Modified: trunk/Source/WebCore/ChangeLog (116462 => 116463)
--- trunk/Source/WebCore/ChangeLog 2012-05-08 23:01:10 UTC (rev 116462)
+++ trunk/Source/WebCore/ChangeLog 2012-05-08 23:01:37 UTC (rev 116463)
@@ -1,3 +1,28 @@
+2012-05-08 Dana Jansens <[email protected]>
+
+ Region reads past end of spans
+ https://bugs.webkit.org/show_bug.cgi?id=85909
+
+ Reviewed by Anders Carlsson.
+
+ Region currently checks aSpan == aSpanEnd as the indicator that
+ we passed all the spans. When aSpan < aSpanEnd, it uses aSpan+1
+ to find the height of the span.
+
+ If aSpan == aSpanEnd - 1, then aSpan+1 == aSpanEnd. This does not
+ represent a valid span, since aSpanEnd is past the end of the
+ array, not the last element in the array. The loop should terminate
+ in this case.
+
+ Checking aSegment != aSegmentEnd is acceptable in the inner loop since
+ it increments by two each time (segments come in pairs, while spans
+ come in singles).
+
+ Test: RegionTest.ReadPastFullSpanVectorInIntersectsTest
+
+ * platform/graphics/Region.cpp:
+ (WebCore::Region::Shape::compareShapes):
+
2012-05-08 Philip Rogers <[email protected]>
Prevent crash in animated lists
Modified: trunk/Source/WebCore/platform/graphics/Region.cpp (116462 => 116463)
--- trunk/Source/WebCore/platform/graphics/Region.cpp 2012-05-08 23:01:10 UTC (rev 116462)
+++ trunk/Source/WebCore/platform/graphics/Region.cpp 2012-05-08 23:01:37 UTC (rev 116463)
@@ -135,7 +135,7 @@
bool aHadSegmentInPreviousSpan = false;
bool bHadSegmentInPreviousSpan = false;
- while (aSpan != aSpanEnd && bSpan != bSpanEnd) {
+ while (aSpan != aSpanEnd && aSpan + 1 != aSpanEnd && bSpan != bSpanEnd && bSpan + 1 != bSpanEnd) {
int aY = aSpan->y;
int aMaxY = (aSpan + 1)->y;
int bY = bSpan->y;
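Review bot: The second and fourth terms of the new loop condition (`aSpan + 1 != aSpanEnd`, `bSpan + 1 != bSpanEnd`) carry the whole fix but nothing in the code says why they are there, so a later reader is likely to drop them as redundant with `aSpan != aSpanEnd`; the only explanation lives in the ChangeLog. I would add, immediately above the `while`, `// A span's bottom edge is read from (span + 1)->y, so the last span in each vector has no successor: stop before it instead of reading past the end.` The ordering also matters and deserves a word: `aSpan != aSpanEnd` must stay first so that `aSpan + 1` is never formed from a past-the-end value (assuming these are raw pointers or contiguous iterators, which the `->y` dereference suggests). If the long condition is felt to be unreadable, `aSpanEnd - aSpan > 1 && bSpanEnd - bSpan > 1` expresses the same guard in one comparison per side. The enclosing `compareShapes` begins and ends outside this hunk.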
Modified: trunk/Source/WebKit/chromium/tests/RegionTest.cpp (116462 => 116463)
--- trunk/Source/WebKit/chromium/tests/RegionTest.cpp 2012-05-08 23:01:10 UTC (rev 116462)
+++ trunk/Source/WebKit/chromium/tests/RegionTest.cpp 2012-05-08 23:01:37 UTC (rev 116463)
@@ -205,6 +205,29 @@
TEST_NO_INTERSECT(r, IntRect(0, 3, 13, 7));
}
+TEST(RegionTest, ReadPastFullSpanVectorInIntersectsTest)
+{
+ Region r;
+
+ // This region has enough spans to fill its allocated Vector exactly.
+ r.unite(IntRect(400, 300, 1, 800));
+ r.unite(IntRect(785, 585, 1, 1));
+ r.unite(IntRect(787, 585, 1, 1));
+ r.unite(IntRect(0, 587, 16, 162));
+ r.unite(IntRect(26, 590, 300, 150));
+ r.unite(IntRect(196, 750, 1, 1));
+ r.unite(IntRect(0, 766, 1, 1));
+ r.unite(IntRect(0, 782, 1, 1));
+ r.unite(IntRect(745, 798, 1, 1));
+ r.unite(IntRect(795, 882, 10, 585));
+ r.unite(IntRect(100, 1499, 586, 1));
+ r.unite(IntRect(100, 1500, 585, 784));
+ // This query rect goes past the bottom of the Region, causing the
+ // test to reach the last span and try go past it. It should not read
+ // memory off the end of the span Vector.
+ TEST_NO_INTERSECT(r, IntRect(0, 2184, 1, 150));
+}
+
#define TEST_NO_CONTAINS(a, b) \
{ \
Region ar = a; \
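Review bot: The new test's ability to catch the over-read depends on the span Vector being filled to exactly its capacity (per the comment on line 53) and on running under a memory checker; `TEST_NO_INTERSECT` itself will presumably still pass when the stale byte after the last span happens to be readable, so a future change to Vector's growth policy could silently turn this into a no-op. I would say so in the comment, e.g. `// Only an ASan/Valgrind run makes the over-read visible; the rectangles below were chosen so the span Vector has no spare capacity.` The comment on lines 66-68 also has a typo: `try go past it` should read `try to go past it`.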