Title: [94265] trunk/Source/WebCore
- Revision: 94265
- Author: crog...@google.com
- Date: 2011-08-31 19:08:19 -0700 (Wed, 31 Aug 2011)
Log Message
Do more rigorous bounds checking in AudioBufferSourceNode::renderFromBuffer()
https://bugs.webkit.org/show_bug.cgi?id=67351
Reviewed by Dirk Pranke.
No new tests since this does not change JavaScript API.
* webaudio/AudioBufferSourceNode.cpp:
(WebCore::AudioBufferSourceNode::renderFromBuffer):
Modified Paths
- trunk/Source/WebCore/ChangeLog
- trunk/Source/WebCore/webaudio/AudioBufferSourceNode.cpp
Diff
Modified: trunk/Source/WebCore/ChangeLog (94264 => 94265)
--- trunk/Source/WebCore/ChangeLog 2011-09-01 01:56:36 UTC (rev 94264)
+++ trunk/Source/WebCore/ChangeLog 2011-09-01 02:08:19 UTC (rev 94265)
@@ -1,3 +1,15 @@
+2011-08-31 Chris Rogers <crog...@google.com>
+
+ Do more rigorous bounds checking in AudioBufferSourceNode::renderFromBuffer()
+ https://bugs.webkit.org/show_bug.cgi?id=67351
+
+ Reviewed by Dirk Pranke.
+
+ No new tests since this does not change _javascript_ API.
+
+ * webaudio/AudioBufferSourceNode.cpp:
+ (WebCore::AudioBufferSourceNode::renderFromBuffer):
+
2011-08-31 Keishi Hattori <kei...@webkit.org>
Remove closeColorChooser call from FrameLoader::transitionToCommitted
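Review bot: the new ChangeLog entry says only that bounds checking is "more rigorous" and does not record what the new limit is or where it comes from; a reader of the ChangeLog alone cannot tell that renderFromBuffer() now refuses buses and frame counts above a fixed size, nor why that size is safe for every caller. Please state the bound and its origin in the entry. The "No new tests" line is also worth a second look: the API does not change, but the patch adds a new early-return path in release builds, and a regression test that drives that path (even one that only confirms the ASSERT fires in debug) would catch a future caller that hands in a larger bus.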
Modified: trunk/Source/WebCore/webaudio/AudioBufferSourceNode.cpp (94264 => 94265)
--- trunk/Source/WebCore/webaudio/AudioBufferSourceNode.cpp 2011-09-01 01:56:36 UTC (rev 94264)
+++ trunk/Source/WebCore/webaudio/AudioBufferSourceNode.cpp 2011-09-01 02:08:19 UTC (rev 94265)
@@ -186,6 +186,12 @@
// Sanity check destinationFrameOffset, numberOfFrames.
size_t destinationLength = bus->length();
+
+ bool isLengthGood = destinationLength <= 4096 && numberOfFrames <= 4096;
+ ASSERT(isLengthGood);
+ if (!isLengthGood)
+ return;
+
bool isOffsetGood = destinationFrameOffset <= destinationLength && destinationFrameOffset + numberOfFrames <= destinationLength;
ASSERT(isOffsetGood);
if (!isOffsetGood)
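Review bot: the literal in `bool isLengthGood = destinationLength <= 4096 && numberOfFrames <= 4096;` is a magic number with no comment explaining what 4096 is or why a larger bus can never be legitimate here; please give it a named constant (or reference the existing definition if the maximum bus length is defined elsewhere) so that a change to the bus size cannot silently desynchronise this check. The comment above the hunk, `// Sanity check destinationFrameOffset, numberOfFrames.`, should also be updated now that destinationLength is checked too. One point worth documenting in a comment so it survives later tidying: because the new check runs before `destinationFrameOffset <= destinationLength && destinationFrameOffset + numberOfFrames <= destinationLength`, and that line's first conjunct bounds destinationFrameOffset by destinationLength, the size_t addition in its second conjunct can no longer wrap; the ordering of the two checks is load-bearing, not cosmetic.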
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes