Title: [107999] trunk/Source/WebCore
- Revision: 107999
- Author: [email protected]
- Date: 2012-02-16 16:48:11 -0800 (Thu, 16 Feb 2012)
Log Message
Very large strings could cause the new quoted string to wrap.
https://bugs.webkit.org/show_bug.cgi?id=78387
Reviewed by Eric Seidel.
* css/CSSParser.cpp:
(WebCore::quoteCSSString):
Modified Paths
Diff
Modified: trunk/Source/WebCore/ChangeLog (107998 => 107999)
--- trunk/Source/WebCore/ChangeLog 2012-02-17 00:46:50 UTC (rev 107998)
+++ trunk/Source/WebCore/ChangeLog 2012-02-17 00:48:11 UTC (rev 107999)
@@ -1,3 +1,13 @@
+2012-02-16 Cris Neckar <[email protected]>
+
+ Very large strings could cause the new quoted string to wrap.
+ https://bugs.webkit.org/show_bug.cgi?id=78387
+
+ Reviewed by Eric Seidel.
+
+ * css/CSSParser.cpp:
+ (WebCore::quoteCSSString):
+
2012-02-16 Eric Seidel <[email protected]>
Add a themeChromiumAndroid.css file for android-specific default styles
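Review bot: the ChangeLog entry names the function but not the change itself; state what the fix does (a length check before the quoted-string size is computed, with oversized input now yielding an empty string) so the entry is useful without reading the diff, and say whether a test accompanies it.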
Modified: trunk/Source/WebCore/css/CSSParser.cpp (107998 => 107999)
--- trunk/Source/WebCore/css/CSSParser.cpp 2012-02-17 00:46:50 UTC (rev 107998)
+++ trunk/Source/WebCore/css/CSSParser.cpp 2012-02-17 00:48:11 UTC (rev 107999)
@@ -9232,6 +9232,11 @@
// We use single quotes for now because markup.cpp uses double quotes.
String quoteCSSString(const String& string)
{
+ // This function expands each character to at most 3 characters ('\u0010' -> '\' '1' '0') as well as adds
+ // 2 quote characters (before and after). Make sure the resulting size (3 * length + 2) will not overflow unsigned.
+ if (string.length() >= (std::numeric_limits<unsigned>::max() / 3) - 2)
+ return "";
+
// For efficiency, we first pre-calculate the length of the quoted string, then we build the actual one.
// Please see below for the actual logic.
unsigned quotedStringSize = 2; // Two quotes surrounding the entire string.
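Review bot: the early return for oversized input yields `""`, which is not a quoted string, while every other path wraps the result in the two surrounding quotes (`unsigned quotedStringSize = 2; // Two quotes surrounding the entire string.`); a caller that splices the result into CSS text would get malformed output, so consider returning `"''"` (an empty quoted string) or otherwise signalling the failure. Two smaller points: the bound `(std::numeric_limits<unsigned>::max() / 3) - 2` is safe but stricter than the `3 * length + 2` arithmetic the comment describes, whose exact limit is `(max - 2) / 3`; and confirm `<limits>` is included in this file, since the hunk introduces `std::numeric_limits` without showing an include.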