Title: [98374] trunk/Source/WebCore
Revision: 98374
Author: cev...@google.com
Date: 2011-10-25 12:28:15 -0700 (Tue, 25 Oct 2011)

Log Message

Manage the CSS property array length correctly
https://bugs.webkit.org/show_bug.cgi?id=70783

Reviewed by Adam Barth.

* css/CSSParser.cpp:
(WebCore::CSSParser::addProperty): don't allow max length to get out of sync with the buffer.

Diff

Modified: trunk/Source/WebCore/ChangeLog (98373 => 98374)


--- trunk/Source/WebCore/ChangeLog	2011-10-25 19:26:04 UTC (rev 98373)
+++ trunk/Source/WebCore/ChangeLog	2011-10-25 19:28:15 UTC (rev 98374)
@@ -1,3 +1,13 @@
+2011-10-25  Chris Evans  <cev...@google.com>
+
+        Manage the CSS property array length correctly
+        https://bugs.webkit.org/show_bug.cgi?id=70783
+
+        Reviewed by Adam Barth.
+
+        * css/CSSParser.cpp:
+        (WebCore::CSSParser::addProperty): don't allow max length to get out of sync with the buffer.
+
 2011-10-25  Tony Chang  <t...@chromium.org>
 
         avoid unnecessary layouts of flex items during the flex pass
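
Review bot: The new entry does not record that the overflow case now terminates the process. "don't allow max length to get out of sync with the buffer" states the invariant, but the CSSParser.cpp change in this revision replaces a silent `return` with `CRASH()`, and saying so here would help anyone bisecting a crash report back to this revision. The entry also lists no test; if one is impractical for a property count this large, a line saying that would be useful.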

Modified: trunk/Source/WebCore/css/CSSParser.cpp (98373 => 98374)


--- trunk/Source/WebCore/css/CSSParser.cpp	2011-10-25 19:26:04 UTC (rev 98373)
+++ trunk/Source/WebCore/css/CSSParser.cpp	2011-10-25 19:28:15 UTC (rev 98374)
@@ -613,9 +613,9 @@
 {
     OwnPtr<CSSProperty> prop(adoptPtr(new CSSProperty(propId, value, important, m_currentShorthand, m_implicitShorthand)));
     if (m_numParsedProperties >= m_maxParsedProperties) {
+        if (m_numParsedProperties > (UINT_MAX / sizeof(CSSProperty*)) - 32)
+            CRASH();  // Avoid inconsistencies with rollbackLastProperties.
         m_maxParsedProperties += 32;
-        if (m_maxParsedProperties > UINT_MAX / sizeof(CSSProperty*))
-            return;
         m_parsedProperties = static_cast<CSSProperty**>(fastRealloc(m_parsedProperties,
             m_maxParsedProperties * sizeof(CSSProperty*)));
     }
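
Review bot: The new guard tests `m_numParsedProperties`, but the value that is grown and then multiplied by `sizeof(CSSProperty*)` for `fastRealloc` is `m_maxParsedProperties`. The check is sufficient only because the enclosing branch is taken when `m_numParsedProperties >= m_maxParsedProperties`, which the reader has to work out; testing `m_maxParsedProperties > (UINT_MAX / sizeof(CSSProperty*)) - 32` directly would put the bound on the quantity that actually sizes the allocation. The literal 32 now appears in both the guard and the increment, so a named constant would keep the two from drifting apart. The comment names rollbackLastProperties without saying what goes wrong; one more sentence noting that the removed early `return` left `m_maxParsedProperties` incremented while the buffer was not reallocated would explain why this path crashes rather than returns.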
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes
