Changeset 90901 in webkit


Ignore:
Timestamp:
Jul 13, 2011, 4:33:53 AM (14 years ago)
Author:
Nikolas Zimmermann
Message:

2011-07-13 Nikolas Zimmermann <nzimmermann@rim.com>

Regression: OOB read in svg text run
https://bugs.webkit.org/show_bug.cgi?id=63627

Reviewed by Zoltan Herczeg.

A TextRun is constructed for a portion of a string [a,b] whose original length is c (0 < a < b < c).
The TextRun charactersLength variable stores the length of the remaining text from (b..c) in order
to support ligatures in SVG Fonts. Example: <text>ffl</text>. When measuring the advance from char 0
to char 1 the whole 'ffl' text must be passed to the SVG glyph selection code, as the SVG Font may
define a single glyph for the characters 'ffl' thus leading to a single character long text
pointing to the ffl ligature, not three individual 'f' / 'f' / 'l' characters anymore.

constructTextRun(..const UChar*, int length, ..) did not correctly calculate the maximum length (b..c).
The passed in UChar buffer starts at eg. textRenderer->characters() + start(), and following condition
holds true for 'length': start() + length <= textRenderer->textLength() (which denotes the maximum length
of the textRenderer->characters() buffer). We have to keep track of the start() offset, so that we
can calculate the charactersLength for the TextRun correctly: textRenderer->textLength() - start().

There are also other cases like RenderCombinedText and/or the presence of hyphens that were incorrectly
tracked. Only InlineTextBox had to be fixed, the other callsites in eg. RenderBlockLineLayout already
computed the maximum length correctly - I assured this by valgrind runs on all SVG Font tests.

  • rendering/InlineTextBox.cpp: (WebCore::InlineTextBox::paint): (WebCore::InlineTextBox::paintSelection): (WebCore::InlineTextBox::constructTextRun): Add maximumLength parameter to constructTextRun.
  • rendering/InlineTextBox.h: Ditto.
Location:
trunk/Source/WebCore
Files:
3 edited

Legend:

Unmodified
Added
Removed

  • trunk/Source/WebCore/ChangeLog

    r90900 r90901  
     12011-07-13  Nikolas Zimmermann  <nzimmermann@rim.com>
     2
     3        Regression: OOB read in svg text run
     4        https://bugs.webkit.org/show_bug.cgi?id=63627
     5
     6        Reviewed by Zoltan Herczeg.
     7
     8        A TextRun is constructed for a portion of a string [a,b] whose original length is c (0 < a < b < c).
     9        The TextRun charactersLength variable stores the length of the remaining text from (b..c) in order
     10        to support ligatures in SVG Fonts. Example: <text>ffl</text>. When measuring the advance from char 0
     11        to char 1 the whole 'ffl' text must be passed to the SVG glyph selection code, as the SVG Font may
     12        define a single glyph for the characters 'ffl' thus leading to a single character long text
     13        pointing to the ffl ligature, not three individual 'f' / 'f' / 'l' characters anymore.
     14
     15        constructTextRun(..const UChar*, int length, ..) did not correctly calculate the maximum length (b..c).
     16        The passed in UChar buffer starts at eg. textRenderer->characters() + start(), and following condition
     17        holds true for 'length': start() + length <= textRenderer->textLength() (which denotes the maximum length
     18        of the textRenderer->characters() buffer). We have to keep track of the start() offset, so that we
     19        can calculate the charactersLength for the TextRun correctly: textRenderer->textLength() - start().
     20
     21        There are also other cases like RenderCombinedText and/or the presence of hyphens that were incorrectly
     22        tracked. Only InlineTextBox had to be fixed, the other callsites in eg. RenderBlockLineLayout already
     23        computed the maximum length correctly - I assured this by valgrind runs on all SVG Font tests.
     24
     25        * rendering/InlineTextBox.cpp:
     26        (WebCore::InlineTextBox::paint):
     27        (WebCore::InlineTextBox::paintSelection):
     28        (WebCore::InlineTextBox::constructTextRun): Add maximumLength parameter to constructTextRun.
     29        * rendering/InlineTextBox.h: Ditto.
     30
    1312011-07-12  Antti Koivisto  <antti@apple.com>
    232

  • trunk/Source/WebCore/rendering/InlineTextBox.cpp

    r90791 r90901  
    642642
    643643    int length = m_len;
     644    int maximumLength;
    644645    const UChar* characters;
    645     if (!combinedText)
     646    if (!combinedText) {
    646647        characters = textRenderer()->text()->characters() + m_start;
    647     else
     648        maximumLength = textRenderer()->textLength() - m_start;
     649    } else {
    648650        combinedText->charactersToRender(m_start, characters, length);
     651        maximumLength = length;
     652    }
    649653
    650654    BufferForAppendingHyphen charactersWithHyphen;
    651     TextRun textRun = constructTextRun(styleToUse, font, characters, length, hasHyphen() ? &charactersWithHyphen : 0);
     655    TextRun textRun = constructTextRun(styleToUse, font, characters, length, maximumLength, hasHyphen() ? &charactersWithHyphen : 0);
    652656    if (hasHyphen())
    653657        length = textRun.length();
     
    814818    BufferForAppendingHyphen charactersWithHyphen;
    815819    bool respectHyphen = ePos == length && hasHyphen();
    816     TextRun textRun = constructTextRun(style, font, characters, length, respectHyphen ? &charactersWithHyphen : 0);
     820    TextRun textRun = constructTextRun(style, font, characters, length, textRenderer()->textLength() - length, respectHyphen ? &charactersWithHyphen : 0);
    817821    if (respectHyphen)
    818822        ePos = textRun.length();
     
    12991303    ASSERT(textRenderer->characters());
    13001304
    1301     return constructTextRun(style, font, textRenderer->characters() + start(), len(), charactersWithHyphen);
    1302 }
    1303 
    1304 TextRun InlineTextBox::constructTextRun(RenderStyle* style, const Font& font, const UChar* characters, int length, BufferForAppendingHyphen* charactersWithHyphen) const
     1305    return constructTextRun(style, font, textRenderer->characters() + start(), len(), textRenderer->textLength() - start(), charactersWithHyphen);
     1306}
     1307
     1308TextRun InlineTextBox::constructTextRun(RenderStyle* style, const Font& font, const UChar* characters, int length, int maximumLength, BufferForAppendingHyphen* charactersWithHyphen) const
    13051309{
    13061310    ASSERT(style);
     
    13091313    ASSERT(textRenderer);
    13101314
    1311     if (charactersWithHyphen)
     1315    if (charactersWithHyphen) {
    13121316        adjustCharactersAndLengthForHyphen(*charactersWithHyphen, style, characters, length);
     1317        maximumLength = length;
     1318    }
     1319
     1320    ASSERT(maximumLength >= length);
    13131321
    13141322    TextRun run(characters, length, textRenderer->allowTabs(), textPos(), expansion(), expansionBehavior(), direction(), m_dirOverride || style->rtlOrdering() == VisualOrder);
     
    13171325
    13181326    // Propagate the maximum length of the characters buffer to the TextRun, even when we're only processing a substring.
    1319     run.setCharactersLength(textRenderer->textLength());
     1327    run.setCharactersLength(maximumLength);
     1328    ASSERT(run.charactersLength() >= run.length());
    13201329    return run;
    13211330}

  • trunk/Source/WebCore/rendering/InlineTextBox.h

    r90600 r90901  
    101101
    102102    TextRun constructTextRun(RenderStyle*, const Font&, BufferForAppendingHyphen* = 0) const;
    103     TextRun constructTextRun(RenderStyle*, const Font&, const UChar*, int length, BufferForAppendingHyphen* = 0) const;
     103    TextRun constructTextRun(RenderStyle*, const Font&, const UChar*, int length, int maximumLength, BufferForAppendingHyphen* = 0) const;
    104104
    105105public:
Note: See TracChangeset for help on using the changeset viewer.