Title: [137077] releases/WebKitGTK/webkit-1.10
Revision
137077
Author
[email protected]
Date
2012-12-09 09:10:17 -0800 (Sun, 09 Dec 2012)

Log Message

Merge 133610 - Heap-buffer-overflow in WebCore::TextTrackCueList::add
https://bugs.webkit.org/show_bug.cgi?id=101018

Patch by Aaron Colwell <[email protected]> on 2012-11-06
Reviewed by Eric Carlson.

Source/WebCore:

Added an extra check to avoid using a negative array index when a cue
is added to the beginning of the list.

Test case added to LayoutTests/media/track/track-add-remove-cue.html.

* html/track/TextTrackCueList.cpp:
(WebCore::TextTrackCueList::add):

LayoutTests:

Added a test case to verify that adding a cue to the beginning of a non-empty list doesn't crash.

* media/track/track-add-remove-cue-expected.txt:
* media/track/track-add-remove-cue.html:

Diff

Modified: releases/WebKitGTK/webkit-1.10/LayoutTests/ChangeLog (137076 => 137077)


--- releases/WebKitGTK/webkit-1.10/LayoutTests/ChangeLog	2012-12-09 16:36:53 UTC (rev 137076)
+++ releases/WebKitGTK/webkit-1.10/LayoutTests/ChangeLog	2012-12-09 17:10:17 UTC (rev 137077)
@@ -1,3 +1,15 @@
+2012-11-06  Aaron Colwell  <[email protected]>
+
+        Heap-buffer-overflow in WebCore::TextTrackCueList::add
+        https://bugs.webkit.org/show_bug.cgi?id=101018
+
+        Reviewed by Eric Carlson.
+
+        Added a test case to verify that adding a cue to the beginning of a non-empty list doesn't crash.
+
+        * media/track/track-add-remove-cue-expected.txt:
+        * media/track/track-add-remove-cue.html:
+
 2012-11-06  Ken Buchanan  <[email protected]>
 
         Crash due to column span under button element

Modified: releases/WebKitGTK/webkit-1.10/LayoutTests/media/track/track-add-remove-cue-expected.txt (137076 => 137077)


--- releases/WebKitGTK/webkit-1.10/LayoutTests/media/track/track-add-remove-cue-expected.txt	2012-12-09 16:36:53 UTC (rev 137076)
+++ releases/WebKitGTK/webkit-1.10/LayoutTests/media/track/track-add-remove-cue-expected.txt	2012-12-09 17:10:17 UTC (rev 137077)
@@ -71,5 +71,13 @@
 
 *** Try to remove the cue again.
 TEST(testTrack.track.removeCue(textCue)) THROWS(DOMException.INVALID_STATE_ERR) OK
+
+*** Add a cue before all the existing cues.
+RUN(testTrack.track.addCue(new TextTrackCue(0, 31, 'I am first')))
+EXPECTED (cues[0].startTime == '0') OK
+EXPECTED (cues[0].endTime == '31') OK
+EXPECTED (cues[1].startTime == '0') OK
+EXPECTED (cues[1].endTime == '30.5') OK
+EXPECTED (cues[2].startTime == '31') OK
 END OF TEST
 

Modified: releases/WebKitGTK/webkit-1.10/LayoutTests/media/track/track-add-remove-cue.html (137076 => 137077)


--- releases/WebKitGTK/webkit-1.10/LayoutTests/media/track/track-add-remove-cue.html	2012-12-09 16:36:53 UTC (rev 137076)
+++ releases/WebKitGTK/webkit-1.10/LayoutTests/media/track/track-add-remove-cue.html	2012-12-09 17:10:17 UTC (rev 137077)
@@ -87,6 +87,13 @@
                 consoleWrite("<br>*** Try to remove the cue again.");
                 testException("testTrack.track.removeCue(textCue)", "DOMException.INVALID_STATE_ERR");
 
+                consoleWrite("<br>*** Add a cue before all the existing cues.");
+                run("testTrack.track.addCue(new TextTrackCue(0, 31, 'I am first'))");
+                testExpected("cues[0].startTime", 0);
+                testExpected("cues[0].endTime", 31);
+                testExpected("cues[1].startTime", 0);
+                testExpected("cues[1].endTime", 30.5);
+                testExpected("cues[2].startTime", 31);
                 endTest();
             }
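Review bot: The new case only exercises the crash path (inserting at index 0 of a non-empty list); it does not touch the duplicate-detection branch that sits behind the guarded comparison in TextTrackCueList::add, so a regression that skipped the duplicate check for a cue added at the front would pass this test unchanged. A follow-up step that re-adds the cue object just inserted (the one now at `cues[0]`) and then checks `cues.length` against its value before the call would pin that behaviour; the exact expectation depends on how TextTrack::addCue handles the `false` return from the list, which is not visible here. The enclosing script function starts before this hunk.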
 

Modified: releases/WebKitGTK/webkit-1.10/Source/WebCore/ChangeLog (137076 => 137077)


--- releases/WebKitGTK/webkit-1.10/Source/WebCore/ChangeLog	2012-12-09 16:36:53 UTC (rev 137076)
+++ releases/WebKitGTK/webkit-1.10/Source/WebCore/ChangeLog	2012-12-09 17:10:17 UTC (rev 137077)
@@ -1,3 +1,18 @@
+2012-11-06  Aaron Colwell  <[email protected]>
+
+        Heap-buffer-overflow in WebCore::TextTrackCueList::add
+        https://bugs.webkit.org/show_bug.cgi?id=101018
+
+        Reviewed by Eric Carlson.
+
+        Added an extra check to avoid using a negative array index when a cue
+        is added to the beginning of the list.
+
+        Test case added to LayoutTests/media/track/track-add-remove-cue.html.
+
+        * html/track/TextTrackCueList.cpp:
+        (WebCore::TextTrackCueList::add):
+
 2012-11-06  Ken Buchanan  <[email protected]>
 
         Crash due to column span under button element

Modified: releases/WebKitGTK/webkit-1.10/Source/WebCore/html/track/TextTrackCueList.cpp (137076 => 137077)


--- releases/WebKitGTK/webkit-1.10/Source/WebCore/html/track/TextTrackCueList.cpp	2012-12-09 16:36:53 UTC (rev 137076)
+++ releases/WebKitGTK/webkit-1.10/Source/WebCore/html/track/TextTrackCueList.cpp	2012-12-09 17:10:17 UTC (rev 137077)
@@ -92,12 +92,12 @@
     // http://www.whatwg.org/specs/web-apps/current-work/#text-track-cue-order
     RefPtr<TextTrackCue> cue = prpCue;
     if (start == end) {
-        if (!m_list.isEmpty() && (m_list[start - 1].get() == cue.get()))
+        if (!m_list.isEmpty() && (start > 0) && (m_list[start - 1].get() == cue.get()))
             return false;
 
-       m_list.insert(start, cue);
-       invalidateCueIndexes(start);
-       return true;
+        m_list.insert(start, cue);
+        invalidateCueIndexes(start);
+        return true;
     }
 
     size_t index = (start + end) / 2;
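Review bot: With the new `(start > 0)` guard on the duplicate check, the preceding `!m_list.isEmpty()` test is redundant whenever `start` is a valid insertion index (an index greater than zero implies a non-empty list), so the condition can be reduced to `if (start > 0 && m_list[start - 1].get() == cue.get())`. The guard stops the unsigned `start - 1` wrapping to SIZE_MAX, which is what produced the out-of-bounds read, but nothing in the hunk establishes `start <= m_list.size()` before `m_list[start - 1]` is read; that bound comes from the search below, which is outside the hunk, so an `ASSERT(start <= m_list.size());` ahead of the comparison would document the invariant the index relies on. When `start == 0` the duplicate check is now skipped entirely, so if the search can leave `start` at 0 for a cue equal to `m_list[0]` the same cue could be inserted twice; worth confirming against the search loop. TextTrackCueList::add starts and ends outside this hunk.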