Title: [121082] trunk/Source
- Revision
- 121082
- Author
- [email protected]
- Date
- 2012-06-22 18:16:20 -0700 (Fri, 22 Jun 2012)
Log Message
IndexedDB: Avoid infinite loop if we try to encode -1 for leveldb
https://bugs.webkit.org/show_bug.cgi?id=89625
Source/WebCore:
It gets worse: memory is allocated inside the loop, so the process is
eventually killed by the OS.
Reviewed by Tony Chang.
Added tests to Source/WebKit/chromium/tests/IDBLevelDBCodingTest.cpp
* Modules/indexeddb/IDBLevelDBCoding.cpp:
(WebCore::IDBLevelDBCoding::encodeInt):
(WebCore::IDBLevelDBCoding::encodeVarInt):
Source/WebKit/chromium:
Reviewed by Tony Chang.
* tests/IDBLevelDBCodingTest.cpp:
(IDBLevelDBCoding::TEST):
Modified: trunk/Source/WebCore/ChangeLog (121081 => 121082)
--- trunk/Source/WebCore/ChangeLog 2012-06-23 00:56:03 UTC (rev 121081)
+++ trunk/Source/WebCore/ChangeLog 2012-06-23 01:16:20 UTC (rev 121082)
@@ -1,3 +1,19 @@
+2012-06-22 David Grogan <[email protected]>
+
+ IndexedDB: Avoid infinite loop if we try to encode -1 for leveldb
+ https://bugs.webkit.org/show_bug.cgi?id=89625
+
+ It gets worse, memory is allocated inside the loop so the process is
+ eventually killed by the OS.
+
+ Reviewed by Tony Chang.
+
+ Added tests to Source/WebKit/chromium/tests/IDBLevelDBCodingTest.cpp
+
+ * Modules/indexeddb/IDBLevelDBCoding.cpp:
+ (WebCore::IDBLevelDBCoding::encodeInt):
+ (WebCore::IDBLevelDBCoding::encodeVarInt):
+
2012-06-22 Hayato Ito <[email protected]>
[Shadow] ShadowRoot.activeElement should use the result of re-targeting algorithm.
Modified: trunk/Source/WebCore/Modules/indexeddb/IDBLevelDBBackingStore.cpp (121081 => 121082)
--- trunk/Source/WebCore/Modules/indexeddb/IDBLevelDBBackingStore.cpp 2012-06-23 00:56:03 UTC (rev 121081)
+++ trunk/Source/WebCore/Modules/indexeddb/IDBLevelDBBackingStore.cpp 2012-06-23 01:16:20 UTC (rev 121082)
@@ -77,6 +77,9 @@
template <typename DBOrTransaction>
static bool putInt(DBOrTransaction* db, const Vector<char>& key, int64_t value)
{
+ ASSERT(value >= 0);
+ if (value < 0)
+ return false;
return db->put(key, encodeInt(value));
}
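Review bot: The release-build guard `if (value < 0) return false;` fails silently — nothing is logged, and a caller that ignores putInt's bool (callers are not visible here) would continue as if the write had happened. A short comment stating the contract would help the next reader, e.g. `// Negative values cannot be encoded as a key; reject here rather than let encodeInt emit an 8-byte unsigned encoding in release builds.` Since this is now a reachable failure path rather than an assertion, it is worth confirming that every putInt caller checks the return value.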
Modified: trunk/Source/WebCore/Modules/indexeddb/IDBLevelDBCoding.cpp (121081 => 121082)
--- trunk/Source/WebCore/Modules/indexeddb/IDBLevelDBCoding.cpp 2012-06-23 00:56:03 UTC (rev 121081)
+++ trunk/Source/WebCore/Modules/indexeddb/IDBLevelDBCoding.cpp 2012-06-23 01:16:20 UTC (rev 121082)
@@ -194,9 +194,10 @@
return *begin;
}
-Vector<char> encodeInt(int64_t n)
+Vector<char> encodeInt(int64_t nParam)
{
- ASSERT(n >= 0);
+ ASSERT(nParam >= 0);
+ uint64_t n = static_cast<uint64_t>(nParam);
Vector<char> ret; // FIXME: Size this at creation.
do {
@@ -236,8 +237,10 @@
return 0;
}
-Vector<char> encodeVarInt(int64_t n)
+Vector<char> encodeVarInt(int64_t nParam)
{
+ ASSERT(nParam >= 0);
+ uint64_t n = static_cast<uint64_t>(nParam);
Vector<char> ret; // FIXME: Size this at creation.
do {
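Review bot: After `uint64_t n = static_cast<uint64_t>(nParam);` a negative input no longer loops forever, but in release builds it is silently encoded as its unsigned two's-complement value (the new test expects 8 bytes for encodeInt(-1)), so the caller receives a well-formed but meaningless key with no error signal. A comment beside the cast should say so, e.g. `// Cast so the encoding loop terminates for negative input (asserted above as a caller bug); in release it encodes the unsigned two's-complement value.` The same applies to the encodeVarInt hunk at @@ -236; presumably the loop never drained a negative int64_t because the shift preserves the sign bit, though the loop body is outside the hunk. Both function bodies continue past their hunks.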
Modified: trunk/Source/WebKit/chromium/ChangeLog (121081 => 121082)
--- trunk/Source/WebKit/chromium/ChangeLog 2012-06-23 00:56:03 UTC (rev 121081)
+++ trunk/Source/WebKit/chromium/ChangeLog 2012-06-23 01:16:20 UTC (rev 121082)
@@ -1,3 +1,13 @@
+2012-06-22 David Grogan <[email protected]>
+
+ IndexedDB: Avoid infinite loop if we try to encode -1 for leveldb
+ https://bugs.webkit.org/show_bug.cgi?id=89625
+
+ Reviewed by Tony Chang.
+
+ * tests/IDBLevelDBCodingTest.cpp:
+ (IDBLevelDBCoding::TEST):
+
2012-06-22 Michael Nordman <[email protected]>
[chromium] WebKit API plumbing for applicationCache.abort()
Modified: trunk/Source/WebKit/chromium/tests/IDBLevelDBCodingTest.cpp (121081 => 121082)
--- trunk/Source/WebKit/chromium/tests/IDBLevelDBCodingTest.cpp 2012-06-23 00:56:03 UTC (rev 121081)
+++ trunk/Source/WebKit/chromium/tests/IDBLevelDBCodingTest.cpp 2012-06-23 01:16:20 UTC (rev 121082)
@@ -139,6 +139,9 @@
EXPECT_EQ(static_cast<size_t>(1), encodeInt(255).size());
EXPECT_EQ(static_cast<size_t>(2), encodeInt(256).size());
EXPECT_EQ(static_cast<size_t>(4), encodeInt(0xffffffff).size());
+#ifdef NDEBUG
+ EXPECT_EQ(static_cast<size_t>(8), encodeInt(-1).size());
+#endif
}
TEST(IDBLevelDBCodingTest, DecodeBool)
@@ -166,6 +169,9 @@
testCases.append(655536);
testCases.append(7711192431755665792ll);
testCases.append(0x7fffffffffffffffll);
+#ifdef NDEBUG
+ testCases.append(-3);
+#endif
for (size_t i = 0; i < testCases.size(); ++i) {
int64_t n = testCases[i];
@@ -181,6 +187,9 @@
EXPECT_EQ(static_cast<size_t>(2), encodeVarInt(255).size());
EXPECT_EQ(static_cast<size_t>(2), encodeVarInt(256).size());
EXPECT_EQ(static_cast<size_t>(5), encodeVarInt(0xffffffff).size());
+#ifdef NDEBUG
+ EXPECT_EQ(static_cast<size_t>(8), encodeInt(-100).size());
+#endif
}
TEST(IDBLevelDBCodingTest, DecodeVarInt)
@@ -194,6 +203,9 @@
testCases.append(655536);
testCases.append(7711192431755665792ll);
testCases.append(0x7fffffffffffffffll);
+#ifdef NDEBUG
+ testCases.append(-3);
+#endif
for (size_t i = 0; i < testCases.size(); ++i) {
int64_t n = testCases[i];
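Review bot: The new check in the EncodeVarInt block, `EXPECT_EQ(static_cast<size_t>(8), encodeInt(-100).size());`, calls encodeInt rather than encodeVarInt, so it duplicates the EncodeInt case and leaves the varint size for a negative input unasserted. It should presumably read `EXPECT_EQ(static_cast<size_t>(10), encodeVarInt(-100).size());` — 10 being the expected byte count if the encoder uses 7-bit groups, which is consistent with the 5-byte expectation for 0xffffffff two lines above; confirm against the encoder. The DecodeVarInt round-trip at @@ -194 does append -3, so the behaviour is exercised there, but the size check is the one that documents it.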