Changeset 31309 in webkit
- Timestamp:
- Mar 25, 2008 11:46:54 PM (16 years ago)
- Location:
- trunk
- Files:
-
- 5 added
- 10 edited
-
LayoutTests/ChangeLog (modified) (1 diff)
-
LayoutTests/fast/css/resources/bikes.bmp (added)
-
LayoutTests/fast/css/value-list-out-of-bounds-crash.html (added)
-
LayoutTests/platform/mac/fast/css/value-list-out-of-bounds-crash-expected.checksum (added)
-
LayoutTests/platform/mac/fast/css/value-list-out-of-bounds-crash-expected.png (added)
-
LayoutTests/platform/mac/fast/css/value-list-out-of-bounds-crash-expected.txt (added)
-
WebCore/ChangeLog (modified) (1 diff)
-
WebCore/css/CSSFontSelector.cpp (modified) (3 diffs)
-
WebCore/css/CSSMutableStyleDeclaration.cpp (modified) (1 diff)
-
WebCore/css/CSSStyleSelector.cpp (modified) (13 diffs)
-
WebCore/css/CSSValueList.cpp (modified) (1 diff)
-
WebCore/css/CSSValueList.h (modified) (1 diff)
-
WebCore/css/MediaQueryEvaluator.cpp (modified) (1 diff)
-
WebCore/svg/SVGFontFaceElement.cpp (modified) (1 diff)
-
WebCore/svg/graphics/SVGPaintServer.cpp (modified) (1 diff)
Legend:
- Unmodified
- Added
- Removed
-
trunk/LayoutTests/ChangeLog
r31303 r31309 1 2008-03-25 Beth Dakin <bdakin@apple.com> 2 3 Reviewed by Oliver. 4 5 Test for <rdar://problem/5811826> CSSValueList::item() does not 6 range-check index 7 8 * fast/css/resources/bikes.bmp: Added. 9 * fast/css/value-list-out-of-bounds-crash.html: Added. 10 * platform/mac/fast/css/value-list-out-of-bounds-crash-expected.checksum: Added. 11 * platform/mac/fast/css/value-list-out-of-bounds-crash-expected.png: Added. 12 * platform/mac/fast/css/value-list-out-of-bounds-crash-expected.txt: Added. 13 1 14 2008-03-25 Darin Adler <darin@apple.com> 2 15 -
trunk/WebCore/ChangeLog
r31307 r31309 1 2008-03-25 Beth Dakin <bdakin@apple.com> 2 3 Reviewed by Oliver. 4 5 Fix for <rdar://problem/5811826> CSSValueList::item() does not 6 range-check index 7 8 Check bounds before accessing the item to avoid a crash. 9 itemWithoutBoundsCheck() is still inlined and not bounds-checked to 10 avoid slowing down our internal callers of item(). 11 * css/CSSValueList.cpp: 12 (WebCore::CSSValueList::item): 13 * css/CSSValueList.h: 14 (WebCore::CSSValueList::itemWithoutBoundsCheck): 15 16 Call itemWithoutBoundsCheck() to avoid slowing down these internal 17 callers. 18 * css/CSSFontSelector.cpp: 19 (WebCore::CSSFontSelector::addFontFaceRule): 20 * css/CSSMutableStyleDeclaration.cpp: 21 (WebCore::CSSMutableStyleDeclaration::getLayeredShorthandValue): 22 * css/CSSStyleSelector.cpp: 23 (WebCore::applyCounterList): 24 (WebCore::CSSStyleSelector::applyProperty): 25 * css/MediaQueryEvaluator.cpp: 26 (WebCore::parseAspectRatio): 27 * svg/SVGFontFaceElement.cpp: 28 (WebCore::SVGFontFaceElement::rebuildFontFace): 29 * svg/graphics/SVGPaintServer.cpp: 30 (WebCore::dashArrayFromRenderingStyle): 31 1 32 2008-03-25 Antti Koivisto <antti@apple.com> 2 33 -
trunk/WebCore/css/CSSFontSelector.cpp
