Title: [281019] branches/safari-612.1.28-branch/Source/WebCore
Revision
281019
Author
alanc...@apple.com
Date
2021-08-13 08:38:40 -0700 (Fri, 13 Aug 2021)

Log Message

Cherry-pick r281008. rdar://problem/81901037

    Fix bounds checks for WhitespaceCache string lengths
    https://bugs.webkit.org/show_bug.cgi?id=229066
    <rdar://81850871>

    Reviewed by Simon Fraser.

    When the whitespace string length is maximumWhitespaceStringLength,
    we read from and write to one element past the end of m_codes and
    m_indexes. Since we don't need to store codes and indexes for zero
    length strings, subtract one from the index we use.

    * html/parser/HTMLConstructionSite.cpp:
    (WebCore::WhitespaceCache::lookup):
    * html/parser/HTMLConstructionSite.h:

    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@281008 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Modified Paths

Diff

Modified: branches/safari-612.1.28-branch/Source/WebCore/ChangeLog (281018 => 281019)


--- branches/safari-612.1.28-branch/Source/WebCore/ChangeLog	2021-08-13 15:30:09 UTC (rev 281018)
+++ branches/safari-612.1.28-branch/Source/WebCore/ChangeLog	2021-08-13 15:38:40 UTC (rev 281019)
@@ -1,3 +1,42 @@
+2021-08-13  Alan Coon  <alanc...@apple.com>
+
+        Cherry-pick r281008. rdar://problem/81901037
+
+    Fix bounds checks for WhitespaceCache string lengths
+    https://bugs.webkit.org/show_bug.cgi?id=229066
+    <rdar://81850871>
+    
+    Reviewed by Simon Fraser.
+    
+    When the whitespace string length is maximumWhitespaceStringLength,
+    we read from and write to one element past the end of m_codes and
+    m_indexes. Since we don't need to store codes and indexes for zero
+    length strings, subtract one from the index we use.
+    
+    * html/parser/HTMLConstructionSite.cpp:
+    (WebCore::WhitespaceCache::lookup):
+    * html/parser/HTMLConstructionSite.h:
+    
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@281008 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2021-08-12  Cameron McCormack  <hey...@apple.com>
+
+            Fix bounds checks for WhitespaceCache string lengths
+            https://bugs.webkit.org/show_bug.cgi?id=229066
+            <rdar://81850871>
+
+            Reviewed by Simon Fraser.
+
+            When the whitespace string length is maximumWhitespaceStringLength,
+            we read from and write to one element past the end of m_codes and
+            m_indexes. Since we don't need to store codes and indexes for zero
+            length strings, subtract one from the index we use.
+
+            * html/parser/HTMLConstructionSite.cpp:
+            (WebCore::WhitespaceCache::lookup):
+            * html/parser/HTMLConstructionSite.h:
+
 2021-08-12  Youenn Fablet  <you...@apple.com>
 
         Implement SFrameTransform error handling

Modified: branches/safari-612.1.28-branch/Source/WebCore/html/parser/HTMLConstructionSite.cpp (281018 => 281019)


--- branches/safari-612.1.28-branch/Source/WebCore/html/parser/HTMLConstructionSite.cpp	2021-08-13 15:30:09 UTC (rev 281018)
+++ branches/safari-612.1.28-branch/Source/WebCore/html/parser/HTMLConstructionSite.cpp	2021-08-13 15:38:40 UTC (rev 281019)
@@ -891,24 +891,25 @@
     if (!code)
         return AtomString();
 
-    if (m_codes[length] == code) {
-        ASSERT(m_atoms[m_indexes[length]] == string);
-        return m_atoms[m_indexes[length]];
+    size_t lengthIndex = length - 1;
+    if (m_codes[lengthIndex] == code) {
+        ASSERT(m_atoms[m_indexes[lengthIndex]] == string);
+        return m_atoms[m_indexes[lengthIndex]];
     }
 
     if (code == overflowWhitespaceCode)
         return AtomString(string);
 
-    if (m_codes[length]) {
+    if (m_codes[lengthIndex]) {
         AtomString whitespaceAtom(string);
-        m_codes[length] = code;
-        m_atoms[m_indexes[length]] = whitespaceAtom;
+        m_codes[lengthIndex] = code;
+        m_atoms[m_indexes[lengthIndex]] = whitespaceAtom;
         return whitespaceAtom;
     }
 
     AtomString whitespaceAtom(string);
-    m_codes[length] = code;
-    m_indexes[length] = m_atoms.size();
+    m_codes[lengthIndex] = code;
+    m_indexes[lengthIndex] = m_atoms.size();
     m_atoms.append(whitespaceAtom);
     return whitespaceAtom;
 }
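Review bot: `size_t lengthIndex = length - 1;` at the top of the hunk wraps to SIZE_MAX when length is 0, and the `m_codes[lengthIndex] == code` read that follows it happens before the `code == overflowWhitespaceCode` check, so within the hunk the new index is unbounded on both sides. The fix presumably relies on the earlier `if (!code)` return and on how `code` is derived for empty and over-long strings, but that part of lookup() starts before the hunk and is not visible here. An explicit `ASSERT(length >= 1 && length <= maximumCachedStringLength);` immediately after the lengthIndex declaration would document the invariant the minus-one depends on and catch a regression in debug builds.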

Modified: branches/safari-612.1.28-branch/Source/WebCore/html/parser/HTMLConstructionSite.h (281018 => 281019)


--- branches/safari-612.1.28-branch/Source/WebCore/html/parser/HTMLConstructionSite.h	2021-08-13 15:30:09 UTC (rev 281018)
+++ branches/safari-612.1.28-branch/Source/WebCore/html/parser/HTMLConstructionSite.h	2021-08-13 15:38:40 UTC (rev 281019)
@@ -238,7 +238,9 @@
     constexpr static size_t maximumCachedStringLength = 128;
 
     // Parallel arrays storing a 64 bit code and an index into m_atoms for the
-    // most recently atomized whitespace-only string of a given length.
+    // most recently atomized whitespace-only string of a given length. The
+    // indices into these two arrays are the string length minus 1, so the code
+    // for a whitespace-only string of length 2 is stored at m_codes[1], etc.
     uint64_t m_codes[maximumCachedStringLength] { 0 };
     uint8_t m_indexes[maximumCachedStringLength] { 0 };
 
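Review bot: The reworded comment on m_codes/m_indexes gives the minus-one mapping but not the range it is valid for or why the shift is safe, which is the substance of this fix. Appending a sentence such as `// Length 0 is never stored, so lengths 1..maximumCachedStringLength map to indices 0..maximumCachedStringLength - 1.` would tie the layout to the bound lookup() must enforce. The enclosing class declaration starts and ends outside the hunk.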
