Title: [236666] trunk/Source/WebCore
Revision: 236666
Author: commit-qu...@webkit.org
Date: 2018-10-01 10:19:47 -0700 (Mon, 01 Oct 2018)

Log Message

[WPE] fix buffer over-read in RenderThemeWPE::mediaControlsStyleSheet()
https://bugs.webkit.org/show_bug.cgi?id=190139

Patch by Olivier Blin <olivier.b...@softathome.com> on 2018-10-01
Reviewed by Michael Catanzaro.

Like done upstream for EFL in r210213
https://bugs.webkit.org/show_bug.cgi?id=166622

This has been detected by a charactersAreAllASCII() assert failure.

This is because ASCIILiteral() is wrongly used in mediaControlsStyleSheet().
mediaControlsBaseUserAgentStyleSheet is a char array, not a null-terminated string.
It is thus incorrect to use StringImpl::createFromLiteral() that calls
strlen() to get the string length.

The String::ConstructFromLiteral constructor can not be used, since it
skips the last character.

* platform/wpe/RenderThemeWPE.cpp:
(WebCore::RenderThemeWPE::mediaControlsStyleSheet):
Explicitly pass the size to the String constructor.

Modified Paths

Diff

Modified: trunk/Source/WebCore/ChangeLog (236665 => 236666)


--- trunk/Source/WebCore/ChangeLog	2018-10-01 17:16:54 UTC (rev 236665)
+++ trunk/Source/WebCore/ChangeLog	2018-10-01 17:19:47 UTC (rev 236666)
@@ -1,3 +1,27 @@
+2018-10-01  Olivier Blin  <olivier.b...@softathome.com>
+
+        [WPE] fix buffer over-read in RenderThemeWPE::mediaControlsStyleSheet()
+        https://bugs.webkit.org/show_bug.cgi?id=190139
+
+        Reviewed by Michael Catanzaro.
+
+        Like done upstream for EFL in r210213
+        https://bugs.webkit.org/show_bug.cgi?id=166622
+
+        This has been detected by a charactersAreAllASCII() assert failure.
+
+        This is because ASCIILiteral() is wrongly used in mediaControlsStyleSheet().
+        mediaControlsBaseUserAgentStyleSheet is a char array, not a null-terminated string.
+        It is thus incorrect to use StringImpl::createFromLiteral() that calls
+        strlen() to get the string length.
+
+        The String::ConstructFromLiteral constructor can not be used, since it
+        skips the last character.
+
+        * platform/wpe/RenderThemeWPE.cpp:
+        (WebCore::RenderThemeWPE::mediaControlsStyleSheet):
+        Explicitely pass the size to the String constructor.
+
 2018-10-01  Rob Buis  <rb...@igalia.com>
 
         Align XMLHttpRequest's overrideMimeType() with the standard
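
Review bot: The explanation in this entry names ASCIILiteral() and StringImpl::createFromLiteral(), but the line removed in RenderThemeWPE.cpp calls ASCIILiteral::fromLiteralUnsafe(); name the call that is actually replaced so the entry can be matched against the code. "Explicitely" in the last line of the entry should read "Explicitly".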

Modified: trunk/Source/WebCore/platform/wpe/RenderThemeWPE.cpp (236665 => 236666)


--- trunk/Source/WebCore/platform/wpe/RenderThemeWPE.cpp	2018-10-01 17:16:54 UTC (rev 236665)
+++ trunk/Source/WebCore/platform/wpe/RenderThemeWPE.cpp	2018-10-01 17:19:47 UTC (rev 236666)
@@ -52,7 +52,7 @@
 #if ENABLE(VIDEO)
 String RenderThemeWPE::mediaControlsStyleSheet()
 {
-    return ASCIILiteral::fromLiteralUnsafe(mediaControlsBaseUserAgentStyleSheet);
+    return String(mediaControlsBaseUserAgentStyleSheet, sizeof(mediaControlsBaseUserAgentStyleSheet));
 }
 
 String RenderThemeWPE::mediaControlsScript()
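
Review bot: sizeof(mediaControlsBaseUserAgentStyleSheet) on the added line gives the buffer length only while that identifier is an array of known size in this translation unit; its declaration is not visible in this hunk, and if it were ever a pointer the expression would still compile and silently produce the wrong length. Consider a static_assert on the array type, or at least a short comment that the array is not null-terminated, so a later cleanup does not reintroduce a strlen()-based helper. The body of mediaControlsScript(), which begins in the trailing context, is not shown; it is worth confirming that it does not build its String from a similar generated array using the old pattern.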