r31290 r31309 146 146 for (i = 0; i < srcLength; i++) { 147 147 // An item in the list either specifies a string (local font name) or a URL (remote font to download). 148 CSSFontFaceSrcValue* item = static_cast<CSSFontFaceSrcValue*>(srcList->item (i));148 CSSFontFaceSrcValue* item = static_cast<CSSFontFaceSrcValue*>(srcList->itemWithoutBoundsCheck(i)); 149 149 CSSFontFaceSource* source = 0; 150 150 … … 204 204 int familyLength = familyList->length(); 205 205 for (i = 0; i < familyLength; i++) { 206 CSSPrimitiveValue* item = static_cast<CSSPrimitiveValue*>(familyList->item (i));206 CSSPrimitiveValue* item = static_cast<CSSPrimitiveValue*>(familyList->itemWithoutBoundsCheck(i)); 207 207 String familyName; 208 208 if (item->primitiveType() == CSSPrimitiveValue::CSS_STRING) … … 261 261 unsigned numRanges = rangeList->length(); 262 262 for (unsigned i = 0; i < numRanges; i++) { 263 CSSUnicodeRangeValue* range = static_cast<CSSUnicodeRangeValue*>(rangeList->item (i));263 CSSUnicodeRangeValue* range = static_cast<CSSUnicodeRangeValue*>(rangeList->itemWithoutBoundsCheck(i)); 264 264 segmentedFontFace->overlayRange(range->from(), range->to(), fontFace); 265 265 } -
trunk/WebCore/css/CSSMutableStyleDeclaration.cpp
r31169 r31309 205 205 if (values[j]) { 206 206 if (values[j]->isValueList()) 207 value = static_cast<CSSValueList*>(values[j].get())->item (i);207 value = static_cast<CSSValueList*>(values[j].get())->itemWithoutBoundsCheck(i); 208 208 else { 209 209 value = values[j]; -
trunk/WebCore/css/CSSStyleSelector.cpp
r31238 r31309 148 148 prevChild->setNext(currChild); \ 149 149 } \ 150 map##Prop(currChild, valueList->item (i)); \150 map##Prop(currChild, valueList->itemWithoutBoundsCheck(i)); \ 151 151 prevChild = currChild; \ 152 152 currChild = currChild->next(); \ … … 2219 2219 int length = list ? list->length() : 0; 2220 2220 for (int i = 0; i < length; ++i) { 2221 Pair* pair = static_cast<CSSPrimitiveValue*>(list->item (i))->getPairValue();2221 Pair* pair = static_cast<CSSPrimitiveValue*>(list->itemWithoutBoundsCheck(i))->getPairValue(); 2222 2222 AtomicString identifier = static_cast<CSSPrimitiveValue*>(pair->first())->getStringValue(); 2223 2223 // FIXME: What about overflow? … … 2640 2640 m_style->setCursor(CURSOR_AUTO); 2641 2641 for (int i = 0; i < len; i++) { 2642 CSSValue* item = list->item (i);2642 CSSValue* item = list->itemWithoutBoundsCheck(i); 2643 2643 if (!item->isPrimitiveValue()) 2644 2644 continue; … … 3359 3359 bool didSet = false; 3360 3360 for (int i = 0; i < len; i++) { 3361 CSSValue* item = list->item (i);3361 CSSValue* item = list->itemWithoutBoundsCheck(i); 3362 3362 if (!item->isPrimitiveValue()) 3363 3363 continue; … … 3446 3446 3447 3447 for (int i = 0; i < len; i++) { 3448 CSSValue *item = list->item (i);3448 CSSValue *item = list->itemWithoutBoundsCheck(i); 3449 3449 if (!item->isPrimitiveValue()) continue; 3450 3450 CSSPrimitiveValue *val = static_cast<CSSPrimitiveValue*>(item); … … 3515 3515 for (int i = 0; i < len; i++) 3516 3516 { 3517 CSSValue *item = list->item (i);3517 CSSValue *item = list->itemWithoutBoundsCheck(i); 3518 3518 if (!item->isPrimitiveValue()) continue; 3519 3519 primitiveValue = static_cast<CSSPrimitiveValue*>(item); … … 3779 3779 bool firstBinding = true; 3780 3780 for (unsigned int i = 0; i < list->length(); i++) { 3781 CSSValue *item = list->item (i);3781 CSSValue *item = list->itemWithoutBoundsCheck(i); 3782 3782 CSSPrimitiveValue *val = static_cast<CSSPrimitiveValue*>(item); 3783 3783 if (val->primitiveType() == CSSPrimitiveValue::CSS_URI) { … … 3948 3948 int len = list->length(); 3949 3949 for (int i = 0; i < len; i++) { 3950 ShadowValue* item = static_cast<ShadowValue*>(list->item (i));3950 ShadowValue* item = static_cast<ShadowValue*>(list->itemWithoutBoundsCheck(i)); 3951 3951 int x = item->x->computeLengthInt(m_style, zoomFactor); 3952 3952 int y = item->y->computeLengthInt(m_style, zoomFactor); … … 4355 4355 unsigned size = list->length(); 4356 4356 for (unsigned i = 0; i < size; i++) { 4357 CSSTransformValue* val = static_cast<CSSTransformValue*>(list->item (i));4357 CSSTransformValue* val = static_cast<CSSTransformValue*>(list->itemWithoutBoundsCheck(i)); 4358 4358 CSSValueList* values = val->values(); 4359 4359 4360 CSSPrimitiveValue* firstValue = static_cast<CSSPrimitiveValue*>(values->item (0));4360 CSSPrimitiveValue* firstValue = static_cast<CSSPrimitiveValue*>(values->itemWithoutBoundsCheck(0)); 4361 4361 4362 4362 switch (val->type()) { … … 4372 4372 if (val->type() == CSSTransformValue::ScaleTransformOperation) { 4373 4373 if (values->length() > 1) { 4374 CSSPrimitiveValue* secondValue = static_cast<CSSPrimitiveValue*>(values->item (1));4374 CSSPrimitiveValue* secondValue = static_cast<CSSPrimitiveValue*>(values->itemWithoutBoundsCheck(1)); 4375 4375 sy = secondValue->getDoubleValue(); 4376 4376 } else … … 4395 4395 if (val->type() == CSSTransformValue::TranslateTransformOperation) { 4396 4396 if (values->length() > 1) { 4397 CSSPrimitiveValue* secondValue = static_cast<CSSPrimitiveValue*>(values->item (1));4397 CSSPrimitiveValue* secondValue = static_cast<CSSPrimitiveValue*>(values->itemWithoutBoundsCheck(1)); 4398 4398 ty = convertToLength(secondValue, m_style, &ok); 4399 4399 } else … … 4432 4432 if (val->type() == CSSTransformValue::SkewTransformOperation) { 4433 4433 if (values->length() > 1) { 4434 CSSPrimitiveValue* secondValue = static_cast<CSSPrimitiveValue*>(values->item (1));4434 CSSPrimitiveValue* secondValue = static_cast<CSSPrimitiveValue*>(values->itemWithoutBoundsCheck(1)); 4435 4435 angleY = secondValue->getDoubleValue(); 4436 4436 if (secondValue->primitiveType() == CSSPrimitiveValue::CSS_RAD) … … 4448 4448 } 4449 4449 case CSSTransformValue::MatrixTransformOperation: { 4450 CSSPrimitiveValue* secondValue = static_cast<CSSPrimitiveValue*>(values->item (1));4451 CSSPrimitiveValue* thirdValue = static_cast<CSSPrimitiveValue*>(values->item (2));4452 CSSPrimitiveValue* fourthValue = static_cast<CSSPrimitiveValue*>(values->item (3));4453 