Bug 726582 - Prevent nsSMILCSSProperty::ValueFromString from reading uninitialized out-param aPreventCachingOfSandwich. r=dholbert.
authorJonathan Watt <jwatt@jwatt.org>
Mon, 13 Feb 2012 18:24:51 +0000
changeset 86734 a7f0285cde9a63c1d5e323f38ee93ad78cc037fc
parent 86733 ffcf24db0f74b196dea03005e96a41591e578253
child 86735 f29587aa8965b19c0c6784c9d9eb41434fa50640
push idunknown
push userunknown
push dateunknown
reviewersdholbert
bugs726582
milestone13.0a1
Bug 726582 - Prevent nsSMILCSSProperty::ValueFromString from reading uninitialized out-param aPreventCachingOfSandwich. r=dholbert.
content/smil/nsSMILAnimationFunction.cpp
content/smil/nsSMILCSSProperty.cpp
content/smil/nsSMILParserUtils.cpp
--- a/content/smil/nsSMILAnimationFunction.cpp
+++ b/content/smil/nsSMILAnimationFunction.cpp
@@ -750,17 +750,17 @@ nsSMILAnimationFunction::GetAttr(nsIAtom
 bool
 nsSMILAnimationFunction::ParseAttr(nsIAtom* aAttName,
                                    const nsISMILAttr& aSMILAttr,
                                    nsSMILValue& aResult,
                                    bool& aPreventCachingOfSandwich) const
 {
   nsAutoString attValue;
   if (GetAttr(aAttName, attValue)) {
-    bool preventCachingOfSandwich;
+    bool preventCachingOfSandwich = false;
     nsresult rv = aSMILAttr.ValueFromString(attValue, mAnimationElement,
                                             aResult, preventCachingOfSandwich);
     if (NS_FAILED(rv))
       return false;
 
     if (preventCachingOfSandwich) {
       aPreventCachingOfSandwich = true;
     }
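Review bot: The new `= false` on `preventCachingOfSandwich` has no comment saying why it is required, and the same bare initialiser is added in the GetValues hunk and to `tmpPreventCachingOfSandwich` in `Parse` in nsSMILParserUtils.cpp. nsSMILCSSProperty::ValueFromString tests `!aPreventCachingOfSandwich` before assigning it, so the parameter behaves as in/out. An indeterminate bool there is undefined behaviour and can make the caching decision depend on stack contents. I would add a comment at each of the three sites, such as `// Must start false: ValueFromString implementations may read this flag before writing it.`, and state the same contract on the nsISMILAttr::ValueFromString declaration, which is outside this diff. ParseAttr's body continues past the end of the hunk.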
@@ -791,17 +791,17 @@ nsSMILAnimationFunction::GetValues(const
 
   mValueNeedsReparsingEverySample = false;
   nsSMILValueArray result;
 
   // If "values" is set, use it
   if (HasAttr(nsGkAtoms::values)) {
     nsAutoString attValue;
     GetAttr(nsGkAtoms::values, attValue);
-    bool preventCachingOfSandwich;
+    bool preventCachingOfSandwich = false;
     nsresult rv = nsSMILParserUtils::ParseValues(attValue, mAnimationElement,
                                                  aSMILAttr, result,
                                                  preventCachingOfSandwich);
     if (NS_FAILED(rv))
       return rv;
 
     if (preventCachingOfSandwich) {
       mValueNeedsReparsingEverySample = true;
--- a/content/smil/nsSMILCSSProperty.cpp
+++ b/content/smil/nsSMILCSSProperty.cpp
@@ -164,24 +164,27 @@ nsSMILCSSProperty::ValueFromString(const
                                    nsSMILValue& aValue,
                                    bool& aPreventCachingOfSandwich) const
 {
   NS_ENSURE_TRUE(IsPropertyAnimatable(mPropID), NS_ERROR_FAILURE);
 
   nsSMILCSSValueType::ValueFromString(mPropID, mElement, aStr, aValue,
       &aPreventCachingOfSandwich);
 
+  if (aValue.IsNull()) {
+    return NS_ERROR_FAILURE;
+  }
+
   // XXX Due to bug 536660 (or at least that seems to be the most likely
   // culprit), when we have animation setting display:none on a <use> element,
   // if we DON'T set the property every sample, chaos ensues.
   if (!aPreventCachingOfSandwich && mPropID == eCSSProperty_display) {
     aPreventCachingOfSandwich = true;
   }
-
-  return aValue.IsNull() ? NS_ERROR_FAILURE : NS_OK;
+  return NS_OK;
 }
 
 nsresult
 nsSMILCSSProperty::SetAnimValue(const nsSMILValue& aValue)
 {
   NS_ENSURE_TRUE(IsPropertyAnimatable(mPropID), NS_ERROR_FAILURE);
 
   // Convert nsSMILValue to string
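Review bot: The display check still reads the out-param, because `if (!aPreventCachingOfSandwich && mPropID == eCSSProperty_display)` is only well-defined if nsSMILCSSValueType::ValueFromString wrote the flag or the caller initialised it. Whether the callee writes it on every successful path is not visible here. The body only ever sets the flag to true, so the test on it is redundant: `if (mPropID == eCSSProperty_display) {` gives the same result without reading the parameter, and keeps this method safe for a caller that forgets to initialise it. The new early return would also benefit from a comment such as `// Failure: aPreventCachingOfSandwich may not have been written, so it must not be read below.`. The start of ValueFromString's signature is outside the hunk.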
--- a/content/smil/nsSMILParserUtils.cpp
+++ b/content/smil/nsSMILParserUtils.cpp
@@ -559,17 +559,17 @@ public:
     mSrcElement(aSrcElement),
     mSMILAttr(aSMILAttr),
     mValuesArray(aValuesArray),
     mPreventCachingOfSandwich(aPreventCachingOfSandwich)
   {}
 
   virtual nsresult Parse(const nsAString& aValueStr) {
     nsSMILValue newValue;
-    bool tmpPreventCachingOfSandwich;
+    bool tmpPreventCachingOfSandwich = false;
     nsresult rv = mSMILAttr->ValueFromString(aValueStr, mSrcElement, newValue,
                                              tmpPreventCachingOfSandwich);
     if (NS_FAILED(rv))
       return rv;
 
     if (!mValuesArray->AppendElement(newValue)) {
       return NS_ERROR_OUT_OF_MEMORY;
     }