Modified: branches/safari-601.1.46-branch/LayoutTests/ChangeLog (198419 => 198420)
--- branches/safari-601.1.46-branch/LayoutTests/ChangeLog 2016-03-18 16:03:28 UTC (rev 198419)
+++ branches/safari-601.1.46-branch/LayoutTests/ChangeLog 2016-03-18 16:04:24 UTC (rev 198420)
@@ -1,5 +1,20 @@
2016-03-18 Babak Shafiei <[email protected]>
+ Merge r192770.
+
+ 2015-11-25 Pranjal Jumde <[email protected]>
+
+ Checks for buffer-overflows when reading characters from textRun
+ https://bugs.webkit.org/show_bug.cgi?id=151055
+ <rdar://problem/23251789>
+
+ Reviewed by Myles C. Maxfield.
+
+ * dom/html/level1/core/151055_asan.html:
+ * dom/html/level1/core/151055_asan-expected.txt:
+
+2016-03-18 Babak Shafiei <[email protected]>
+
Merge r192514.
2015-11-17 Brent Fulgham <[email protected]>
Copied: branches/safari-601.1.46-branch/LayoutTests/dom/html/level1/core/151055_asan-expected.txt (from rev 198409, branches/safari-601-branch/LayoutTests/dom/html/level1/core/151055_asan-expected.txt) (0 => 198420)
--- branches/safari-601.1.46-branch/LayoutTests/dom/html/level1/core/151055_asan-expected.txt (rev 0)
+++ branches/safari-601.1.46-branch/LayoutTests/dom/html/level1/core/151055_asan-expected.txt 2016-03-18 16:04:24 UTC (rev 198420)
@@ -0,0 +1 @@
+This test passes if it doesn't crash. https://bugs.webkit.org/show_bug.cgi?id=151055
Copied: branches/safari-601.1.46-branch/LayoutTests/dom/html/level1/core/151055_asan.html (from rev 198409, branches/safari-601-branch/LayoutTests/dom/html/level1/core/151055_asan.html) (0 => 198420)
--- branches/safari-601.1.46-branch/LayoutTests/dom/html/level1/core/151055_asan.html (rev 0)
+++ branches/safari-601.1.46-branch/LayoutTests/dom/html/level1/core/151055_asan.html 2016-03-18 16:04:24 UTC (rev 198420)
@@ -0,0 +1,19 @@
+<style>
+ div {
+ width: 200px;
+ text-decoration: underline;
+ }
+</style>
+<div id="webtest8" style="direction: rtl; text-align: justify;">
+This test passes if it doesn't crash. https://bugs.webkit.org/show_bug.cgi?id=151055
+</div>
+
+<script>
+ if (window.testRunner)
+ testRunner.dumpAsText();
+
+ var webtest8 = document.getElementById("webtest8")
+
+ webtest8.appendChild(document.createElement("image"));
+ webtest8.appendChild(document.createElement("textarea"));
+</script>
Modified: branches/safari-601.1.46-branch/Source/WebCore/ChangeLog (198419 => 198420)
--- branches/safari-601.1.46-branch/Source/WebCore/ChangeLog 2016-03-18 16:03:28 UTC (rev 198419)
+++ branches/safari-601.1.46-branch/Source/WebCore/ChangeLog 2016-03-18 16:04:24 UTC (rev 198420)
@@ -1,5 +1,22 @@
2016-03-18 Babak Shafiei <[email protected]>
+ Merge r192770.
+
+ 2015-11-25 Pranjal Jumde <[email protected]>
+
+ Checks for buffer-overflows when reading characters from textRun
+ https://bugs.webkit.org/show_bug.cgi?id=151055
+ <rdar://problem/23251789>
+
+ Reviewed by Myles C. Maxfield.
+
+ Prevents an off by one error when adding the last font data to the GlyphBuffer.
+
+ * Source/WebCore/platform/graphics/WidthIterator.cpp:
+ * Source/WebCore/platform/graphics/FontCascade.cpp:
+
+2016-03-18 Babak Shafiei <[email protected]>
+
Merge r192499.
2015-11-16 Pranjal Jumde <[email protected]>
Modified: branches/safari-601.1.46-branch/Source/WebCore/platform/graphics/FontCascade.cpp (198419 => 198420)
--- branches/safari-601.1.46-branch/Source/WebCore/platform/graphics/FontCascade.cpp 2016-03-18 16:03:28 UTC (rev 198419)
+++ branches/safari-601.1.46-branch/Source/WebCore/platform/graphics/FontCascade.cpp 2016-03-18 16:04:24 UTC (rev 198420)
@@ -1172,6 +1172,7 @@
if (offsetInString == GlyphBuffer::noOffset || offsetInString >= textRun.length()) {
// We have no idea which character spawned this glyph. Bail.
+ ASSERT_WITH_SECURITY_IMPLICATION(offsetInString < textRun.length());
return GlyphToPathTranslator::GlyphUnderlineType::DrawOverGlyph;
}
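Review bot: The new assertion on line 82 sits inside the branch whose condition already guarantees `offsetInString >= textRun.length()` for the out-of-range case, so in debug builds every glyph that reaches this bail-out fires it, including the `GlyphBuffer::noOffset` case whose numeric value relative to `textRun.length()` is not visible here. If noOffset is a value callers legitimately produce (the comment treats it as an ordinary "bail"), the assertion should single out the genuinely corrupt case instead: `ASSERT_WITH_SECURITY_IMPLICATION(offsetInString == GlyphBuffer::noOffset);`, which states that only the explicit no-offset marker may reach this point and that no offset past the end of the run ever does. Release builds keep the bail-out either way, which is the right defensive behaviour for a path that was previously reading past the run. The enclosing function starts and ends outside the hunk.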
Modified: branches/safari-601.1.46-branch/Source/WebCore/platform/graphics/WidthIterator.cpp (198419 => 198420)
--- branches/safari-601.1.46-branch/Source/WebCore/platform/graphics/WidthIterator.cpp 2016-03-18 16:03:28 UTC (rev 198419)
+++ branches/safari-601.1.46-branch/Source/WebCore/platform/graphics/WidthIterator.cpp 2016-03-18 16:04:24 UTC (rev 198420)
@@ -415,9 +415,9 @@
if (leftoverJustificationWidth) {
if (m_forTextEmphasis)
- glyphBuffer->add(lastFontData->zeroWidthSpaceGlyph(), lastFontData, leftoverJustificationWidth, m_run.length());
+ glyphBuffer->add(lastFontData->zeroWidthSpaceGlyph(), lastFontData, leftoverJustificationWidth, m_run.length() - 1);
else
- glyphBuffer->add(lastFontData->spaceGlyph(), lastFontData, leftoverJustificationWidth, m_run.length());
+ glyphBuffer->add(lastFontData->spaceGlyph(), lastFontData, leftoverJustificationWidth, m_run.length() - 1);
}
auto transformsType = shouldApplyFontTransforms(glyphBuffer, lastGlyphCount, previousCharacter);
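Review bot: `m_run.length() - 1` on lines 92 and 95 wraps to a very large value when the run is empty, assuming `length()` returns an unsigned type; the consumer's `offsetInString >= textRun.length()` check would then bail rather than read out of bounds, but only for consumers that perform that check. Whether an empty run can reach this point with a non-zero `leftoverJustificationWidth` is not visible in the hunk, so the precondition is better stated explicitly with `ASSERT(m_run.length());` before the offset is computed. The two branches differ only in the glyph, so the duplicated argument list can also go: `auto glyph = m_forTextEmphasis ? lastFontData->zeroWidthSpaceGlyph() : lastFontData->spaceGlyph();` followed by a single `glyphBuffer->add(glyph, lastFontData, leftoverJustificationWidth, m_run.length() - 1);`. A one-line comment explaining that the leftover justification glyph is attributed to the last character, not to a position one past the run, would record the reason for the `- 1`. The enclosing function starts and ends outside the hunk.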