Title: [165123] branches/safari-537.75-branch

Diff

Modified: branches/safari-537.75-branch/LayoutTests/ChangeLog (165122 => 165123)


--- branches/safari-537.75-branch/LayoutTests/ChangeLog	2014-03-05 21:13:56 UTC (rev 165122)
+++ branches/safari-537.75-branch/LayoutTests/ChangeLog	2014-03-05 21:25:38 UTC (rev 165123)
@@ -1,5 +1,26 @@
 2014-03-05  Matthew Hanson  <[email protected]>
 
+        Merge r163465.
+
+    2014-02-04  Myles C. Maxfield  <[email protected]>
+
+            Move characterAt index checks from InlineIterator to RenderText
+            https://bugs.webkit.org/show_bug.cgi?id=128224
+
+            Move characterAt index checks from InlineIterator to RenderText
+            so that all RenderText calls are covered. Few safe instances are
+            now covered with uncheckedCharacterAt.
+
+            Merged from Blink:
+            http://src.chromium.org/viewvc/blink?view=revision&revision=150830
+
+            Reviewed by Simon Fraser.
+
+            * fast/text/character-at-crash-expected.txt: Added.
+            * fast/text/character-at-crash.html: Added.
+
+2014-03-05  Matthew Hanson  <[email protected]>
+
         Merge r164933.
 
     2014-03-01  David Kilzer  <[email protected]>

Copied: branches/safari-537.75-branch/LayoutTests/fast/text/character-at-crash-expected.txt (from rev 163465, trunk/LayoutTests/fast/text/character-at-crash-expected.txt) (0 => 165123)


--- branches/safari-537.75-branch/LayoutTests/fast/text/character-at-crash-expected.txt	                        (rev 0)
+++ branches/safari-537.75-branch/LayoutTests/fast/text/character-at-crash-expected.txt	2014-03-05 21:25:38 UTC (rev 165123)
@@ -0,0 +1 @@
+Pass. Test didn't crash.

Copied: branches/safari-537.75-branch/LayoutTests/fast/text/character-at-crash.html (from rev 163465, trunk/LayoutTests/fast/text/character-at-crash.html) (0 => 165123)


--- branches/safari-537.75-branch/LayoutTests/fast/text/character-at-crash.html	                        (rev 0)
+++ branches/safari-537.75-branch/LayoutTests/fast/text/character-at-crash.html	2014-03-05 21:25:38 UTC (rev 165123)
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html>
+<style>
+div {
+  -webkit-writing-mode: vertical-lr;
+  -webkit-text-combine: horizontal;
+  height: 7px;
+  white-space: pre-wrap;
+}
+</style>
+<div>
+foo
+  <script></script>
+  <script></script>
+</div>
+<script>
+if (window.testRunner)
+  testRunner.dumpAsText();
+document.documentElement.offsetTop;
+document.documentElement.innerHTML = "Pass. Test didn't crash.";
+</script>
+</html>

Modified: branches/safari-537.75-branch/Source/WebCore/ChangeLog (165122 => 165123)


--- branches/safari-537.75-branch/Source/WebCore/ChangeLog	2014-03-05 21:13:56 UTC (rev 165122)
+++ branches/safari-537.75-branch/Source/WebCore/ChangeLog	2014-03-05 21:25:38 UTC (rev 165123)
@@ -1,5 +1,34 @@
 2014-03-05  Matthew Hanson  <[email protected]>
 
+        Merge r163465.
+
+    2014-02-04  Myles C. Maxfield  <[email protected]>
+
+            Move characterAt index checks from InlineIterator to RenderText
+            https://bugs.webkit.org/show_bug.cgi?id=128224
+
+            Reviewed by Simon Fraser.
+
+            Move characterAt index checks from InlineIterator to RenderText
+            so that all RenderText calls are covered. Few safe instances are
+            now covered with uncheckedCharacterAt.
+
+            Merged from Blink:
+            http://src.chromium.org/viewvc/blink?view=revision&revision=150830
+
+            Test: fast/text/character-at-crash.html
+
+            * rendering/InlineIterator.h:
+            (WebCore::InlineIterator::characterAt):
+            * rendering/RenderText.cpp:
+            (WebCore::RenderText::computePreferredLogicalWidths):
+            * rendering/RenderText.h:
+            (WebCore::RenderText::operator[]):
+            (WebCore::RenderText::uncheckedCharacterAt):
+            (WebCore::RenderText::characterAt):
+
+2014-03-05  Matthew Hanson  <[email protected]>
+
         Merge r164933.
 
     2014-03-01  David Kilzer  <[email protected]>

Modified: branches/safari-537.75-branch/Source/WebCore/rendering/InlineIterator.h (165122 => 165123)


--- branches/safari-537.75-branch/Source/WebCore/rendering/InlineIterator.h	2014-03-05 21:13:56 UTC (rev 165122)
+++ branches/safari-537.75-branch/Source/WebCore/rendering/InlineIterator.h	2014-03-05 21:25:38 UTC (rev 165123)
@@ -374,11 +374,7 @@
     if (!m_obj || !m_obj->isText())
         return 0;
 
-    RenderText* text = toRenderText(m_obj);
-    if (index >= text->textLength())
-        return 0;
-
-    return text->characterAt(index);
+    return toRenderText(m_obj)->characterAt(index);
 }
 
 inline UChar InlineIterator::current() const
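Review bot: Dropping the `index >= text->textLength()` guard makes this function's out-of-range behaviour depend entirely on RenderText::characterAt returning 0 for such indices, and nothing at the call site records that. A comment on the new line, `// RenderText::characterAt() bounds-checks and returns 0 for out-of-range indices.`, would keep the invariant visible if someone later swaps in the unchecked accessor here. The enclosing function's signature lies before this hunk, so the type of `index` is not visible from it.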

Modified: branches/safari-537.75-branch/Source/WebCore/rendering/RenderText.cpp (165122 => 165123)


--- branches/safari-537.75-branch/Source/WebCore/rendering/RenderText.cpp	2014-03-05 21:13:56 UTC (rev 165122)
+++ branches/safari-537.75-branch/Source/WebCore/rendering/RenderText.cpp	2014-03-05 21:25:38 UTC (rev 165123)
@@ -995,7 +995,7 @@
     bool breakAll = (styleToUse->wordBreak() == BreakAllWordBreak || styleToUse->wordBreak() == BreakWordBreak) && styleToUse->autoWrap();
 
     for (int i = 0; i < len; i++) {
-        UChar c = characterAt(i);
+        UChar c = uncheckedCharacterAt(i);
 
         bool previousCharacterIsSpace = isSpace;
 
@@ -1047,7 +1047,7 @@
             j++;
             if (j == len)
                 break;
-            c = characterAt(j);
+            c = uncheckedCharacterAt(j);
             if (isBreakable(breakIterator, j, nextBreakable, breakNBSP) && characterAt(j - 1) != softHyphen)
                 break;
             if (breakAll) {
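Review bot: The switch to `uncheckedCharacterAt(i)` in the previous hunk and `uncheckedCharacterAt(j)` here is only in bounds if `len` equals `textLength()`, but `len` is initialised outside both hunks, so the precondition is not visible where the unchecked accessor is used. A comment at the first use, `// i < len == textLength(), so the unchecked accessor cannot read past the end`, would tie the loop bound to the accessor's contract (confirm where `len` is set that it is in fact `textLength()`). The `characterAt(j - 1)` on the following context line keeps the checked accessor even though `j - 1` appears to be in range after the `j == len` break above; mixing both forms in one loop body obscures which one is doing the guarding. computePreferredLogicalWidths starts and ends outside these hunks.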

Modified: branches/safari-537.75-branch/Source/WebCore/rendering/RenderText.h (165122 => 165123)


--- branches/safari-537.75-branch/Source/WebCore/rendering/RenderText.h	2014-03-05 21:13:56 UTC (rev 165122)
+++ branches/safari-537.75-branch/Source/WebCore/rendering/RenderText.h	2014-03-05 21:25:38 UTC (rev 165123)
@@ -70,8 +70,9 @@
     const LChar* characters8() const { return m_text.impl()->characters8(); }
     const UChar* characters16() const { return m_text.impl()->characters16(); }
     const UChar* characters() const { return m_text.characters(); }
-    UChar characterAt(unsigned i) const { return is8Bit() ? characters8()[i] : characters16()[i]; }
-    UChar operator[](unsigned i) const { return characterAt(i); }
+    UChar characterAt(unsigned) const; 
+    UChar uncheckedCharacterAt(unsigned) const; 
+    UChar operator[](unsigned i) const { return uncheckedCharacterAt(i); }
     unsigned textLength() const { return m_text.length(); } // non virtual implementation of length()
     void positionLineBox(InlineBox*);
 
@@ -198,6 +199,20 @@
     InlineTextBox* m_lastTextBox;
 };
 
+inline UChar RenderText::uncheckedCharacterAt(unsigned i) const
+{
+    ASSERT_WITH_SECURITY_IMPLICATION(i < textLength());
+    return is8Bit() ? characters8()[i] : characters16()[i];
+}
+
+inline UChar RenderText::characterAt(unsigned i) const
+{
+    if (i >= textLength())
+        return 0;
+
+    return uncheckedCharacterAt(i);
+}
+
 inline RenderText* toRenderText(RenderObject* object)
 { 
     ASSERT_WITH_SECURITY_IMPLICATION(!object || object->isText());
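Review bot: `uncheckedCharacterAt` guards its index only with ASSERT_WITH_SECURITY_IMPLICATION, which is a no-op in builds without assertions enabled, so in such builds an out-of-range `i` reads past `characters8()`/`characters16()`; that contract belongs on the declaration rather than only in the assert. Suggested comment above the `uncheckedCharacterAt` declaration in the earlier hunk: `// Caller must guarantee i < textLength(); not bounds-checked when assertions are disabled. Prefer characterAt().`. `characterAt` returns 0 for an out-of-range index, which callers cannot distinguish from a U+0000 character present in the text, so a comment such as `// Returns 0 for out-of-range indices (indistinguishable from a NUL in the text).` is worth adding there too. Both new declarations in the earlier hunk also carry trailing whitespace after the semicolon.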