Title: [104216] branches/safari-534.54-branch/Source/WebCore
Revision
104216
Author
[email protected]
Date
2012-01-05 14:03:04 -0800 (Thu, 05 Jan 2012)

Log Message

Merged r98374.

Modified Paths

Diff

Modified: branches/safari-534.54-branch/Source/WebCore/ChangeLog (104215 => 104216)


--- branches/safari-534.54-branch/Source/WebCore/ChangeLog	2012-01-05 22:01:31 UTC (rev 104215)
+++ branches/safari-534.54-branch/Source/WebCore/ChangeLog	2012-01-05 22:03:04 UTC (rev 104216)
@@ -1,5 +1,19 @@
 2011-1-5  Lucas Forschler  <[email protected]>
 
+    Merge 98374
+
+    2011-10-25  Chris Evans  <[email protected]>
+
+            Manage the CSS property array length correctly
+            https://bugs.webkit.org/show_bug.cgi?id=70783
+
+            Reviewed by Adam Barth.
+
+            * css/CSSParser.cpp:
+            (WebCore::CSSParser::addProperty): don't allow max length to get out of sync with the buffer.
+
+2011-1-5  Lucas Forschler  <[email protected]>
+
     Merge 98344
 
     2011-10-25  Justin Schuh  <[email protected]>

Modified: branches/safari-534.54-branch/Source/WebCore/css/CSSParser.cpp (104215 => 104216)


--- branches/safari-534.54-branch/Source/WebCore/css/CSSParser.cpp	2012-01-05 22:01:31 UTC (rev 104215)
+++ branches/safari-534.54-branch/Source/WebCore/css/CSSParser.cpp	2012-01-05 22:03:04 UTC (rev 104216)
@@ -583,9 +583,9 @@
 {
     OwnPtr<CSSProperty> prop(adoptPtr(new CSSProperty(propId, value, important, m_currentShorthand, m_implicitShorthand)));
     if (m_numParsedProperties >= m_maxParsedProperties) {
+        if (m_numParsedProperties > (UINT_MAX / sizeof(CSSProperty*)) - 32)
+            CRASH();  // Avoid inconsistencies with rollbackLastProperties.
         m_maxParsedProperties += 32;
-        if (m_maxParsedProperties > UINT_MAX / sizeof(CSSProperty*))
-            return;
         m_parsedProperties = static_cast<CSSProperty**>(fastRealloc(m_parsedProperties,
             m_maxParsedProperties * sizeof(CSSProperty*)));
     }
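Review bot: The comment on the added `CRASH()` names rollbackLastProperties but not the invariant being protected, which per the ChangeLog entry is that the maximum length must not get out of sync with the buffer. The removed lines show the old path bumping m_maxParsedProperties and then returning before fastRealloc, so a reader of the new code alone cannot tell why crashing is preferred to returning; I would write `// Crash instead of returning: capacity must never be raised without reallocating the buffer.` The guard tests m_numParsedProperties while the increment and multiplication act on m_maxParsedProperties, which bounds the latter only through the enclosing `>=` condition. An `ASSERT(m_numParsedProperties <= m_maxParsedProperties);` ahead of the check would record the expected relationship. The function's signature and the store into m_parsedProperties are outside the hunk, so that should be confirmed against the full body.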