Changeset 69716 in webkit

Timestamp:

Oct 13, 2010 5:21:40 PM (14 years ago)

Author:

cevans@google.com

Message:

2010-10-13 Chris Evans <​cevans@google.com>

Reviewed by Jian Li.

Blob / BlobBuilder can be put into bad state with wild integers and strings, due to integer overflows
​https://bugs.webkit.org/show_bug.cgi?id=47382

Add test for Blob.slice() integer overflow.

• fast/files/blob-slice-overflow.html: Added.
• fast/files/blob-slice-overflow-expected.txt: Added.

2010-10-13 Chris Evans <​cevans@google.com>

Reviewed by Jian Li.

Blob / BlobBuilder can be put into bad state with wild integers and strings, due to integer overflows
​https://bugs.webkit.org/show_bug.cgi?id=47382

Fix integer overflow errors in Blob.slice and BlobBuilder.append.

Test: fast/files/blob-slice-overflow.html

• fileapi/Blob.cpp: (WebCore::Blob::slice): handle integer overflow properly.
• fileapi/BlobBuilder.cpp: (WebCore::BlobBuilder::append): use correct type for vector length.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/files/blob-slice-overflow-expected.txt (added)
• LayoutTests/fast/files/blob-slice-overflow.html (added)
• WebCore/ChangeLog (modified) (1 diff)
• WebCore/fileapi/Blob.cpp (modified) (1 diff)
• WebCore/fileapi/BlobBuilder.cpp (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2010-10-13  Chris Evans  <cevans@google.com>
+
+        Reviewed by Jian Li.
+
+        Blob / BlobBuilder can be put into bad state with wild integers and strings, due to integer overflows
+        https://bugs.webkit.org/show_bug.cgi?id=47382
+
+        Add test for Blob.slice() integer overflow.
+
+        * fast/files/blob-slice-overflow.html: Added.
+        * fast/files/blob-slice-overflow-expected.txt: Added.
+
 2010-10-13  James Simonsen  <simonjam@chromium.org>
 

trunk/WebCore/ChangeLog

@@ +1 @@
+2010-10-13  Chris Evans  <cevans@google.com>
+
+        Reviewed by Jian Li.
+
+        Blob / BlobBuilder can be put into bad state with wild integers and strings, due to integer overflows
+        https://bugs.webkit.org/show_bug.cgi?id=47382
+
+        Fix integer overflow errors in Blob.slice and BlobBuilder.append.
+
+        Test: fast/files/blob-slice-overflow.html
+
+        * fileapi/Blob.cpp:
+        (WebCore::Blob::slice): handle integer overflow properly.
+        * fileapi/BlobBuilder.cpp:
+        (WebCore::BlobBuilder::append): use correct type for vector length.
+
 2010-10-13  Gavin Barraclough  <barraclough@apple.com>
 

trunk/WebCore/fileapi/Blob.cpp

@@ -87 +87 @@
         start = 0;
         length = 0;
-    } else if (start + length > size)
+    } else if (start + length > size || length > std::numeric_limits<long long>::max() - start)
         length = size - start;
 

trunk/WebCore/fileapi/BlobBuilder.cpp

@@ -64 +64 @@
     if (!utf8Text.isNull()) {
         Vector<char>& buffer = *m_items[m_items.size() - 1].data->mutableData();
-        unsigned oldSize = buffer.size();
+        size_t oldSize = buffer.size();
 
         if (isEndingTypeNative)