Modified: trunk/LayoutTests/ChangeLog (127507 => 127508)
--- trunk/LayoutTests/ChangeLog 2012-09-04 21:23:01 UTC (rev 127507)
+++ trunk/LayoutTests/ChangeLog 2012-09-04 21:32:19 UTC (rev 127508)
@@ -1,3 +1,15 @@
+2012-09-04 Michael Saboff <msab...@apple.com>
+
+ equal() in CSSParser.cpp should check the length of characters
+ https://bugs.webkit.org/show_bug.cgi?id=95706
+
+ Added test from duplicate defect https://bugs.webkit.org/show_bug.cgi?id=95634.
+
+ Reviewed by Abhishek Arya.
+
+ * fast/css/crash-comparing-equal-expected.txt: Added.
+ * fast/css/crash-comparing-equal.html: Added.
+
2012-09-04 Roger Fong <roger_f...@apple.com>
Unreviewed gardening. meda/video-controls-captions.html fails on Windows after it was introduced in http://trac.webkit.org/changeset/127035.
Added: trunk/LayoutTests/fast/css/crash-comparing-equal-expected.txt (0 => 127508)
--- trunk/LayoutTests/fast/css/crash-comparing-equal-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/css/crash-comparing-equal-expected.txt 2012-09-04 21:32:19 UTC (rev 127508)
@@ -0,0 +1 @@
+This page shouldn't crash when parsing CSS - Bug 95706.
Added: trunk/LayoutTests/fast/css/crash-comparing-equal.html (0 => 127508)
--- trunk/LayoutTests/fast/css/crash-comparing-equal.html (rev 0)
+++ trunk/LayoutTests/fast/css/crash-comparing-equal.html 2012-09-04 21:32:19 UTC (rev 127508)
@@ -0,0 +1,15 @@
+<html>
+<head>
+ <script>
+ if (window.testRunner)
+ testRunner.dumpAsText();
+ </script>
+ <style>
+ #parent {
+ font: 20px/1 ahem;
+ </style>
+</head>
+<body>
+This page shouldn't crash when parsing CSS - Bug 95706.
+</body>
+</html>
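Review bot: The `#parent {` rule on the `<style>` block is left unclosed, and nothing in the file says that this is deliberate, so a later tidy-up could add the missing `}` and turn the regression test into a no-op that still passes. Presumably the unterminated block is the input from bug 95634 that drove the mismatched-length compare in CSSParser.cpp, since the changelog says the test was taken from that duplicate. I would add a comment right above the `<style>` tag, `<!-- The unterminated '#parent {' block is intentional (bug 95706/95634); do not "fix" it. -->`, so the reproducer survives future cleanups.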
Modified: trunk/Source/WebCore/ChangeLog (127507 => 127508)
--- trunk/Source/WebCore/ChangeLog 2012-09-04 21:23:01 UTC (rev 127507)
+++ trunk/Source/WebCore/ChangeLog 2012-09-04 21:32:19 UTC (rev 127508)
@@ -1,3 +1,20 @@
+2012-09-04 Michael Saboff <msab...@apple.com>
+
+ equal() in CSSParser.cpp should check the length of characters
+ https://bugs.webkit.org/show_bug.cgi?id=95706
+
+ Reviewed by Abhishek Arya.
+
+ Pass the length of string literals to CSSParser static functions equal() and
+ equalIgnoringCase() so that checks won't access out of bounds memory.
+
+ Added test fast/css/crash-comparing-equal.html.
+
+ * css/CSSParser.cpp:
+ (WebCore::equal): Use template to retrieve the length of string literal.
+ (WebCore::equalIgnoringCase): Ditto.
+ (WebCore::CSSParser::parseDashboardRegions): Use const char[] instead of const char*
+
2012-09-04 Antonio Gomes <ago...@rim.com>
[BlackBerry] Use child/ScrollableContent layer's position instead of parent/ScrollLayer's boundsOrigin
Modified: trunk/Source/WebCore/css/CSSParser.cpp (127507 => 127508)
--- trunk/Source/WebCore/css/CSSParser.cpp 2012-09-04 21:23:01 UTC (rev 127507)
+++ trunk/Source/WebCore/css/CSSParser.cpp 2012-09-04 21:32:19 UTC (rev 127508)
@@ -156,14 +156,24 @@
static const unsigned INVALID_NUM_PARSED_PROPERTIES = UINT_MAX;
static const double MAX_SCALE = 1000000;
-static bool equal(const CSSParserString& a, const char* b)
+template <unsigned N>
+static bool equal(const CSSParserString& a, const char (&b)[N])
{
- return a.is8Bit() ? WTF::equal(a.characters8(), reinterpret_cast<const LChar*>(b), a.length()) : WTF::equal(a.characters16(), reinterpret_cast<const LChar*>(b), a.length());
+ unsigned length = N - 1; // Ignore the trailing null character
+ if (a.length() != length)
+ return false;
+
+ return a.is8Bit() ? WTF::equal(a.characters8(), reinterpret_cast<const LChar*>(b), length) : WTF::equal(a.characters16(), reinterpret_cast<const LChar*>(b), length);
}
-static bool equalIgnoringCase(const CSSParserString& a, const char* b)
+template <unsigned N>
+static bool equalIgnoringCase(const CSSParserString& a, const char (&b)[N])
{
- return a.is8Bit() ? WTF::equalIgnoringCase(b, a.characters8(), a.length()) : WTF::equalIgnoringCase(b, a.characters16(), a.length());
+ unsigned length = N - 1; // Ignore the trailing null character
+ if (a.length() != length)
+ return false;
+
+ return a.is8Bit() ? WTF::equalIgnoringCase(b, a.characters8(), length) : WTF::equalIgnoringCase(b, a.characters16(), length);
}
static bool hasPrefix(const char* string, unsigned length, const char* prefix)
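Review bot: The `const char (&b)[N]` overloads at lines 74 and 85 derive the length as `N - 1`, which is only correct when the array is sized exactly to its contents, as a string literal is; a `char buf[32]` holding a shorter name binds to the same reference and would silently compare unequal instead of failing to build. I would document that contract on both templates, e.g. `// b must be a string literal (or an array sized exactly to its contents): the length comes from N, not from a NUL terminator.`, and in debug builds pin it with `ASSERT(strlen(b) == N - 1);` if `<string.h>` is already in scope here. The early `a.length() != length` return does close the over-read the commit describes, since `a.length()` is no longer used as a bound when walking `b`. `hasPrefix` on line 94 still takes a bare `const char* prefix` with no length, but its body is outside the hunk, so whether it has the same shape of bug cannot be judged from here.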
@@ -4333,7 +4343,7 @@
}
bool validFunctionName = false;
#if ENABLE(DASHBOARD_SUPPORT)
- static const char* const dashboardRegionFunctionName = "dashboard-region(";
+ static const char dashboardRegionFunctionName[] = "dashboard-region(";
if (equalIgnoringCase(value->function->name, dashboardRegionFunctionName)) {
validFunctionName = true;
#if ENABLE(DASHBOARD_SUPPORT) && ENABLE(WIDGET_REGION)
@@ -4343,7 +4353,7 @@
}
#endif
#if ENABLE(WIDGET_REGION)
- static const char* const widgetRegionFunctionName = "region(";
+ static const char widgetRegionFunctionName[] = "region(";
if (equalIgnoringCase(value->function->name, widgetRegionFunctionName)) {
validFunctionName = true;
#if ENABLE(DASHBOARD_SUPPORT) && ENABLE(WIDGET_REGION)