Title: [281008] trunk/Source/WebCore
- Revision
- 281008
- Author
- [email protected]
- Date
- 2021-08-12 22:45:45 -0700 (Thu, 12 Aug 2021)
Log Message
Fix bounds checks for WhitespaceCache string lengths
https://bugs.webkit.org/show_bug.cgi?id=229066
<rdar://81850871>
Reviewed by Simon Fraser.
When the whitespace string length is maximumWhitespaceStringLength,
we read from and write to one element past the end of m_codes and
m_indexes. Since we don't need to store codes and indexes for zero
length strings, subtract one from the index we use.
* html/parser/HTMLConstructionSite.cpp:
(WebCore::WhitespaceCache::lookup):
* html/parser/HTMLConstructionSite.h:
Modified: trunk/Source/WebCore/ChangeLog (281007 => 281008)
--- trunk/Source/WebCore/ChangeLog 2021-08-13 03:58:52 UTC (rev 281007)
+++ trunk/Source/WebCore/ChangeLog 2021-08-13 05:45:45 UTC (rev 281008)
@@ -1,3 +1,20 @@
+2021-08-12 Cameron McCormack <[email protected]>
+
+ Fix bounds checks for WhitespaceCache string lengths
+ https://bugs.webkit.org/show_bug.cgi?id=229066
+ <rdar://81850871>
+
+ Reviewed by Simon Fraser.
+
+ When the whitespace string length is maximumWhitespaceStringLength,
+ we read from and write to one element past the end of m_codes and
+ m_indexes. Since we don't need to store codes and indexes for zero
+ length strings, subtract one from the index we use.
+
+ * html/parser/HTMLConstructionSite.cpp:
+ (WebCore::WhitespaceCache::lookup):
+ * html/parser/HTMLConstructionSite.h:
+
2021-08-12 David Kilzer <[email protected]>
ThreadSanitizer: data race in WebCore::CARingBufferStorageVector::setCurrentFrameBounds() / getCurrentFrameBounds()
Modified: trunk/Source/WebCore/html/parser/HTMLConstructionSite.cpp (281007 => 281008)
--- trunk/Source/WebCore/html/parser/HTMLConstructionSite.cpp 2021-08-13 03:58:52 UTC (rev 281007)
+++ trunk/Source/WebCore/html/parser/HTMLConstructionSite.cpp 2021-08-13 05:45:45 UTC (rev 281008)
@@ -891,24 +891,25 @@
if (!code)
return AtomString();
- if (m_codes[length] == code) {
- ASSERT(m_atoms[m_indexes[length]] == string);
- return m_atoms[m_indexes[length]];
+ size_t lengthIndex = length - 1;
+ if (m_codes[lengthIndex] == code) {
+ ASSERT(m_atoms[m_indexes[lengthIndex]] == string);
+ return m_atoms[m_indexes[lengthIndex]];
}
if (code == overflowWhitespaceCode)
return AtomString(string);
- if (m_codes[length]) {
+ if (m_codes[lengthIndex]) {
AtomString whitespaceAtom(string);
- m_codes[length] = code;
- m_atoms[m_indexes[length]] = whitespaceAtom;
+ m_codes[lengthIndex] = code;
+ m_atoms[m_indexes[lengthIndex]] = whitespaceAtom;
return whitespaceAtom;
}
AtomString whitespaceAtom(string);
- m_codes[length] = code;
- m_indexes[length] = m_atoms.size();
+ m_codes[lengthIndex] = code;
+ m_indexes[lengthIndex] = m_atoms.size();
m_atoms.append(whitespaceAtom);
return whitespaceAtom;
}
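Review bot: `size_t lengthIndex = length - 1;` at the top of the hunk wraps to SIZE_MAX when length is 0, and nothing in the hunk keeps lengthIndex below maximumCachedStringLength either; the read of `m_codes[lengthIndex]` on the following line happens before the `code == overflowWhitespaceCode` early return, so an over-long string that reaches this point would still index past the array. The commit message says zero-length strings never need a slot, and the `if (!code)` guard above presumably covers them, but the bound the fix relies on is implicit; making it explicit with `ASSERT(length >= 1 && length <= maximumCachedStringLength);` immediately before computing lengthIndex would both document and debug-check it. lookup's signature and the computation of `code` are outside the hunk, so whether length is already bounded there cannot be confirmed from this view.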
Modified: trunk/Source/WebCore/html/parser/HTMLConstructionSite.h (281007 => 281008)
--- trunk/Source/WebCore/html/parser/HTMLConstructionSite.h 2021-08-13 03:58:52 UTC (rev 281007)
+++ trunk/Source/WebCore/html/parser/HTMLConstructionSite.h 2021-08-13 05:45:45 UTC (rev 281008)
@@ -238,7 +238,9 @@
constexpr static size_t maximumCachedStringLength = 128;
// Parallel arrays storing a 64 bit code and an index into m_atoms for the
- // most recently atomized whitespace-only string of a given length.
+ // most recently atomized whitespace-only string of a given length. The
+ // indices into these two arrays are the string length minus 1, so the code
+ // for a whitespace-only string of length 2 is stored at m_codes[1], etc.
uint64_t m_codes[maximumCachedStringLength] { 0 };
uint8_t m_indexes[maximumCachedStringLength] { 0 };
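Review bot: The new comment explains the length-minus-one indexing but not what the `{ 0 }` initializer on the two arrays means; the .cpp side uses a zero `m_codes` entry as the empty-slot test (`if (m_codes[lengthIndex])` decides whether a slot is occupied), so the comment should say so, e.g. `// A code of 0 marks a slot that has not been filled yet.` Since m_indexes is uint8_t while the .cpp stores `m_atoms.size()` into it, a sentence stating that m_atoms is expected to hold at most maximumCachedStringLength entries (so the narrowing cannot truncate) would also help; I infer that bound from the one-append-per-length pattern rather than from a visible check, so it should be confirmed before being written down as fact.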