Title: [88139] trunk/Source/WebCore
Revision
88139
Author
[email protected]
Date
2011-06-05 21:56:45 -0700 (Sun, 05 Jun 2011)

Log Message

2011-06-04  Abhishek Arya  <[email protected]>

        Reviewed by Kent Tamura.

        Add some asserts for array boundary checks in TextRun. Fix
        an integer issue in linux text controller code.
        https://bugs.webkit.org/show_bug.cgi?id=62085

        Testing ComplexTextControllerLinux change requires a testcase
        > 32 kb which is not feasible. All other changes are tested by
        existing layouttests.

        * platform/graphics/TextRun.h:
        (WebCore::TextRun::operator[]): add assert.
        (WebCore::TextRun::data): add assert.
        * platform/graphics/WidthIterator.cpp:
        (WebCore::WidthIterator::advance): bail early and prevent access
        to one byte across the text run boundary.
        * platform/graphics/chromium/ComplexTextControllerLinux.cpp:
        (WebCore::ComplexTextController::getNormalizedTextRun): wrong
        int16 vs int comparison.
        * rendering/svg/SVGTextRunRenderingContext.cpp:
        (WebCore::SVGTextRunWalker::walk): bail early when from or to
        is outside the text run boundary. This was hit easily after adding
        the assert, in the case from = to = end, where run.data(from) was read.

Diff

Modified: trunk/Source/WebCore/ChangeLog (88138 => 88139)


--- trunk/Source/WebCore/ChangeLog	2011-06-06 04:07:10 UTC (rev 88138)
+++ trunk/Source/WebCore/ChangeLog	2011-06-06 04:56:45 UTC (rev 88139)
@@ -1,3 +1,29 @@
+2011-06-04  Abhishek Arya  <[email protected]>
+
+        Reviewed by Kent Tamura.
+
+        Add some asserts for array boundary checks in TextRun. Fix
+        an integer issue in linux text controller code.
+        https://bugs.webkit.org/show_bug.cgi?id=62085
+
+        Testing ComplexTextControllerLinux change requires a testcase
+        > 32 kb which is not feasible. All other changes are tested by
+        existing layouttests.
+
+        * platform/graphics/TextRun.h:
+        (WebCore::TextRun::operator[]): add assert.
+        (WebCore::TextRun::data): add assert.
+        * platform/graphics/WidthIterator.cpp:
+        (WebCore::WidthIterator::advance): bail early and prevent access
+        to one byte across the text run boundary.
+        * platform/graphics/chromium/ComplexTextControllerLinux.cpp:
+        (WebCore::ComplexTextController::getNormalizedTextRun): wrong
+        int16 vs int comparison.
+        * rendering/svg/SVGTextRunRenderingContext.cpp:
+        (WebCore::SVGTextRunWalker::walk): bail early when from and to
+        is outside the text run boundary. this hit easily after adding
+        the assert when from = to = end and read in run.data(from). 
+
 2011-06-05  Kent Tamura  <[email protected]>
 
         Reviewed by Dimitri Glazkov.

Modified: trunk/Source/WebCore/platform/graphics/TextRun.h (88138 => 88139)


--- trunk/Source/WebCore/platform/graphics/TextRun.h	2011-06-06 04:07:10 UTC (rev 88138)
+++ trunk/Source/WebCore/platform/graphics/TextRun.h	2011-06-06 04:56:45 UTC (rev 88139)
@@ -78,8 +78,8 @@
     {
     }
 
-    UChar operator[](int i) const { return m_characters[i]; }
-    const UChar* data(int i) const { return &m_characters[i]; }
+    UChar operator[](int i) const { ASSERT(i >= 0 && i < m_len); return m_characters[i]; }
+    const UChar* data(int i) const { ASSERT(i >= 0 && i < m_len); return &m_characters[i]; }
 
     const UChar* characters() const { return m_characters; }
     int length() const { return m_len; }
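Review bot: The new ASSERTs on the two accessors reject `data(length())`, the one-past-end pointer that range-style callers naturally compute, and — assuming WebKit's ASSERT compiles out in release builds as usual — leave `operator[]` and `data()` exactly as unchecked as before in shipping code. The SVG walker in this same commit had to grow its own guard to survive the assert, which is the right model, but nothing on the accessors tells the next caller that. I'd spell the contract out next to them: `// Debug-only check; release builds do no bounds checking. Callers must validate i themselves, and data(length()) is not an accepted one-past-end request.`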

Modified: trunk/Source/WebCore/platform/graphics/WidthIterator.cpp (88138 => 88139)


--- trunk/Source/WebCore/platform/graphics/WidthIterator.cpp	2011-06-06 04:07:10 UTC (rev 88138)
+++ trunk/Source/WebCore/platform/graphics/WidthIterator.cpp	2011-06-06 04:56:45 UTC (rev 88139)
@@ -80,6 +80,9 @@
         offset = m_end;
 
     int currentCharacter = m_currentCharacter;
+    if (currentCharacter >= offset)
+        return;
+
     const UChar* cp = m_run.data(currentCharacter);
 
     bool rtl = m_run.rtl();
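Review bot: The added guard only covers the upper bound; a negative `m_currentCharacter` would still pass `currentCharacter >= offset` and reach `m_run.data(currentCharacter)`, which the accompanying TextRun assert rejects in debug and which is an out-of-range read in release. I cannot see how `m_currentCharacter` is initialised, since advance() begins before this hunk, so if it is guaranteed non-negative this is fine, but the early return also skips whatever bookkeeping the rest of advance() performs, and that is worth confirming against its callers. Either way the bare `return;` deserves a why-comment: `// Nothing left to advance; also avoids asking TextRun::data() for a pointer at or past the end of the run.`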

Modified: trunk/Source/WebCore/platform/graphics/chromium/ComplexTextControllerLinux.cpp (88138 => 88139)


--- trunk/Source/WebCore/platform/graphics/chromium/ComplexTextControllerLinux.cpp	2011-06-06 04:07:10 UTC (rev 88138)
+++ trunk/Source/WebCore/platform/graphics/chromium/ComplexTextControllerLinux.cpp	2011-06-06 04:56:45 UTC (rev 88139)
@@ -367,7 +367,7 @@
     icu::UnicodeString normalizedString;
     UErrorCode error = U_ZERO_ERROR;
 
-    for (int16_t i = 0; i < originalRun.length(); ++i) {
+    for (int i = 0; i < originalRun.length(); ++i) {
         UChar ch = originalRun[i];
         if (::ublock_getCode(ch) == UBLOCK_COMBINING_DIACRITICAL_MARKS) {
             icu::Normalizer::normalize(icu::UnicodeString(originalRun.characters(),
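Review bot: The widened loop counter fixes a real out-of-bounds read — with `int16_t i` and `length()` returning `int`, a run longer than 32767 UTF-16 units promotes `i` for the comparison but `++i` then overflows, in practice wrapping to -32768 so `originalRun[i]` reads before the buffer — yet nothing in the code records why `int` matters here, so a later "tidy-up" to a smaller type could silently reintroduce it. Suggest a comment above the loop: `// Keep the counter an int: TextRun::length() is an int and runs can exceed 32K code units; a narrower counter would overflow and index out of bounds.` The enclosing getNormalizedTextRun() body continues past the hunk.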

Modified: trunk/Source/WebCore/rendering/svg/SVGTextRunRenderingContext.cpp (88138 => 88139)


--- trunk/Source/WebCore/rendering/svg/SVGTextRunRenderingContext.cpp	2011-06-06 04:07:10 UTC (rev 88138)
+++ trunk/Source/WebCore/rendering/svg/SVGTextRunRenderingContext.cpp	2011-06-06 04:56:45 UTC (rev 88139)
@@ -114,7 +114,8 @@
 
     void walk(const TextRun& run, bool isVerticalText, const String& language, int from, int to)
     {
-        ASSERT(0 <= from && from <= to && to - from <= run.length());
+        if (from < 0 || to < 0 || from > to || from >= run.length() || to > run.length())
+            return;         
 
         const String text = Font::normalizeSpaces(run.data(from), to - from);
         Vector<SVGGlyph::ArabicForm> chars(charactersWithArabicForm(text, run.rtl()));
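Review bot: Replacing the ASSERT with a silent early return means debug builds no longer surface callers that pass `from > to` or an out-of-range `to`; only the `from == to == length()` case described in the ChangeLog is benign, the others are caller bugs worth keeping visible. I would keep the benign case as the early exit, keep the assert for the real invariant, and keep the release-mode guard behind it: `if (from == to) return;` / `ASSERT(0 <= from && from < to && to <= run.length());` / `if (from < 0 || from > to || to > run.length()) return;` — note `to < 0` in the new condition is already implied by `from >= 0 && from <= to`. The added `return;` line also carries trailing whitespace. walk()'s body continues past the hunk, so any later use of `from`/`to` there is not reviewed here.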