Title: [112723] trunk
- Revision
- 112723
- Author
- [email protected]
- Date
- 2012-03-30 13:55:48 -0700 (Fri, 30 Mar 2012)
Log Message
Fix defective size_t overflow in GestureTapHighlighter.
https://bugs.webkit.org/show_bug.cgi?id=82605
Patch by Zalan Bujtas <[email protected]> on 2012-03-30
Reviewed by Kenneth Rohde Christiansen.
.:
* ManualTests/tap-gesture-in-iframe-with-tap-highlight-crash.html: Added.
Source/WebCore:
In pathForRenderer, the for loop has 'i < rects().size() - 1' as test expression,
where rects().size() returns size_t.
In case of empty rect, it leads to unsigned int overflow. Overflow value makes
the associated for loop run with invalid values.
Fix it by making the loop variable int and stop using the size_t type in the test expression.
Also, return early if no focus ring is found.
Manual test added. Tap gesture highlighter is getting triggered by UI process.
* page/GestureTapHighlighter.cpp:
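The following is an added example, not code from the commit or from WebKit. It isolates the defect the log message describes: computing `rects.size() - 1` in `size_t` for an empty vector wraps to `SIZE_MAX`, so a loop bounded by it would index far past the end. The `Rect` type is a constructed stand-in for `LayoutRect` (hypothetical, only the union operation the loop needs), and the hardened merge writes the condition as `i + 1 < size()` so the subtraction never happens and no narrowing to `int` is needed; that goes slightly beyond the patch, which keeps the subtraction and relies on the early return.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <vector>

// Constructed stand-in for WebCore's LayoutRect (not WebKit code): only the
// union operation the highlighter loop needs.
struct Rect {
    int x = 0, y = 0, w = 0, h = 0;
    bool isEmpty() const { return w <= 0 || h <= 0; }
    void uniteIfNonZero(const Rect& r) {
        if (r.isEmpty())
            return;
        if (isEmpty()) {
            *this = r;
            return;
        }
        int right = std::max(x + w, r.x + r.w);
        int bottom = std::max(y + h, r.y + r.h);
        x = std::min(x, r.x);
        y = std::min(y, r.y);
        w = right - x;
        h = bottom - y;
    }
};

// Constructed sample input: n rects stacked vertically, rect i is (0, 10*i, 10, 10).
static std::vector<Rect> makeRects(size_t n) {
    std::vector<Rect> rects;
    for (size_t i = 0; i < n; ++i)
        rects.push_back(Rect{0, static_cast<int>(10 * i), 10, 10});
    return rects;
}

// The defective bound from the original loop, 'i < rects.size() - 1': the
// subtraction is done in size_t, so an empty vector yields SIZE_MAX rather
// than -1, and a loop using it would read well past the end of the vector.
size_t defectiveLoopBound(size_t rectCount) {
    return rectCount - 1;
}

// Hardened middle-rect merge. The early return mirrors the patch; the
// condition 'i + 1 < size()' avoids the subtraction entirely, so no
// wraparound is possible and the loop variable can stay size_t.
// Returns the number of middle rects merged into 'mid'.
size_t mergeMiddleRects(const std::vector<Rect>& rects, Rect& mid) {
    mid = Rect{};
    if (rects.empty())
        return 0;
    size_t merged = 0;
    for (size_t i = 1; i + 1 < rects.size(); ++i) {
        mid.uniteIfNonZero(rects[i]);
        ++merged;
    }
    return merged;
}

// Number of middle rects merged for a stack of rectCount sample rects.
size_t mergedCountFor(size_t rectCount) {
    Rect mid;
    return mergeMiddleRects(makeRects(rectCount), mid);
}

// Height of the merged middle box for rectCount sample rects (0 if none merged).
int mergedHeightFor(size_t rectCount) {
    Rect mid;
    mergeMiddleRects(makeRects(rectCount), mid);
    return mid.h;
}
```

Vectors of size 0, 1 and 2 all have no middle rects and must merge nothing; only from three rects onward does the loop body run. Writing the bound without subtraction keeps that property for every size without relying on an implementation-defined `size_t` to `int` conversion.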
Diff
Modified: trunk/ChangeLog (112722 => 112723)
--- trunk/ChangeLog 2012-03-30 20:55:47 UTC (rev 112722)
+++ trunk/ChangeLog 2012-03-30 20:55:48 UTC (rev 112723)
@@ -1,3 +1,12 @@
+2012-03-30 Zalan Bujtas <[email protected]>
+
+ Fix defective size_t overflow in GestureTapHighlighter.
+ https://bugs.webkit.org/show_bug.cgi?id=82605
+
+ Reviewed by Kenneth Rohde Christiansen.
+
+ * ManualTests/tap-gesture-in-iframe-with-tap-highlight-crash.html: Added.
+
2012-03-30 David Barr <[email protected]>
Split up top-level .gitignore and .gitattributes
Added: trunk/ManualTests/tap-gesture-in-iframe-with-tap-highlight-crash.html (0 => 112723)
--- trunk/ManualTests/tap-gesture-in-iframe-with-tap-highlight-crash.html (rev 0)
+++ trunk/ManualTests/tap-gesture-in-iframe-with-tap-highlight-crash.html 2012-03-30 20:55:48 UTC (rev 112723)
@@ -0,0 +1,12 @@
+<html>
+<body>
+ <p>This test verifies that touch gesture on an iframe does not crash when tap highlighting is on.</p>
+ <p style='color:green'>Tapping on the iframe should not crash.</p>
+ <iframe src=''>
+ </iframe>
+</body>
+</html>
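Review bot: the manual test gives a tester no way to satisfy its own precondition. The line `+ <p>This test verifies that touch gesture on an iframe does not crash when tap highlighting is on.</p>` assumes tap highlighting is enabled, and the log message says the highlighter is driven by the UI process, so the page should state which port or setting turns it on and what gesture to perform; otherwise a pass here may just mean the code path never ran.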
Modified: trunk/Source/WebCore/ChangeLog (112722 => 112723)
--- trunk/Source/WebCore/ChangeLog 2012-03-30 20:55:47 UTC (rev 112722)
+++ trunk/Source/WebCore/ChangeLog 2012-03-30 20:55:48 UTC (rev 112723)
@@ -1,3 +1,21 @@
+2012-03-30 Zalan Bujtas <[email protected]>
+
+ Fix defective size_t overflow in GestureTapHighlighter.
+ https://bugs.webkit.org/show_bug.cgi?id=82605
+
+ Reviewed by Kenneth Rohde Christiansen.
+
+ In pathForRenderer, the for loop has 'i < rects().size() - 1' as test _expression_,
+ where rects().size() returns with size_t.
+ In case of empty rect, it leads to unsigned int overflow. Overflow value makes
+ the associated for loop run with invalid values.
+ Fix it by making loop variable int and stop using size_t type in the test _expression_.
+ Also, return early, if no focus ring found.
+
+ Manual test added. Tap gesture highlighter is getting triggered by UI process.
+
+ * page/GestureTapHighlighter.cpp:
+
2012-03-30 Mark Pilgrim <[email protected]>
GEOLOCATION should be implemented as Page Supplement
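Review bot: the wording `+ In case of empty rect, it leads to unsigned int overflow.` is imprecise: `rects().size()` is a `size_t`, and `0 - 1` on an unsigned type is well-defined modular wraparound to `SIZE_MAX`, which is what makes the loop read past the end. It is worth stating this precisely, and also stating that the early return on an empty vector is the change that makes the bound safe, since `int end = rects.size() - 1` is a narrowing conversion rather than a fix on its own.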
Modified: trunk/Source/WebCore/page/GestureTapHighlighter.cpp (112722 => 112723)
--- trunk/Source/WebCore/page/GestureTapHighlighter.cpp 2012-03-30 20:55:47 UTC (rev 112722)
+++ trunk/Source/WebCore/page/GestureTapHighlighter.cpp 2012-03-30 20:55:48 UTC (rev 112723)
@@ -143,12 +143,19 @@
Vector<IntRect> rects;
o->addFocusRingRects(rects, /* acc. offset */ ownerFrameToMainFrameOffset(o));
+ if (rects.isEmpty())
+ return path;
+
// The basic idea is to allow up to three different boxes in order to highlight
// text with line breaks more nicer than using a bounding box.
// Merge all center boxes (all but the first and the last).
LayoutRect mid;
- for (size_t i = 1; i < rects.size() - 1; ++i)
+
+ // Set the end value to integer. It ensures that no unsigned int overflow occurs
+ // in the test _expression_, in case of empty rects vector.
+ int end = rects.size() - 1;
+ for (int i = 1; i < end; ++i)
mid.uniteIfNonZero(rects.at(i));
Vector<LayoutRect> drawableRects;
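Review bot: once the early return on `rects.isEmpty()` is in place, `rects.size() - 1` is at least 0 and can no longer wrap, so the switch to `int end` is redundant, and the line `+ int end = rects.size() - 1;` adds a `size_t` to `int` narrowing conversion that truncates for large vectors and will draw sign-compare or conversion warnings. Suggest keeping `size_t` and writing the condition without a subtraction, `for (size_t i = 1; i + 1 < rects.size(); ++i)`, and trimming the comment starting `+ // Set the end value to integer.` to match.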