Bug 673808 - _CACHE_MAP_ is storing nsDiskCacheRecord structs with uninitialized data containing bits of Fx memory
authorMichal Novotny <michal.novotny@gmail.com>
Tue, 26 Jul 2011 13:09:42 +0200
changeset 73497 dd7d71277a15b7f485c42499a1699d0ca41a5e78
parent 73496 6fd3e4c0082dd2e8eff2efa5a935ba3d1ccd9b99
child 73498 3a78019c34e596348c52472a00bd17c68236c34f
child 76083 fbeb8b5a8a98eb50b462931668822a3ebd605880
push idunknown
push userunknown
push dateunknown
bugs673808
milestone8.0a1
Bug 673808 - _CACHE_MAP_ is storing nsDiskCacheRecord structs with uninitialized data containing bits of Fx memory
netwerk/cache/nsDiskCacheMap.cpp
--- a/netwerk/cache/nsDiskCacheMap.cpp
+++ b/netwerk/cache/nsDiskCacheMap.cpp
@@ -306,30 +306,31 @@ nsDiskCacheMap::GrowRecords()
     PRInt32 newCount = mHeader.mRecordCount << 1;
     if (newCount > mMaxRecordCount)
         newCount = mMaxRecordCount;
     nsDiskCacheRecord *newArray = (nsDiskCacheRecord *)
             PR_REALLOC(mRecordArray, newCount * sizeof(nsDiskCacheRecord));
     if (!newArray)
         return NS_ERROR_OUT_OF_MEMORY;
 
+    // clear the new uninitialized memory
+    memset(newArray + mHeader.mRecordCount, 0,
+           (newCount - mHeader.mRecordCount) * sizeof(nsDiskCacheRecord));
+
     // Space out the buckets
     PRUint32 oldRecordsPerBucket = GetRecordsPerBucket();
     PRUint32 newRecordsPerBucket = newCount / kBuckets;
     // Work from back to space out each bucket to the new array
     for (int bucketIndex = kBuckets - 1; bucketIndex >= 0; --bucketIndex) {
         // Move bucket
         nsDiskCacheRecord *newRecords = newArray + bucketIndex * newRecordsPerBucket;
         const PRUint32 count = mHeader.mBucketUsage[bucketIndex];
         memmove(newRecords,
                 newArray + bucketIndex * oldRecordsPerBucket,
                 count * sizeof(nsDiskCacheRecord));
-        // Clear the new empty entries
-        for (PRUint32 i = count; i < newRecordsPerBucket; ++i)
-            newRecords[i].SetHashNumber(0);
     }
 
     // Set as the new record array
     mRecordArray = newArray;
     mHeader.mRecordCount = newCount;
     return NS_OK;
 }
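Review bot: Removing the per-bucket `SetHashNumber(0)` loop leaves stale record copies in the unused slots of the lower buckets. `memmove` does not clear its source, so the old positions of higher buckets, which now fall inside the new ranges of lower buckets, keep full records with non-zero hash numbers, and the new up-front `memset` only covers the tail added by `PR_REALLOC`. If any reader treats hash number 0 as "empty" (not visible in this hunk), those slots now look occupied, and the leftover records would presumably still be written out with the map. I would zero each bucket's unused tail inside the loop, right after the `memmove`: `memset(newRecords + count, 0, (newRecordsPerBucket - count) * sizeof(nsDiskCacheRecord));`. Working from the last bucket down, that write never reaches a bucket that has not been moved yet. The beginning of GrowRecords() is outside the hunk.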