Title: [289597] trunk/Source/WebCore
- Revision
- 289597
- Author
- [email protected]
- Date
- 2022-02-10 17:47:41 -0800 (Thu, 10 Feb 2022)
Log Message
Check bidiLevels are valid before reordering
https://bugs.webkit.org/show_bug.cgi?id=236378
Patch by Brandon Stewart <[email protected]> on 2022-02-10
Reviewed by Alan Bujtas.
We were trusting that the bidiLevel was valid before calling the reorder.
If the bidiLevel ends up being greater than the MAX + 1 we end up in a situation where
the reordering will fail. The function returns void, so there is not a good way to check
for an error.
* layout/formattingContexts/inline/InlineLineBuilder.cpp:
(WebCore::Layout::LineBuilder::layoutInlineContent):
Modified Paths
Diff
Modified: trunk/Source/WebCore/ChangeLog (289596 => 289597)
--- trunk/Source/WebCore/ChangeLog 2022-02-11 00:45:54 UTC (rev 289596)
+++ trunk/Source/WebCore/ChangeLog 2022-02-11 01:47:41 UTC (rev 289597)
@@ -1,3 +1,18 @@
+2022-02-10 Brandon Stewart <[email protected]>
+
+ Check bidiLevels are valid before reordering
+ https://bugs.webkit.org/show_bug.cgi?id=236378
+
+ Reviewed by Alan Bujtas.
+
+ We were trusting that the bidiLevel was valid before calling the reorder.
+ If the bidiLevel ends up being greater than the MAX + 1 we end up in a situation where
+ the reordering will fail. The function returns void, so there is not a good way to check
+ for an error.
+
+ * layout/formattingContexts/inline/InlineLineBuilder.cpp:
+ (WebCore::Layout::LineBuilder::layoutInlineContent):
+
2022-02-10 Said Abou-Hallawa <[email protected]>
[GPU Process] Delete GraphicsContext::clipToDrawingCommands()
Modified: trunk/Source/WebCore/layout/formattingContexts/inline/InlineLineBuilder.cpp (289596 => 289597)
--- trunk/Source/WebCore/layout/formattingContexts/inline/InlineLineBuilder.cpp 2022-02-11 00:45:54 UTC (rev 289596)
+++ trunk/Source/WebCore/layout/formattingContexts/inline/InlineLineBuilder.cpp 2022-02-11 01:47:41 UTC (rev 289597)
@@ -342,6 +342,14 @@
hasOpaqueRun = true;
continue;
}
+
+ // bidiLevels are required to be less than the MAX + 1, otherwise
+ // ubidi_reorderVisual will silently fail.
+ if (lineRuns[i].bidiLevel() > UBIDI_MAX_EXPLICIT_LEVEL + 1) {
+ ASSERT(lineRuns[i].bidiLevel() == UBIDI_DEFAULT_LTR);
+ continue;
+ }
+
runLevels.append(lineRuns[i].bidiLevel());
runIndexOffsetMap.append(accumulatedOffset);
}
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
