Title: [95215] branches/safari-534.51-branch/Source/WebCore
- Revision
- 95215
- Author
- mr...@apple.com
- Date
- 2011-09-15 12:39:51 -0700 (Thu, 15 Sep 2011)
Log Message
Merge r88139.
Modified Paths
Diff
Modified: branches/safari-534.51-branch/Source/WebCore/ChangeLog (95214 => 95215)
--- branches/safari-534.51-branch/Source/WebCore/ChangeLog 2011-09-15 19:32:12 UTC (rev 95214)
+++ branches/safari-534.51-branch/Source/WebCore/ChangeLog 2011-09-15 19:39:51 UTC (rev 95215)
@@ -1,5 +1,35 @@
2011-09-15 Mark Rowe <mr...@apple.com>
+ Merge r88139.
+
+ 2011-06-04 Abhishek Arya <infe...@chromium.org>
+
+ Reviewed by Kent Tamura.
+
+ Add some asserts for array boundary checks in TextRun. Fix
+ an integer issue in linux text controller code.
+ https://bugs.webkit.org/show_bug.cgi?id=62085
+
+ Testing ComplexTextControllerLinux change requires a testcase
+ > 32 kb which is not feasible. All other changes are tested by
+ existing layouttests.
+
+ * platform/graphics/TextRun.h:
+ (WebCore::TextRun::operator[]): add assert.
+ (WebCore::TextRun::data): add assert.
+ * platform/graphics/WidthIterator.cpp:
+ (WebCore::WidthIterator::advance): bail early and prevent access
+ to one byte across the text run boundary.
+ * platform/graphics/chromium/ComplexTextControllerLinux.cpp:
+ (WebCore::ComplexTextController::getNormalizedTextRun): wrong
+ int16 vs int comparison.
+ * rendering/svg/SVGTextRunRenderingContext.cpp:
+ (WebCore::SVGTextRunWalker::walk): bail early when from and to
+ is outside the text run boundary. this hit easily after adding
+ the assert when from = to = end and read in run.data(from).
+
+2011-09-15 Mark Rowe <mr...@apple.com>
+
Merge r90568.
2011-07-07 Julien Chaffraix <jchaffr...@webkit.org>
Modified: branches/safari-534.51-branch/Source/WebCore/platform/graphics/TextRun.h (95214 => 95215)
--- branches/safari-534.51-branch/Source/WebCore/platform/graphics/TextRun.h 2011-09-15 19:32:12 UTC (rev 95214)
+++ branches/safari-534.51-branch/Source/WebCore/platform/graphics/TextRun.h 2011-09-15 19:39:51 UTC (rev 95215)
@@ -83,8 +83,8 @@
{
}
- UChar operator[](int i) const { return m_characters[i]; }
- const UChar* data(int i) const { return &m_characters[i]; }
+ UChar operator[](int i) const { ASSERT(i >= 0 && i < m_len); return m_characters[i]; }
+ const UChar* data(int i) const { ASSERT(i >= 0 && i < m_len); return &m_characters[i]; }
const UChar* characters() const { return m_characters; }
int length() const { return m_len; }
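Review bot: The bounds checks added to `operator[]` and `data()` are `ASSERT`s, so they only fire in debug builds; in release builds both still index `m_characters` unchecked, and the early returns in the WidthIterator and SVGFont hunks of this commit are the only thing keeping those callers in range there. Worth noting in the header, because a reader may take the `ASSERT` for a release-build guard. A second consequence: `data(i)` now rejects `i == m_len`, which used to be a legal one-past-the-end pointer for an empty range at the end of the run, which is why the SVGFont walker had to start bailing first. If that is intended, say so next to `data()`: `// Debug-only check; i == m_len (one past the end) is deliberately rejected, callers must handle an empty range at the end themselves.`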
Modified: branches/safari-534.51-branch/Source/WebCore/platform/graphics/WidthIterator.cpp (95214 => 95215)
--- branches/safari-534.51-branch/Source/WebCore/platform/graphics/WidthIterator.cpp 2011-09-15 19:32:12 UTC (rev 95214)
+++ branches/safari-534.51-branch/Source/WebCore/platform/graphics/WidthIterator.cpp 2011-09-15 19:39:51 UTC (rev 95215)
@@ -80,6 +80,9 @@
offset = m_end;
int currentCharacter = m_currentCharacter;
+ if (currentCharacter >= offset)
+ return;
+
const UChar* cp = m_run.data(currentCharacter);
bool rtl = m_run.rtl();
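Review bot: The new guard returns silently with no comment explaining that it exists to keep `m_run.data(currentCharacter)` on the next line from being asked for an index at or past the end of the run, where the newly added `ASSERT` in TextRun.h would fire; a one-line comment would preserve that intent: `// Nothing left to advance over; bail before m_run.data() is asked for an index at or past the end of the run.`. The guard uses `>=`, so a `currentCharacter` strictly greater than `offset` is also accepted quietly; if that state is never expected, an `ASSERT(currentCharacter <= offset);` ahead of the guard would keep the invariant visible in debug builds without changing release behaviour. The body of `advance()` starts and ends outside this hunk, so I cannot tell from here whether any state updated later in the function is expected by callers even when nothing is consumed.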
Modified: branches/safari-534.51-branch/Source/WebCore/platform/graphics/chromium/ComplexTextControllerLinux.cpp (95214 => 95215)
--- branches/safari-534.51-branch/Source/WebCore/platform/graphics/chromium/ComplexTextControllerLinux.cpp 2011-09-15 19:32:12 UTC (rev 95214)
+++ branches/safari-534.51-branch/Source/WebCore/platform/graphics/chromium/ComplexTextControllerLinux.cpp 2011-09-15 19:39:51 UTC (rev 95215)
@@ -367,7 +367,7 @@
icu::UnicodeString normalizedString;
UErrorCode error = U_ZERO_ERROR;
- for (int16_t i = 0; i < originalRun.length(); ++i) {
+ for (int i = 0; i < originalRun.length(); ++i) {
UChar ch = originalRun[i];
if (::ublock_getCode(ch) == UBLOCK_COMBINING_DIACRITICAL_MARKS) {
icu::Normalizer::normalize(icu::UnicodeString(originalRun.characters(),
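Review bot: With the old `int16_t i`, a run of 32768 or more characters made `++i` wrap to a negative value before ever reaching `originalRun.length()`, so `originalRun[i]` on the next line read before the start of the run; declaring `i` as `int` to match the return type of `length()` removes that, and the ChangeLog's note that the >32 KB test case is not feasible as a layout test leaves the regression uncovered. A small unit-level check of the loop bound, rather than a layout test, would close that gap if this code has such a harness. As a point of style, `originalRun.length()` is re-evaluated on every iteration; hoisting it as `const int length = originalRun.length();` and looping `for (int i = 0; i < length; ++i)` reads more clearly and documents that the bound is fixed. The rest of the loop body lies outside the hunk, so I cannot see whether `i` is used elsewhere with a 16-bit type.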
Modified: branches/safari-534.51-branch/Source/WebCore/svg/SVGFont.cpp (95214 => 95215)
--- branches/safari-534.51-branch/Source/WebCore/svg/SVGFont.cpp 2011-09-15 19:32:12 UTC (rev 95214)
+++ branches/safari-534.51-branch/Source/WebCore/svg/SVGFont.cpp 2011-09-15 19:39:51 UTC (rev 95215)
@@ -90,7 +90,8 @@
void walk(const TextRun& run, bool isVerticalText, const String& language, int from, int to)
{
- ASSERT(0 <= from && from <= to && to - from <= run.length());
+ if (from < 0 || to < 0 || from > to || from >= run.length() || to > run.length())
+ return;
const String text = Font::normalizeSpaces(run.data(from), to - from);
Vector<SVGGlyph::ArabicForm> chars(charactersWithArabicForm(text, run.rtl()));
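Review bot: Replacing the `ASSERT` with a silent `return` makes a genuine caller bug (a negative `from`, `from > to`, or `to` past the run) indistinguishable in debug builds from the range the ChangeLog says is hit in practice, `from == to == run.length()`, which is simply empty. Keeping the two apart preserves the debug signal while still protecting release builds: `if (from < 0 || from > to || to > run.length()) { ASSERT_NOT_REACHED(); return; }` followed by `if (from >= run.length()) return;`. The `to < 0` test in the new condition is redundant, since `from >= 0` together with `from <= to` already implies it. `walk()` begins in this hunk but its body continues past it, so the effect of returning before the glyph loop on any later state is not visible here.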