Title: [281019] branches/safari-612.1.28-branch/Source/WebCore
- Revision: 281019
- Author: alanc...@apple.com
- Date: 2021-08-13 08:38:40 -0700 (Fri, 13 Aug 2021)
Log Message
Cherry-pick r281008. rdar://problem/81901037
Fix bounds checks for WhitespaceCache string lengths
https://bugs.webkit.org/show_bug.cgi?id=229066
<rdar://81850871>
Reviewed by Simon Fraser.
When the whitespace string length is maximumWhitespaceStringLength,
we read from and write to one element past the end of m_codes and
m_indexes. Since we don't need to store codes and indexes for zero
length strings, subtract one from the index we use.
* html/parser/HTMLConstructionSite.cpp:
(WebCore::WhitespaceCache::lookup):
* html/parser/HTMLConstructionSite.h:
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@281008 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Modified Paths
Diff
Modified: branches/safari-612.1.28-branch/Source/WebCore/ChangeLog (281018 => 281019)
--- branches/safari-612.1.28-branch/Source/WebCore/ChangeLog 2021-08-13 15:30:09 UTC (rev 281018)
+++ branches/safari-612.1.28-branch/Source/WebCore/ChangeLog 2021-08-13 15:38:40 UTC (rev 281019)
@@ -1,3 +1,42 @@
+2021-08-13 Alan Coon <alanc...@apple.com>
+
+ Cherry-pick r281008. rdar://problem/81901037
+
+ Fix bounds checks for WhitespaceCache string lengths
+ https://bugs.webkit.org/show_bug.cgi?id=229066
+ <rdar://81850871>
+
+ Reviewed by Simon Fraser.
+
+ When the whitespace string length is maximumWhitespaceStringLength,
+ we read from and write to one element past the end of m_codes and
+ m_indexes. Since we don't need to store codes and indexes for zero
+ length strings, subtract one from the index we use.
+
+ * html/parser/HTMLConstructionSite.cpp:
+ (WebCore::WhitespaceCache::lookup):
+ * html/parser/HTMLConstructionSite.h:
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@281008 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2021-08-12 Cameron McCormack <hey...@apple.com>
+
+ Fix bounds checks for WhitespaceCache string lengths
+ https://bugs.webkit.org/show_bug.cgi?id=229066
+ <rdar://81850871>
+
+ Reviewed by Simon Fraser.
+
+ When the whitespace string length is maximumWhitespaceStringLength,
+ we read from and write to one element past the end of m_codes and
+ m_indexes. Since we don't need to store codes and indexes for zero
+ length strings, subtract one from the index we use.
+
+ * html/parser/HTMLConstructionSite.cpp:
+ (WebCore::WhitespaceCache::lookup):
+ * html/parser/HTMLConstructionSite.h:
+
2021-08-12 Youenn Fablet <you...@apple.com>
Implement SFrameTransform error handling
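Review bot: Both copies of the entry name the constant `maximumWhitespaceStringLength`, but the header hunk in this same revision declares the array bound as `maximumCachedStringLength = 128`; the entry should use the identifier that actually exists so the description can be matched against the code. It would also help to state where the "no zero-length strings" assumption is enforced, since the whole fix (indexing by `length - 1`) depends on it.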
Modified: branches/safari-612.1.28-branch/Source/WebCore/html/parser/HTMLConstructionSite.cpp (281018 => 281019)
--- branches/safari-612.1.28-branch/Source/WebCore/html/parser/HTMLConstructionSite.cpp 2021-08-13 15:30:09 UTC (rev 281018)
+++ branches/safari-612.1.28-branch/Source/WebCore/html/parser/HTMLConstructionSite.cpp 2021-08-13 15:38:40 UTC (rev 281019)
@@ -891,24 +891,25 @@
if (!code)
return AtomString();
- if (m_codes[length] == code) {
- ASSERT(m_atoms[m_indexes[length]] == string);
- return m_atoms[m_indexes[length]];
+ size_t lengthIndex = length - 1;
+ if (m_codes[lengthIndex] == code) {
+ ASSERT(m_atoms[m_indexes[lengthIndex]] == string);
+ return m_atoms[m_indexes[lengthIndex]];
}
if (code == overflowWhitespaceCode)
return AtomString(string);
- if (m_codes[length]) {
+ if (m_codes[lengthIndex]) {
AtomString whitespaceAtom(string);
- m_codes[length] = code;
- m_atoms[m_indexes[length]] = whitespaceAtom;
+ m_codes[lengthIndex] = code;
+ m_atoms[m_indexes[lengthIndex]] = whitespaceAtom;
return whitespaceAtom;
}
AtomString whitespaceAtom(string);
- m_codes[length] = code;
- m_indexes[length] = m_atoms.size();
+ m_codes[lengthIndex] = code;
+ m_indexes[lengthIndex] = m_atoms.size();
m_atoms.append(whitespaceAtom);
return whitespaceAtom;
}
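Review bot: `size_t lengthIndex = length - 1;` wraps to SIZE_MAX when `length` is 0, which would turn the original one-past-the-end access into a far out-of-bounds read of `m_codes`; the hunk relies on the preceding `if (!code) return AtomString();` having already rejected the empty string, but nothing in the visible lines records that invariant. Suggest adding `ASSERT(length >= 1 && length <= maximumCachedStringLength);` immediately before the subtraction so a debug build catches a caller that passes 0 or a length above the array size, and the reason the old index was wrong (length 128 addressing `m_codes[128]` in an array of 128) is then documented at the point of use.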
Modified: branches/safari-612.1.28-branch/Source/WebCore/html/parser/HTMLConstructionSite.h (281018 => 281019)
--- branches/safari-612.1.28-branch/Source/WebCore/html/parser/HTMLConstructionSite.h 2021-08-13 15:30:09 UTC (rev 281018)
+++ branches/safari-612.1.28-branch/Source/WebCore/html/parser/HTMLConstructionSite.h 2021-08-13 15:38:40 UTC (rev 281019)
@@ -238,7 +238,9 @@
constexpr static size_t maximumCachedStringLength = 128;
// Parallel arrays storing a 64 bit code and an index into m_atoms for the
- // most recently atomized whitespace-only string of a given length.
+ // most recently atomized whitespace-only string of a given length. The
+ // indices into these two arrays are the string length minus 1, so the code
+ // for a whitespace-only string of length 2 is stored at m_codes[1], etc.
uint64_t m_codes[maximumCachedStringLength] { 0 };
uint8_t m_indexes[maximumCachedStringLength] { 0 };
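Review bot: The expanded comment explains the minus-1 indexing, but it could also record why `uint8_t` is wide enough for `m_indexes`: the .cpp hunk only appends to `m_atoms` when `m_codes[lengthIndex]` is still 0, so `m_atoms` never holds more than `maximumCachedStringLength` (128) entries and every stored index fits in a byte. A `static_assert(maximumCachedStringLength <= 256)` beside the declaration would keep that invariant checked if the constant is ever raised.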
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes