Title: [107652] trunk/Source/WebCore
Revision: 107652
Author: [email protected]
Date: 2012-02-13 17:40:57 -0800 (Mon, 13 Feb 2012)
Log Message
Implement Element.webkitRegionOverflow
[CSSRegions][CSSOM] Implement Element.regionOverflow
https://bugs.webkit.org/show_bug.cgi?id=77863
Patch by Raul Hudea <[email protected]> on 2012-02-13
Reviewed by David Hyatt.
On each layout, compute the overflowState for each region belonging to the flow thread.
Tests: fast/regions/element-region-overflow-state-vertical-rl.html
fast/regions/element-region-overflow-state.html
* dom/Element.cpp:
(WebCore::Element::webkitRegionOverflow):
(WebCore):
* dom/Element.h:
* dom/Element.idl:
* rendering/RenderBlock.cpp:
(WebCore::RenderBlock::computeOverflow):
* rendering/RenderFlowThread.cpp:
(WebCore::RenderFlowThread::computeOverflowStateForRegions):
(WebCore):
* rendering/RenderFlowThread.h:
* rendering/RenderRegion.cpp:
(WebCore::RenderRegion::RenderRegion):
* rendering/RenderRegion.h:
(RenderRegion):
(WebCore::RenderRegion::regionState):
(WebCore::RenderRegion::setRegionState):
Diff
Modified: trunk/Source/WebCore/ChangeLog (107651 => 107652)
--- trunk/Source/WebCore/ChangeLog 2012-02-14 01:37:01 UTC (rev 107651)
+++ trunk/Source/WebCore/ChangeLog 2012-02-14 01:40:57 UTC (rev 107652)
@@ -41,6 +41,25 @@
2012-02-13 Benjamin Poulain <[email protected]>
+ SharedBuffer::getSomeData() can potentially return a pointer past the data
+ https://bugs.webkit.org/show_bug.cgi?id=77799
+
+ Reviewed by David Kilzer.
+
+ The expected behavior from SharedBuffer::getSomeData() is to return a size and pointer of value 0
+ if position is past the data.
+
+ However, the code handling the memory mapped data is before the code ensuring the aforementioned
+ condition. It is possible to return a pointer past the data, and a non-null size.
+
+ This patch aims at preventing such invalid memory access by checking position is in the boundaries
+ before any attempt is made to return the data.
+
+ * platform/SharedBuffer.cpp:
+ (WebCore::SharedBuffer::getSomeData):
+
+2012-02-13 Benjamin Poulain <[email protected]>
+
SharedBuffer::getSomeData() must support m_dataArray if NETWORK_CFDATA_ARRAY_CALLBACK is defined
https://bugs.webkit.org/show_bug.cgi?id=77718
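Review bot: The added entry for bug 77799 names no test and gives no reason for leaving one out, even though it describes a path that can return a pointer past the data with a non-zero size. Suggest adding a regression test that calls getSomeData() with position equal to size() and with position greater than size() on a buffer that takes the hasPlatformData() || m_purgeableBuffer branch, and asserting that both the returned size and someData are 0; if that cannot be covered by an automated test, the entry should say so.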
Modified: trunk/Source/WebCore/platform/SharedBuffer.cpp (107651 => 107652)
--- trunk/Source/WebCore/platform/SharedBuffer.cpp 2012-02-14 01:37:01 UTC (rev 107651)
+++ trunk/Source/WebCore/platform/SharedBuffer.cpp 2012-02-14 01:40:57 UTC (rev 107652)
@@ -233,16 +233,19 @@
unsigned SharedBuffer::getSomeData(const char*& someData, unsigned position) const
{
+ unsigned totalSize = size();
+ if (position >= totalSize) {
+ someData = 0;
+ return 0;
+ }
+
if (hasPlatformData() || m_purgeableBuffer) {
+ ASSERT(position < size());
someData = data() + position;
- return size() - position;
+ return totalSize - position;
}
- if (position >= m_size) {
- someData = 0;
- return 0;
- }
-
+ ASSERT(position < m_size);
unsigned consecutiveSize = m_buffer.size();
if (position < consecutiveSize) {
someData = m_buffer.data() + position;
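Review bot: The two added ASSERTs compare against size() and m_size instead of the totalSize value the new early return just tested, at "ASSERT(position < size());" and "ASSERT(position < m_size);". The first repeats the size() call that the patch otherwise hoists into totalSize, and the second checks a different variable from the guard, with nothing in the hunk showing that m_size equals size() on this path. Suggest "ASSERT(position < totalSize);" in both places. If m_size and size() can diverge here, the segmented path needs a real bounds check against m_size rather than an ASSERT, since ASSERT is compiled out of release builds.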
@@ -254,7 +257,7 @@
unsigned maxSegmentedSize = segments * segmentSize;
unsigned segment = segmentIndex(position);
if (segment < segments) {
- unsigned bytesLeft = m_size - consecutiveSize;
+ unsigned bytesLeft = totalSize - consecutiveSize;
unsigned segmentedSize = min(maxSegmentedSize, bytesLeft);
unsigned positionInSegment = offsetInSegment(position);
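Review bot: "unsigned bytesLeft = totalSize - consecutiveSize;" is an unsigned subtraction, and nothing in this hunk establishes that consecutiveSize <= totalSize, so a mismatch between size() and m_buffer.size() would wrap to a large value and let min() select maxSegmentedSize. Suggest an "ASSERT(consecutiveSize <= totalSize);" immediately before the subtraction, or a one-line comment naming the earlier check this line relies on, so the bound can be verified without reading the whole function.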