Title: [208861] trunk/Source/WebCore
- Revision: 208861
- Author: [email protected]
- Date: 2016-11-17 15:05:37 -0800 (Thu, 17 Nov 2016)
Log Message
Improve URL length handling
https://bugs.webkit.org/show_bug.cgi?id=164884
<rdar://problem/5909143>
Reviewed by David Kilzer.
Make sure the result of re-encoding and other fix-up stays within
expected parameters.
No new tests. No change in behavior.
* platform/URL.cpp:
(WebCore::URL::parse):
Diff
Modified: trunk/Source/WebCore/ChangeLog (208860 => 208861)
--- trunk/Source/WebCore/ChangeLog 2016-11-17 21:37:05 UTC (rev 208860)
+++ trunk/Source/WebCore/ChangeLog 2016-11-17 23:05:37 UTC (rev 208861)
@@ -1,3 +1,19 @@
+2016-11-17 Brent Fulgham <[email protected]>
+
+ Improve URL length handling
+ https://bugs.webkit.org/show_bug.cgi?id=164884
+ <rdar://problem/5909143>
+
+ Reviewed by David Kilzer.
+
+ Make sure the result of re-encoding and other fix-up stays within
+ expected parameters.
+
+ No new tests. No change in behavior.
+
+ * platform/URL.cpp:
+ (WebCore::URL::parse):
+
2016-11-17 Zalan Bujtas <[email protected]>
Render tree should be all clean by the end of FrameView::layout().
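Review bot: The added entry's "No new tests. No change in behavior." line does not match the URL.cpp change in this revision, which adds a path that calls invalidate() and returns early when the buffer length computation overflows. Suggest wording the entry to say that a URL whose worst-case buffer length overflows is now treated as invalid, and either adding a test that feeds an over-long input to URL::parse or stating why such a test is impractical.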
Modified: trunk/Source/WebCore/platform/URL.cpp (208860 => 208861)
--- trunk/Source/WebCore/platform/URL.cpp 2016-11-17 21:37:05 UTC (rev 208860)
+++ trunk/Source/WebCore/platform/URL.cpp 2016-11-17 23:05:37 UTC (rev 208861)
@@ -1675,13 +1675,23 @@
}
// assemble it all, remembering the real ranges
+ Checked<unsigned, RecordOverflow> bufferLength = fragmentEnd;
+ bufferLength *= 3;
// The magic number 10 comes from the worst-case addition of characters for password start,
// user info, and colon for port number, colon after scheme, plus inserting missing slashes
// after protocol, slash for empty path, and possible end-of-query '#' character. This
// yields a max of nine additional characters, plus a null.
- Vector<char, 4096> buffer(fragmentEnd * 3 + 10);
+ bufferLength += 10;
+ if (bufferLength.hasOverflowed()) {
+ m_string = originalString ? *originalString : url;
+ invalidate();
+ return;
+ }
+
+ Vector<char, 4096> buffer(bufferLength.unsafeGet());
+
char* p = buffer.data();
const char* strPtr = url;
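Review bot: The multiplier in "bufferLength *= 3;" is undocumented, while the "+= 10" that follows has a four-line comment explaining every character it accounts for. Suggest a one-line comment above the multiplication stating which worst-case expansion the factor of 3 covers, so the two halves of the size bound can be audited together. The "unsafeGet()" call is only sound because it follows the "hasOverflowed()" early return; keep the two adjacent if this block is refactored later.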