Title: [133610] trunk
Revision
133610
Author
commit-qu...@webkit.org
Date
2012-11-06 07:54:05 -0800 (Tue, 06 Nov 2012)

Log Message

Heap-buffer-overflow in WebCore::TextTrackCueList::add
https://bugs.webkit.org/show_bug.cgi?id=101018

Patch by Aaron Colwell <acolw...@chromium.org> on 2012-11-06
Reviewed by Eric Carlson.

Source/WebCore:

Added an extra check to avoid using a negative array index when a cue
is added to the beginning of the list.

Test case added to LayoutTests/media/track/track-add-remove-cue.html.

* html/track/TextTrackCueList.cpp:
(WebCore::TextTrackCueList::add):

LayoutTests:

Added a test case to verify that adding a cue to the beginning of a non-empty list doesn't crash.

* media/track/track-add-remove-cue-expected.txt:
* media/track/track-add-remove-cue.html:

Modified Paths

Diff

Modified: trunk/LayoutTests/ChangeLog (133609 => 133610)


--- trunk/LayoutTests/ChangeLog	2012-11-06 15:42:48 UTC (rev 133609)
+++ trunk/LayoutTests/ChangeLog	2012-11-06 15:54:05 UTC (rev 133610)
@@ -1,5 +1,17 @@
 2012-11-06  Aaron Colwell  <acolw...@chromium.org>
 
+        Heap-buffer-overflow in WebCore::TextTrackCueList::add
+        https://bugs.webkit.org/show_bug.cgi?id=101018
+
+        Reviewed by Eric Carlson.
+
+        Added a test case to verify that adding a cue to the beginning of a non-empty list doesn't crash.
+
+        * media/track/track-add-remove-cue-expected.txt:
+        * media/track/track-add-remove-cue.html:
+
+2012-11-06  Aaron Colwell  <acolw...@chromium.org>
+
         Regression(r132681): Heap-use-after-free in WebCore::RenderTextTrackCue::layout
         https://bugs.webkit.org/show_bug.cgi?id=100981
 

Modified: trunk/LayoutTests/media/track/track-add-remove-cue-expected.txt (133609 => 133610)


--- trunk/LayoutTests/media/track/track-add-remove-cue-expected.txt	2012-11-06 15:42:48 UTC (rev 133609)
+++ trunk/LayoutTests/media/track/track-add-remove-cue-expected.txt	2012-11-06 15:54:05 UTC (rev 133610)
@@ -71,5 +71,13 @@
 
 *** Try to remove the cue again.
 TEST(testTrack.track.removeCue(textCue)) THROWS(DOMException.INVALID_STATE_ERR) OK
+
+*** Add a cue before all the existing cues.
+RUN(testTrack.track.addCue(new TextTrackCue(0, 31, 'I am first')))
+EXPECTED (cues[0].startTime == '0') OK
+EXPECTED (cues[0].endTime == '31') OK
+EXPECTED (cues[1].startTime == '0') OK
+EXPECTED (cues[1].endTime == '30.5') OK
+EXPECTED (cues[2].startTime == '31') OK
 END OF TEST
 

Modified: trunk/LayoutTests/media/track/track-add-remove-cue.html (133609 => 133610)


--- trunk/LayoutTests/media/track/track-add-remove-cue.html	2012-11-06 15:42:48 UTC (rev 133609)
+++ trunk/LayoutTests/media/track/track-add-remove-cue.html	2012-11-06 15:54:05 UTC (rev 133610)
@@ -87,6 +87,13 @@
                 consoleWrite("<br>*** Try to remove the cue again.");
                 testException("testTrack.track.removeCue(textCue)", "DOMException.INVALID_STATE_ERR");
 
+                consoleWrite("<br>*** Add a cue before all the existing cues.");
+                run("testTrack.track.addCue(new TextTrackCue(0, 31, 'I am first'))");
+                testExpected("cues[0].startTime", 0);
+                testExpected("cues[0].endTime", 31);
+                testExpected("cues[1].startTime", 0);
+                testExpected("cues[1].endTime", 30.5);
+                testExpected("cues[2].startTime", 31);
                 endTest();
             }
 
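Review bot: the new assertions check the start and end times of cues[0] through cues[2] but never the total count, so a regression that replaced or dropped a cue instead of inserting one would still pass as long as three entries remain in order; adding a `testExpected("cues.length", ...)` line right after the `run("testTrack.track.addCue(...)")` call (with the count the preceding part of the test has established) would pin that down. The ordering the expected values encode is the one the cue-order rules in the spec require for two cues with the same start time, the later end time (31) sorting before the earlier one (30.5), which is worth a one-line comment in the test so the numbers are not mistaken for an arbitrary choice.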

Modified: trunk/Source/WebCore/ChangeLog (133609 => 133610)


--- trunk/Source/WebCore/ChangeLog	2012-11-06 15:42:48 UTC (rev 133609)
+++ trunk/Source/WebCore/ChangeLog	2012-11-06 15:54:05 UTC (rev 133610)
@@ -1,5 +1,20 @@
 2012-11-06  Aaron Colwell  <acolw...@chromium.org>
 
+        Heap-buffer-overflow in WebCore::TextTrackCueList::add
+        https://bugs.webkit.org/show_bug.cgi?id=101018
+
+        Reviewed by Eric Carlson.
+
+        Added an extra check to avoid using a negative array index when a cue
+        is added to the beginning of the list.
+
+        Test case added to LayoutTests/media/track/track-add-remove-cue.html.
+
+        * html/track/TextTrackCueList.cpp:
+        (WebCore::TextTrackCueList::add):
+
+2012-11-06  Aaron Colwell  <acolw...@chromium.org>
+
         Regression(r132681): Heap-use-after-free in WebCore::RenderTextTrackCue::layout
         https://bugs.webkit.org/show_bug.cgi?id=100981
 

Modified: trunk/Source/WebCore/html/track/TextTrackCueList.cpp (133609 => 133610)


--- trunk/Source/WebCore/html/track/TextTrackCueList.cpp	2012-11-06 15:42:48 UTC (rev 133609)
+++ trunk/Source/WebCore/html/track/TextTrackCueList.cpp	2012-11-06 15:54:05 UTC (rev 133610)
@@ -92,12 +92,12 @@
     // http://www.whatwg.org/specs/web-apps/current-work/#text-track-cue-order
     RefPtr<TextTrackCue> cue = prpCue;
     if (start == end) {
-        if (!m_list.isEmpty() && (m_list[start - 1].get() == cue.get()))
+        if (!m_list.isEmpty() && (start > 0) && (m_list[start - 1].get() == cue.get()))
             return false;
 
-       m_list.insert(start, cue);
-       invalidateCueIndexes(start);
-       return true;
+        m_list.insert(start, cue);
+        invalidateCueIndexes(start);
+        return true;
     }
 
     size_t index = (start + end) / 2;
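Review bot: the added `(start > 0)` guard is placed correctly, since `&&` short-circuits before `m_list[start - 1]` is evaluated; note that if `start` is a `size_t`, as `size_t index = (start + end) / 2;` below suggests, `start - 1` at zero wraps to the maximum value rather than going negative, which is exactly why the read landed far past the end of the heap buffer rather than one element before it, and the ChangeLog's "negative array index" wording slightly understates the out-of-bounds distance. With the new guard, `!m_list.isEmpty()` is implied whenever `start` is a valid insertion index (`0 < start <= m_list.size()`), so the condition could be reduced to `if (start > 0 && m_list[start - 1].get() == cue.get())`, or, if the redundancy is kept for clarity, an `ASSERT(start <= m_list.size())` at the top of the branch would document the invariant the index relies on. The three re-indented lines (`m_list.insert`, `invalidateCueIndexes`, `return true`) are whitespace-only changes bundled into a crash fix; harmless, but they widen the diff that will be cherry-picked to stable branches, so a separate style commit would be cleaner.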
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo/webkit-changes
