Title: [139213] trunk/Source/WebCore
- Revision: 139213
- Author: infe...@chromium.org
- Date: 2013-01-09 11:08:58 -0800 (Wed, 09 Jan 2013)
Log Message
Mitigate out-of-bounds access in InlineIterator
https://bugs.webkit.org/show_bug.cgi?id=104812
Reviewed by Levi Weintraub.
Share code between InlineIterator::current and InlineIterator::previousInSameNode,
thereby checking for access outside text renderer's length.
* rendering/InlineIterator.h:
(InlineIterator):
(WebCore::InlineIterator::characterAt):
(WebCore):
(WebCore::InlineIterator::current):
(WebCore::InlineIterator::previousInSameNode):
Modified Paths
Diff
Modified: trunk/Source/WebCore/ChangeLog (139212 => 139213)
--- trunk/Source/WebCore/ChangeLog 2013-01-09 19:06:34 UTC (rev 139212)
+++ trunk/Source/WebCore/ChangeLog 2013-01-09 19:08:58 UTC (rev 139213)
@@ -1,3 +1,20 @@
+2013-01-09 Abhishek Arya <infe...@chromium.org>
+
+ Mitigate out-of-bounds access in InlineIterator
+ https://bugs.webkit.org/show_bug.cgi?id=104812
+
+ Reviewed by Levi Weintraub.
+
+ Share code between InlineIterator::current and InlineIterator::previousInSameNode,
+ thereby checking for access outside text renderer's length.
+
+ * rendering/InlineIterator.h:
+ (InlineIterator):
+ (WebCore::InlineIterator::characterAt):
+ (WebCore):
+ (WebCore::InlineIterator::current):
+ (WebCore::InlineIterator::previousInSameNode):
+
2013-01-09 Yongjun Zhang <yongjun_zh...@apple.com>
If ImageLoader's loadEventSender or errorEventSender fires after document is detached, the document will be leaked.
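Review bot: The ChangeLog entry lists only rendering/InlineIterator.h and no test, so the out-of-bounds case that motivated the change (an index at or past textLength() reached through previousInSameNode) has no regression coverage recorded here; if a layout test or fuzzed page reproduces the report tracked in https://bugs.webkit.org/show_bug.cgi?id=104812, listing it under the entry would document what the bounds check protects.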
Modified: trunk/Source/WebCore/rendering/InlineIterator.h (139212 => 139213)
--- trunk/Source/WebCore/rendering/InlineIterator.h 2013-01-09 19:06:34 UTC (rev 139212)
+++ trunk/Source/WebCore/rendering/InlineIterator.h 2013-01-09 19:08:58 UTC (rev 139213)
@@ -85,6 +85,7 @@
return (m_obj && m_obj->isBR()) || atTextParagraphSeparator();
}
+ UChar characterAt(unsigned) const;
UChar current() const;
UChar previousInSameNode() const;
ALWAYS_INLINE WTF::Unicode::Direction direction() const;
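Review bot: The new declaration `UChar characterAt(unsigned) const;` carries no comment on its contract, and its return value of 0 is overloaded (non-text renderer, index at or beyond the text length, or a genuine U+0000 in the text); a one-line note here stating that 0 is the sentinel for "no character at this index" would make the clamping behaviour visible to callers of current() and previousInSameNode() without reading the definition.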
@@ -352,25 +353,29 @@
return !m_obj;
}
-inline UChar InlineIterator::current() const
+inline UChar InlineIterator::characterAt(unsigned index) const
{
if (!m_obj || !m_obj->isText())
return 0;
RenderText* text = toRenderText(m_obj);
- if (m_pos >= text->textLength())
+ if (index >= text->textLength())
return 0;
- return text->characterAt(m_pos);
+ return text->characterAt(index);
}
+inline UChar InlineIterator::current() const
+{
+ return characterAt(m_pos);
+}
+
inline UChar InlineIterator::previousInSameNode() const
{
- if (!m_obj || !m_obj->isText() || !m_pos)
+ if (!m_pos)
return 0;
- RenderText* text = toRenderText(m_obj);
- return text->characterAt(m_pos - 1);
+ return characterAt(m_pos - 1);
}
ALWAYS_INLINE WTF::Unicode::Direction InlineIterator::direction() const
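Review bot: In previousInSameNode the early `if (!m_pos) return 0;` must remain ahead of `return characterAt(m_pos - 1);`, because the parameter is `unsigned` and an m_pos of 0 would wrap to UINT_MAX before reaching characterAt's `index >= text->textLength()` test; the guard is kept, so the logic is sound. The real fix is that `m_pos - 1` is now bounds-checked against textLength() at all, which the removed `text->characterAt(m_pos - 1)` never was; collapsing the m_obj and isText() checks into characterAt also removes the duplicated preconditions that let the two paths drift apart.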
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo/webkit-changes