext,
1647                                    nscoord aContainingBlockWidth,
1648                                    nscoord aContainingBlockHeight,
1649                                    const nsMargin* aBorder,
1650                                    const nsMargin* aPadding)
1651 {
1658   if (nsnull == parentReflowState) {
1679   } else {
1681     const nsHTMLReflowState* cbrs = mCBReflowState;
true:
1686     if (aContainingBlockWidth == -1) {
1687       ComputeContainingBlockRectangle(aPresContext, cbrs, aContainingBlockWidth,
1688                                       aContainingBlockHeight);
1689     }
not initialized:
1693     nsIAtom* fType;
true:
1694     if (NS_AUTOHEIGHT == aContainingBlockHeight) {
false, skip:
1698       if (cbrs->parentReflowState) {
1704       }
1705     }
true:
1716     if (height.HasPercent()) {
true:
1717       if (NS_AUTOHEIGHT == aContainingBlockHeight) {
true:
1721         if (NS_FRAME_REPLACED(NS_CSS_FRAME_TYPE_INLINE) == mFrameType ||
1722             NS_FRAME_REPLACED_CONTAINS_BLOCK(
1723               NS_CSS_FRAME_TYPE_INLINE) == mFrameType) {
true:
1727           if (eCompatibility_NavQuirks == aPresContext->CompatibilityMode()) {
using fType uninitialized:
1728             if (!IS_TABLE_CELL(fType)) {
Attached patch: proposal
Assignee: nobody → timeless
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Attachment #499412 - Flags: review?(dbaron)
Attachment #499412 - Flags: approval2.0?
Comment on attachment 499412 [details] [diff] [review] (proposal)

If we need fType, having it incorrect doesn't do much good. Is it actually possible to reflow a table cell without a parent reflow state?
Attachment #499412 - Flags: review?(dbaron)
Attachment #499412 - Flags: review-
Attachment #499412 - Flags: approval2.0?
Assignee: timeless → nobody
Component: Layout → Layout: HTML Frames
QA Contact: layout → layout.html-frames
The code expects, at multiple places, that the cell is wrapped in a row frame.
Component: Layout: HTML Frames → Layout
QA Contact: layout.html-frames → layout
> Is it actually possible to reflow a table cell without a parent reflow state?

No.
IS_TABLE_CELL() just does pointer comparisons. This is a bug, but doesn't seem exploitable in any way.
Group: core-security
Should we just add fType = cbrs->frame->GetType(); before calling IS_TABLE_CELL?
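A reduced C++ model of the path traced in comment 0 and of the one-line initialization proposed just above. This is added illustration, not Mozilla's code; FrameType, Frame, ReflowState and the condition names are invented stand-ins for the real frame-type atoms, nsIFrame and nsHTMLReflowState.

```cpp
// Added example, not Mozilla code: a reduced model of the InitConstraints control
// flow traced in this bug. FrameType, Frame and ReflowState are invented stand-ins
// for nsIAtom frame types, nsIFrame and nsHTMLReflowState.
enum FrameType { kBlockFrame, kInlineFrame, kTableCellFrame };

struct Frame {
  FrameType type;
  FrameType GetType() const { return type; }
};

struct ReflowState {
  const ReflowState* parentReflowState;  // null when the containing block has no parent state
  const Frame* frame;
};

// Conditions of the trace, in order: line 1694 (containing block height is auto),
// 1698 (cbrs has a parent reflow state), 1716 (height is a percentage),
// 1721 (replaced inline frame type) and 1727 (NavQuirks compatibility mode).
struct ReflowConditions {
  bool cbHeightIsAuto, cbHasParent, heightIsPercent, replacedInline, navQuirks;
};

// Pure control-flow check over the original code's shape: true when execution
// reaches IS_TABLE_CELL(fType) at line 1728 without fType ever being assigned.
// No indeterminate value is read here; only the reachability is computed.
bool ReachesUninitializedRead(const ReflowConditions& c) {
  bool fTypeAssigned = false;
  if (c.cbHeightIsAuto && c.cbHasParent) {
    fTypeAssigned = true;  // the only assignment, inside the 1698 block
  }
  bool reachesRead = c.heightIsPercent && c.cbHeightIsAuto &&
                     c.replacedInline && c.navQuirks;  // 1716, 1717, 1721, 1727
  return reachesRead && !fTypeAssigned;
}

// The fix proposed in the comment above, modelled: derive fType from the
// containing block's frame right before the IS_TABLE_CELL test, so the value
// is defined on every path regardless of parentReflowState. Returns the result
// of the IS_TABLE_CELL test, or false when line 1728 is not reached at all.
bool FixedIsTableCell(const ReflowState& cbrs, const ReflowConditions& c) {
  if (!(c.heightIsPercent && c.cbHeightIsAuto && c.replacedInline && c.navQuirks)) {
    return false;  // the 1728 test is never evaluated on this path
  }
  FrameType fType = cbrs.frame->GetType();  // fType = cbrs->frame->GetType();
  return fType == kTableCellFrame;          // IS_TABLE_CELL(fType)
}
```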
Whiteboard: [CID 749724]
No assignee, updating the status.
Status: ASSIGNED → NEW
No assignee, updating the status.

nsHTMLReflowState file does not seem to be here anymore, should this bug be closed?

It's been renamed.

Summary: nsHTMLReflowState::InitConstraints uses fType unintialized if !cbrs->parentReflowState && eCompatibility_NavQuirks → ReflowInput::InitConstraints uses fType unintialized if !cbrs->parentReflowState && eCompatibility_NavQuirks
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE