Title: [198418] branches/safari-601.1.46-branch
- Revision
- 198418
- Author
- [email protected]
- Date
- 2016-03-18 09:02:27 -0700 (Fri, 18 Mar 2016)
Log Message
Merged r192499. rdar://problem/25234899
Diff
Modified: branches/safari-601.1.46-branch/LayoutTests/ChangeLog (198417 => 198418)
--- branches/safari-601.1.46-branch/LayoutTests/ChangeLog 2016-03-18 16:00:55 UTC (rev 198417)
+++ branches/safari-601.1.46-branch/LayoutTests/ChangeLog 2016-03-18 16:02:27 UTC (rev 198418)
@@ -1,5 +1,20 @@
2016-03-18 Babak Shafiei <[email protected]>
+ Merge r192499.
+
+ 2015-11-16 Pranjal Jumde <[email protected]>
+
+ Checks for buffer-overflows when reading characters from textRun
+ https://bugs.webkit.org/attachment.cgi?bugid=151055
+ <rdar://problem/23251789>
+
+ Reviewed by Brent Fulgham.
+
+ * webgl/1.0.3/151055_asan-expected.txt
+ * webgl/1.0.3/151055_asan.html
+
+2016-03-18 Babak Shafiei <[email protected]>
+
Merge r192252.
2015-11-10 Zalan Bujtas <[email protected]>
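Review bot: the bug link in the merged LayoutTests entry, `https://bugs.webkit.org/attachment.cgi?bugid=151055`, points at the attachment listing rather than the bug report; the test file added in this same commit uses `https://bugs.webkit.org/show_bug.cgi?id=151055`, and the ChangeLog should use that form so the entry resolves to the bug.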
Copied: branches/safari-601.1.46-branch/LayoutTests/webgl/1.0.3/151055_asan-expected.txt (from rev 198406, branches/safari-601-branch/LayoutTests/webgl/1.0.3/151055_asan-expected.txt) (0 => 198418)
--- branches/safari-601.1.46-branch/LayoutTests/webgl/1.0.3/151055_asan-expected.txt (rev 0)
+++ branches/safari-601.1.46-branch/LayoutTests/webgl/1.0.3/151055_asan-expected.txt 2016-03-18 16:02:27 UTC (rev 198418)
@@ -0,0 +1 @@
+This test passes if it doesn't crash. https://bugs.webkit.org/show_bug.cgi?id=151055.
Copied: branches/safari-601.1.46-branch/LayoutTests/webgl/1.0.3/151055_asan.html (from rev 198406, branches/safari-601-branch/LayoutTests/webgl/1.0.3/151055_asan.html) (0 => 198418)
--- branches/safari-601.1.46-branch/LayoutTests/webgl/1.0.3/151055_asan.html (rev 0)
+++ branches/safari-601.1.46-branch/LayoutTests/webgl/1.0.3/151055_asan.html 2016-03-18 16:02:27 UTC (rev 198418)
@@ -0,0 +1,28 @@
+<style>
+ div {
+ width: 200px;
+ font-size: 20px;
+ text-decoration: underline;
+ }
+</style>
+<div id="webtest8" style="direction: rtl; text-align: justify;">
+This test passes if it doesn't crash. https://bugs.webkit.org/show_bug.cgi?id=151055.
+</div>
+<script>
+
+function webtest_fn_3() {
+ if (window.testRunner)
+ testRunner.dumpAsText();
+
+ var canvas = document.createElement("canvas");
+ gl = canvas.getContext("webgl");
+
+ try {
+ gl.isBuffer(document.getElementById("webtest8").appendChild(document.createElement("image")).createBuffer())
+ }
+ catch(er) { };
+
+ gl.viewport(document.getElementById("webtest8").appendChild(document.createElement("textarea")).cols, 0, 0, 32769);
+}
+webtest_fn_3();
+</script>
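Review bot: `gl = canvas.getContext("webgl");` assigns to an undeclared identifier and so creates an implicit global, and `getContext` returns null where WebGL is unavailable, in which case the `gl.viewport(...)` call outside the try block throws an uncaught TypeError; that surfaces as a console message in the dumped text and would no longer match the single-line expectation. Declare it with `var gl` and return early with `if (!gl) return;` so the DOM mutations inside the underlined, justified RTL div still run regardless of WebGL support. The stray `;` after `catch(er) { }` is harmless but should be dropped.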
Modified: branches/safari-601.1.46-branch/Source/WebCore/ChangeLog (198417 => 198418)
--- branches/safari-601.1.46-branch/Source/WebCore/ChangeLog 2016-03-18 16:00:55 UTC (rev 198417)
+++ branches/safari-601.1.46-branch/Source/WebCore/ChangeLog 2016-03-18 16:02:27 UTC (rev 198418)
@@ -1,5 +1,19 @@
2016-03-18 Babak Shafiei <[email protected]>
+ Merge r192499.
+
+ 2015-11-16 Pranjal Jumde <[email protected]>
+
+ Fixes the buffer-overflow when reading characters from textRun
+ https://bugs.webkit.org/attachment.cgi?bugid=151055
+ <rdar://problem/23251789>
+
+ Reviewed by Brent Fulgham.
+
+ * platform/graphics/FontCascade.cpp
+
+2016-03-18 Babak Shafiei <[email protected]>
+
Merge r192252.
2015-11-10 Zalan Bujtas <[email protected]>
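Review bot: the merged WebCore entry lists `* platform/graphics/FontCascade.cpp` with no function annotation and no description of what changed; WebKit ChangeLog convention is to name the affected function and state the change, here that the glyph-to-character lookup now bails out when the glyph's string offset is at or beyond `textRun.length()`.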
Modified: branches/safari-601.1.46-branch/Source/WebCore/platform/graphics/FontCascade.cpp (198417 => 198418)
--- branches/safari-601.1.46-branch/Source/WebCore/platform/graphics/FontCascade.cpp 2016-03-18 16:00:55 UTC (rev 198417)
+++ branches/safari-601.1.46-branch/Source/WebCore/platform/graphics/FontCascade.cpp 2016-03-18 16:02:27 UTC (rev 198418)
@@ -1170,7 +1170,7 @@
UChar32 baseCharacter;
unsigned offsetInString = glyphBuffer.offsetInString(index);
- if (offsetInString == GlyphBuffer::noOffset) {
+ if (offsetInString == GlyphBuffer::noOffset || offsetInString >= textRun.length()) {
// We have no idea which character spawned this glyph. Bail.
return GlyphToPathTranslator::GlyphUnderlineType::DrawOverGlyph;
}
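Review bot: the comment `// We have no idea which character spawned this glyph. Bail.` now only describes half of the condition; with `offsetInString >= textRun.length()` added, update it to say that an offset at or past the end of the run is also treated as unknown so the character lookup that follows cannot read past the run. The comparison itself is safe since `offsetInString` is declared `unsigned` and `length()` is unsigned, but an offset beyond the run means the glyph buffer and the text run disagree, so consider an ASSERT on that branch in debug builds so the inconsistency is reported rather than only its symptom being masked.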