Title: [192499] trunk
Revision
192499
Author
bfulg...@apple.com
Date
2015-11-16 17:19:10 -0800 (Mon, 16 Nov 2015)

Log Message

Source/WebCore:
Fixes the buffer-overflow when reading characters from textRun
https://bugs.webkit.org/attachment.cgi?bugid=151055
<rdar://problem/23251789>

Patch by Pranjal Jumde <pju...@apple.com> on 2015-11-16
Reviewed by Brent Fulgham.

* platform/graphics/FontCascade.cpp

LayoutTests:
Checks for buffer-overflows when reading characters from textRun
https://bugs.webkit.org/attachment.cgi?bugid=151055
<rdar://problem/23251789>

Patch by Pranjal Jumde <pju...@apple.com> on 2015-11-16
Reviewed by Brent Fulgham.

* webgl/1.0.3/151055_asan-expected.txt
* webgl/1.0.3/151055_asan.html

Modified Paths

trunk/LayoutTests/ChangeLog
trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/platform/graphics/FontCascade.cpp

Added Paths

trunk/LayoutTests/webgl/1.0.3/151055_asan-expected.txt
trunk/LayoutTests/webgl/1.0.3/151055_asan.html
Diff

Modified: trunk/LayoutTests/ChangeLog (192498 => 192499)


--- trunk/LayoutTests/ChangeLog	2015-11-17 00:53:05 UTC (rev 192498)
+++ trunk/LayoutTests/ChangeLog	2015-11-17 01:19:10 UTC (rev 192499)
@@ -1,3 +1,14 @@
+2015-11-16  Pranjal Jumde  <pju...@apple.com>
+
+        Checks for buffer-overflows when reading characters from textRun
+        https://bugs.webkit.org/attachment.cgi?bugid=151055
+        <rdar://problem/23251789>
+
+        Reviewed by Brent Fulgham.
+
+        * webgl/1.0.3/151055_asan-expected.txt
+        * webgl/1.0.3/151055_asan.html
+
 2015-11-16  Brady Eidson  <beid...@apple.com>
 
         Modern IDB:Make in-memory ObjectStore cursors work.
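Review bot: the bug link in this entry, https://bugs.webkit.org/attachment.cgi?bugid=151055, points at the attachment CGI rather than the bug, while the test page added in the same commit uses https://bugs.webkit.org/show_bug.cgi?id=151055; use the show_bug.cgi form here so the reference resolves. Separately, the fix lands in platform/graphics/FontCascade.cpp (text and underline painting), so this regression test would sit more naturally in a text-rendering test directory than under the versioned webgl/1.0.3 tree, even though the trigger goes through a WebGL context.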

Added: trunk/LayoutTests/webgl/1.0.3/151055_asan-expected.txt (0 => 192499)


--- trunk/LayoutTests/webgl/1.0.3/151055_asan-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/webgl/1.0.3/151055_asan-expected.txt	2015-11-17 01:19:10 UTC (rev 192499)
@@ -0,0 +1 @@
+This test passes if it doesn't crash. https://bugs.webkit.org/show_bug.cgi?id=151055. 
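Review bot: the expected text on line +1 ends with a trailing space after "151055.", whereas the same sentence in the test's div has none; since the test is compared as a text dump, a whitespace mismatch would fail it even when nothing crashes. Confirm this is exactly what dumpAsText emits for the page, including whatever the appended textarea contributes, or drop the trailing space.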

Added: trunk/LayoutTests/webgl/1.0.3/151055_asan.html (0 => 192499)


--- trunk/LayoutTests/webgl/1.0.3/151055_asan.html	                        (rev 0)
+++ trunk/LayoutTests/webgl/1.0.3/151055_asan.html	2015-11-17 01:19:10 UTC (rev 192499)
@@ -0,0 +1,28 @@
+<style>
+    div {
+        width: 200px;
+        font-size: 20px;
+        text-decoration: underline;
+    }
+</style>
+<div id="webtest8" style="direction: rtl; text-align: justify;">
+This test passes if it doesn't crash. https://bugs.webkit.org/show_bug.cgi?id=151055.
+</div>
+<script>
+
+function webtest_fn_3() {
+   if (window.testRunner)
+       testRunner.dumpAsText();
+
+    var canvas = document.createElement("canvas");
+    gl = canvas.getContext("webgl");
+
+    try {
+        gl.isBuffer(document.getElementById("webtest8").appendChild(document.createElement("image")).createBuffer())
+    } 
+    catch(er) { };
+
+    gl.viewport(document.getElementById("webtest8").appendChild(document.createElement("textarea")).cols, 0, 0, 32769);
+}
+webtest_fn_3();
+</script>
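Review bot: `gl = canvas.getContext("webgl");` assigns an implicit global, and only the isBuffer call is inside the try; if getContext returns null on a configuration without WebGL, `gl.viewport(...)` throws a TypeError outside the try and the test fails for a reason unrelated to the bug. Declare it with `var gl`, then either bail early (`if (!gl) return;`) or move the viewport call into the try as well. A short comment would also help a future maintainer: that `createBuffer()` is expected to throw on the appended element (the try exists only to swallow that), and which step drives the rtl/justify underline-painting path that reads past the text run. Minor: the `if (window.testRunner)` block is indented three spaces while the rest of the function uses four.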

Modified: trunk/Source/WebCore/ChangeLog (192498 => 192499)


--- trunk/Source/WebCore/ChangeLog	2015-11-17 00:53:05 UTC (rev 192498)
+++ trunk/Source/WebCore/ChangeLog	2015-11-17 01:19:10 UTC (rev 192499)
@@ -1,3 +1,13 @@
+2015-11-16  Pranjal Jumde  <pju...@apple.com>
+
+        Fixes the buffer-overflow when reading characters from textRun
+        https://bugs.webkit.org/attachment.cgi?bugid=151055
+        <rdar://problem/23251789>
+
+        Reviewed by Brent Fulgham.
+
+        * platform/graphics/FontCascade.cpp
+
 2015-11-16  Brady Eidson  <beid...@apple.com>
 
         Modern IDB:Make in-memory ObjectStore cursors work.
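Review bot: this entry lists platform/graphics/FontCascade.cpp with no per-function line and does not reference the test it is paired with; WebKit ChangeLog convention is a `Test: webgl/1.0.3/151055_asan.html` line after the bug references and, under the file, a line naming the changed function with a one-sentence explanation, here that glyphBuffer.offsetInString(index) can return an offset at or beyond textRun.length() and is now treated the same as GlyphBuffer::noOffset. "Fixes the buffer-overflow" says what was fixed but not why the offset could be out of range, which is the detail a reader of this log needs.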

Modified: trunk/Source/WebCore/platform/graphics/FontCascade.cpp (192498 => 192499)


--- trunk/Source/WebCore/platform/graphics/FontCascade.cpp	2015-11-17 00:53:05 UTC (rev 192498)
+++ trunk/Source/WebCore/platform/graphics/FontCascade.cpp	2015-11-17 01:19:10 UTC (rev 192499)
@@ -1152,7 +1152,7 @@
     UChar32 baseCharacter;
     unsigned offsetInString = glyphBuffer.offsetInString(index);
 
-    if (offsetInString == GlyphBuffer::noOffset) {
+    if (offsetInString == GlyphBuffer::noOffset || offsetInString >= textRun.length()) {
         // We have no idea which character spawned this glyph. Bail.
         return GlyphToPathTranslator::GlyphUnderlineType::DrawOverGlyph;
     }
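Review bot: the added `offsetInString >= textRun.length()` condition only establishes that the first index is inside the run. `baseCharacter` is declared as a UChar32, so if the code that follows decodes a surrogate pair starting at offsetInString it must also bound the second code unit against textRun.length() (for example by passing the run length to U16_NEXT), otherwise an offset of length()-1 that lands on a lead surrogate still reads one past the end; please confirm that path. The comment "We have no idea which character spawned this glyph. Bail." now covers two cases and should say so, e.g. "...or the offset is past the end of the run." Finally, this check hides rather than fixes the producer-side bug: note, in a comment or a follow-up bug reference, how the GlyphBuffer came to hold an offset past the end of the run, since an ASSERT here on the out-of-range case would make that regression visible in debug builds.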
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
