Title: [210213] trunk/Source/WebCore
- Revision: 210213
- Author: [email protected]
- Date: 2016-12-30 08:16:31 -0800 (Fri, 30 Dec 2016)
Log Message
[EFL] fix buffer over-read in RenderThemeEfl::mediaControlsStyleSheet()
https://bugs.webkit.org/show_bug.cgi?id=166622
Patch by Olivier Blin <[email protected]> on 2016-12-30
Reviewed by Gyuyoung Kim.
This has been detected by a charactersAreAllASCII() assert failure.
Initially in WebKitForWayland (WPE), but the code was likely borrowed from EFL.
This is because ASCIILiteral() is wrongly used in mediaControlsStyleSheet().
mediaControlsBaseUserAgentStyleSheet is a char array, not a null-terminated string.
It is thus incorrect to use StringImpl::createFromLiteral() that calls
strlen() to get the string length.
The String::ConstructFromLiteral constructor can not be used, since it
skips the last character.
* rendering/RenderThemeEfl.cpp:
(WebCore::RenderThemeEfl::mediaControlsStyleSheet):
Explicitly pass the size to the String constructor.
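The defect the commit message describes, shown as an added example rather than WebKit code: a stylesheet stored as a char array without a trailing NUL, the two length-derivation strategies the message rejects, and the explicit-length construction the fix uses. The arrays, the helper names and the use of std::string in place of WTF::String are constructed for this illustration and are assumptions, not anything from the page. The example generalises the fix slightly by choosing the length from whether the array's last byte is a terminator.

```cpp
#include <cstddef>
#include <iostream>
#include <string>

// Constructed sample: a stylesheet emitted as a raw char array with NO
// trailing NUL, the shape the commit message attributes to
// mediaControlsBaseUserAgentStyleSheet. The bytes are made up.
const char kUnterminatedSheet[] = {'a', 'u', 'd', 'i', 'o', '{', '}'};

// Constructed sample: an ordinary string literal, which does carry a NUL.
const char kTerminatedSheet[] = "audio{}";

// True when the array's final byte is a NUL terminator. Only that byte is
// inspected, so unlike strlen() this never reads past the array.
template <size_t N>
bool isNullTerminated(const char (&bytes)[N]) {
    return N > 0 && bytes[N - 1] == '\0';
}

// Mirrors a "construct from literal" helper: it assumes the array is a string
// literal and drops the final byte as the NUL. On an unterminated array that
// silently discards the last real character (the ConstructFromLiteral problem
// named in the commit message).
template <size_t N>
std::string fromLiteral(const char (&bytes)[N]) {
    return N > 0 ? std::string(bytes, N - 1) : std::string();
}

// The fix, generalised: the length comes from the array's compile-time bound,
// never from scanning for a NUL. For an unterminated array every byte is data
// and the full sizeof is the length; for a literal the NUL is excluded.
template <size_t N>
std::string fromArray(const char (&bytes)[N]) {
    return std::string(bytes, isNullTerminated(bytes) ? N - 1 : N);
}

int main() {
    // Calling strlen() on kUnterminatedSheet would be the over-read; it is
    // deliberately not done here. The bounded helpers are used instead.
    std::cout << "literal rule on unterminated array: \""
              << fromLiteral(kUnterminatedSheet) << "\" (last char lost)\n";
    std::cout << "explicit length on unterminated array: \""
              << fromArray(kUnterminatedSheet) << "\"\n";
    std::cout << "explicit length on literal: \""
              << fromArray(kTerminatedSheet) << "\"\n";
    return 0;
}
```

The length check looks only at the array's last byte, so it distinguishes a literal from a raw byte array but cannot detect an unterminated array whose last data byte happens to be zero; for that case the caller must know how the array was produced, which is why the commit passes sizeof() directly.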
Modified Paths
- trunk/Source/WebCore/ChangeLog
- trunk/Source/WebCore/rendering/RenderThemeEfl.cpp
Diff
Modified: trunk/Source/WebCore/ChangeLog (210212 => 210213)
--- trunk/Source/WebCore/ChangeLog 2016-12-30 14:00:07 UTC (rev 210212)
+++ trunk/Source/WebCore/ChangeLog 2016-12-30 16:16:31 UTC (rev 210213)
@@ -1,3 +1,25 @@
+2016-12-30 Olivier Blin <[email protected]>
+
+ [EFL] fix buffer over-read in RenderThemeEfl::mediaControlsStyleSheet()
+ https://bugs.webkit.org/show_bug.cgi?id=166622
+
+ Reviewed by Gyuyoung Kim.
+
+ This has been detected by a charactersAreAllASCII() assert failure.
+ Initially in WebKitForWayland (WPE), but the code was likely borrowed from EFL.
+
+ This is because ASCIILiteral() is wrongly used in mediaControlsStyleSheet().
+ mediaControlsBaseUserAgentStyleSheet is a char array, not a null-terminated string.
+ It is thus incorrect to use StringImpl::createFromLiteral() that calls
+ strlen() to get the string length.
+
+ The String::ConstructFromLiteral constructor can not be used, since it
+ skips the last character.
+
+ * rendering/RenderThemeEfl.cpp:
+ (WebCore::RenderThemeEfl::mediaControlsStyleSheet):
+ Explicitely pass the size to the String constructor.
+
2016-12-30 Commit Queue <[email protected]>
Unreviewed, rolling out r210206.
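Review bot: "Explicitely" in the (WebCore::RenderThemeEfl::mediaControlsStyleSheet) annotation line should read "Explicitly". The entry otherwise states clearly why both ASCIILiteral() and String::ConstructFromLiteral are unsuitable; it would help future readers to add one sentence tying the two facts together, namely that sizeof() is the correct length precisely because the array carries no terminating NUL, so that anyone who later changes how the array is generated knows this call site depends on it.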
Modified: trunk/Source/WebCore/rendering/RenderThemeEfl.cpp (210212 => 210213)
--- trunk/Source/WebCore/rendering/RenderThemeEfl.cpp 2016-12-30 14:00:07 UTC (rev 210212)
+++ trunk/Source/WebCore/rendering/RenderThemeEfl.cpp 2016-12-30 16:16:31 UTC (rev 210213)
@@ -1054,7 +1054,7 @@
#if ENABLE(VIDEO)
String RenderThemeEfl::mediaControlsStyleSheet()
{
- return ASCIILiteral(mediaControlsBaseUserAgentStyleSheet);
+ return String(mediaControlsBaseUserAgentStyleSheet, sizeof(mediaControlsBaseUserAgentStyleSheet));
}
String RenderThemeEfl::mediaControlsScript()
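Review bot: the replacement line depends on sizeof(mediaControlsBaseUserAgentStyleSheet) evaluating to the array's byte count, which holds only while the array's bound is visible at this point; if the declaration were ever changed to a pointer, sizeof would silently become the pointer size and the string would be truncated with no diagnostic. Consider a static_assert on the array size, or a comment at the array's definition recording that it is not NUL-terminated and that its full sizeof is the intended length, so the invariant this fix relies on is enforced or at least documented next to the data rather than only here.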