Title: [192770] trunk
Revision
192770
Author
[email protected]
Date
2015-11-25 11:04:03 -0800 (Wed, 25 Nov 2015)

Log Message

Checks for buffer-overflows when reading characters from textRun
https://bugs.webkit.org/show_bug.cgi?id=151055
<rdar://problem/23251789>

Patch by Pranjal Jumde <[email protected]> on 2015-11-25
Reviewed by Myles C. Maxfield.

Source/WebCore:

Prevents an off by one error when adding the last font data to the GlyphBuffer.

* Source/WebCore/platform/graphics/WidthIterator.cpp:
* Source/WebCore/platform/graphics/FontCascade.cpp:

LayoutTests:

* dom/html/level1/core/151055_asan.html:
* dom/html/level1/core/151055_asan-expected.txt:

Diff

Modified: trunk/LayoutTests/ChangeLog (192769 => 192770)


--- trunk/LayoutTests/ChangeLog	2015-11-25 08:48:36 UTC (rev 192769)
+++ trunk/LayoutTests/ChangeLog	2015-11-25 19:04:03 UTC (rev 192770)
@@ -1,3 +1,14 @@
+2015-11-25  Pranjal Jumde  <[email protected]>
+
+        Checks for buffer-overflows when reading characters from textRun
+        https://bugs.webkit.org/show_bug.cgi?id=151055
+        <rdar://problem/23251789>
+
+        Reviewed by Myles C. Maxfield.
+
+        * dom/html/level1/core/151055_asan.html:
+        * dom/html/level1/core/151055_asan-expected.txt:
+
 2015-11-24  Commit Queue  <[email protected]>
 
         Unreviewed, rolling out r192536, r192722, and r192743.

Added: trunk/LayoutTests/dom/html/level1/core/151055_asan-expected.txt (0 => 192770)


--- trunk/LayoutTests/dom/html/level1/core/151055_asan-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/dom/html/level1/core/151055_asan-expected.txt	2015-11-25 19:04:03 UTC (rev 192770)
@@ -0,0 +1 @@
+This test passes if it doesn't crash. https://bugs.webkit.org/show_bug.cgi?id=151055 
Property changes on: trunk/LayoutTests/dom/html/level1/core/151055_asan-expected.txt
___________________________________________________________________

Added: svn:keywords

Added: svn:eol-style

Added: trunk/LayoutTests/dom/html/level1/core/151055_asan.html (0 => 192770)


--- trunk/LayoutTests/dom/html/level1/core/151055_asan.html	                        (rev 0)
+++ trunk/LayoutTests/dom/html/level1/core/151055_asan.html	2015-11-25 19:04:03 UTC (rev 192770)
@@ -0,0 +1,19 @@
+<style>
+    div {
+        width: 200px;
+        text-decoration: underline;
+    }
+</style>
+<div id="webtest8" style="direction: rtl; text-align: justify;">
+This test passes if it doesn't crash. https://bugs.webkit.org/show_bug.cgi?id=151055
+</div>
+
+<script>
+   if (window.testRunner)
+       testRunner.dumpAsText();
+   
+   var webtest8 = document.getElementById("webtest8")
+
+   webtest8.appendChild(document.createElement("image"));
+   webtest8.appendChild(document.createElement("textarea"));
+</script>
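Review bot: the test gives no hint which combination of features reaches the fixed code, so a future refactor could silently turn it into a no-op; add a short comment above the `<div>` stating that `text-align: justify` plus `text-decoration: underline` on an RTL run is what drives the leftover-justification glyph through the underline offset lookup, and that the appended children widen the run so a trailing justification glyph is emitted. Two smaller points: `var webtest8 = document.getElementById("webtest8")` is missing its semicolon, and `document.createElement("image")` yields an HTMLUnknownElement rather than an `<img>` (the `image`-to-`img` alias applies only in the HTML parser); if an image element was intended, use `"img"`, otherwise say in the comment that an unknown inline element is what the test wants.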

Modified: trunk/Source/WebCore/ChangeLog (192769 => 192770)


--- trunk/Source/WebCore/ChangeLog	2015-11-25 08:48:36 UTC (rev 192769)
+++ trunk/Source/WebCore/ChangeLog	2015-11-25 19:04:03 UTC (rev 192770)
@@ -1,3 +1,16 @@
+2015-11-25  Pranjal Jumde  <[email protected]>
+
+        Checks for buffer-overflows when reading characters from textRun
+        https://bugs.webkit.org/show_bug.cgi?id=151055
+        <rdar://problem/23251789>
+
+        Reviewed by Myles C. Maxfield.
+
+        Prevents an off by one error when adding the last font data to the GlyphBuffer.
+
+        * Source/WebCore/platform/graphics/WidthIterator.cpp:
+        * Source/WebCore/platform/graphics/FontCascade.cpp:
+
 2015-11-22  Andy Estes  <[email protected]>
 
         Teach MiniBrowser how to enable the mock content filter
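Review bot: the entry lists FontCascade.cpp as touched but describes only the WidthIterator change ("Prevents an off by one error ..."); add a sentence explaining why an ASSERT_WITH_SECURITY_IMPLICATION is being introduced in the underline-type lookup, and what out-of-range `offsetInString` it is meant to catch, so the ChangeLog documents both halves of the patch.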

Modified: trunk/Source/WebCore/platform/graphics/FontCascade.cpp (192769 => 192770)


--- trunk/Source/WebCore/platform/graphics/FontCascade.cpp	2015-11-25 08:48:36 UTC (rev 192769)
+++ trunk/Source/WebCore/platform/graphics/FontCascade.cpp	2015-11-25 19:04:03 UTC (rev 192770)
@@ -1154,6 +1154,7 @@
 
     if (offsetInString == GlyphBuffer::noOffset || offsetInString >= textRun.length()) {
         // We have no idea which character spawned this glyph. Bail.
+        ASSERT_WITH_SECURITY_IMPLICATION(offsetInString < textRun.length());
         return GlyphToPathTranslator::GlyphUnderlineType::DrawOverGlyph;
     }
     
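Review bot: the new `ASSERT_WITH_SECURITY_IMPLICATION(offsetInString < textRun.length())` is the negation of half the enclosing `if` condition, so in debug builds it fires every time this branch is entered through an out-of-range offset, and it will also fire on the `offsetInString == GlyphBuffer::noOffset` path whenever the `noOffset` sentinel is not smaller than `textRun.length()`, which turns the comment's intended "Bail" into a crash for a glyph that legitimately has no source character. If the goal is to keep `noOffset` as a graceful exit and only flag offsets that escaped from callers such as WidthIterator, assert `offsetInString == GlyphBuffer::noOffset` instead (or guard the assertion with `if (offsetInString != GlyphBuffer::noOffset)`), and keep the early `return` as the release-build defense.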

Modified: trunk/Source/WebCore/platform/graphics/WidthIterator.cpp (192769 => 192770)


--- trunk/Source/WebCore/platform/graphics/WidthIterator.cpp	2015-11-25 08:48:36 UTC (rev 192769)
+++ trunk/Source/WebCore/platform/graphics/WidthIterator.cpp	2015-11-25 19:04:03 UTC (rev 192770)
@@ -400,9 +400,9 @@
 
     if (leftoverJustificationWidth) {
         if (m_forTextEmphasis)
-            glyphBuffer->add(lastFontData->zeroWidthSpaceGlyph(), lastFontData, leftoverJustificationWidth, m_run.length());
+            glyphBuffer->add(lastFontData->zeroWidthSpaceGlyph(), lastFontData, leftoverJustificationWidth, m_run.length() - 1);
         else
-            glyphBuffer->add(lastFontData->spaceGlyph(), lastFontData, leftoverJustificationWidth, m_run.length());
+            glyphBuffer->add(lastFontData->spaceGlyph(), lastFontData, leftoverJustificationWidth, m_run.length() - 1);
     }
 
     auto transformsType = shouldApplyFontTransforms(glyphBuffer, lastGlyphCount, previousCharacter);
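Review bot: `m_run.length() - 1` is an unsigned subtraction and underflows to the maximum value when the run is empty; if `leftoverJustificationWidth` can only be non-zero for a run with at least one character, record that with `ASSERT(m_run.length())` just above the two `add` calls, otherwise guard the subtraction explicitly. A one-line comment saying that the trailing justification glyph is attributed to the last character of the run (hence `length() - 1` rather than `length()`, which indexes one past the end) would also make the off-by-one fix self-explanatory to the next reader.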