CSSPrimitiveValue* fifthValue = static_cast<CSSPrimitiveValue*>(values->item (4));4454 CSSPrimitiveValue* sixthValue = static_cast<CSSPrimitiveValue*>(values->item (5));4450 CSSPrimitiveValue* secondValue = static_cast<CSSPrimitiveValue*>(values->itemWithoutBoundsCheck(1)); 4451 CSSPrimitiveValue* thirdValue = static_cast<CSSPrimitiveValue*>(values->itemWithoutBoundsCheck(2)); 4452 CSSPrimitiveValue* fourthValue = static_cast<CSSPrimitiveValue*>(values->itemWithoutBoundsCheck(3)); 4453 CSSPrimitiveValue* fifthValue = static_cast<CSSPrimitiveValue*>(values->itemWithoutBoundsCheck(4)); 4454 CSSPrimitiveValue* sixthValue = static_cast<CSSPrimitiveValue*>(values->itemWithoutBoundsCheck(5)); 4455 4455 MatrixTransformOperation* matrix = new MatrixTransformOperation(firstValue->getDoubleValue(), 4456 4456 secondValue->getDoubleValue(), -
trunk/WebCore/css/CSSValueList.cpp
r25754 r31309 36 36 } 37 37 38 CSSValue* CSSValueList::item(unsigned index) 39 { 40 if (index >= m_values.size()) 41 return 0; 42 return m_values[index].get(); 43 } 44 38 45 unsigned short CSSValueList::cssValueType() const 39 46 { -
trunk/WebCore/css/CSSValueList.h
r25754 r31309 36 36 37 37 unsigned length() const { return m_values.size(); } 38 CSSValue* item (unsigned index) { return m_values[index].get(); } 38 CSSValue* item(unsigned); 39 CSSValue* itemWithoutBoundsCheck(unsigned index) { return m_values[index].get(); } 39 40 40 41 virtual bool isValueList() { return true; } -
trunk/WebCore/css/MediaQueryEvaluator.cpp
r30670 r31309 166 166 CSSValueList* valueList = static_cast<CSSValueList*>(value); 167 167 if (valueList->length() == 3) { 168 CSSValue* i0 = valueList->item (0);169 CSSValue* i1 = valueList->item (1);170 CSSValue* i2 = valueList->item (2);168 CSSValue* i0 = valueList->itemWithoutBoundsCheck(0); 169 CSSValue* i1 = valueList->itemWithoutBoundsCheck(1); 170 CSSValue* i2 = valueList->itemWithoutBoundsCheck(2); 171 171 if (i0->isPrimitiveValue() && static_cast<CSSPrimitiveValue*>(i0)->primitiveType() == CSSPrimitiveValue::CSS_NUMBER 172 172 && i1->isPrimitiveValue() && static_cast<CSSPrimitiveValue*>(i1)->primitiveType() == CSSPrimitiveValue::CSS_STRING -
trunk/WebCore/svg/SVGFontFaceElement.cpp
r31160 r31309 340 340 unsigned srcLength = srcList ? srcList->length() : 0; 341 341 for (unsigned i = 0; i < srcLength; i++) { 342 if (CSSFontFaceSrcValue* item = static_cast<CSSFontFaceSrcValue*>(srcList->item (i)))342 if (CSSFontFaceSrcValue* item = static_cast<CSSFontFaceSrcValue*>(srcList->itemWithoutBoundsCheck(i))) 343 343 item->setSVGFontFaceElement(this); 344 344 } -
trunk/WebCore/svg/graphics/SVGPaintServer.cpp
r30430 r31309 154 154 unsigned long len = dashes->length(); 155 155 for (unsigned long i = 0; i < len; i++) { 156 dash = static_cast<CSSPrimitiveValue*>(dashes->item (i));156 dash = static_cast<CSSPrimitiveValue*>(dashes->itemWithoutBoundsCheck(i)); 157 157 if (!dash) 158 158 continue;
Note: See TracChangeset
for help on using the changeset viewer.
