Title: [134512] branches/safari-536.28-branch
- Revision
- 134512
- Author
- [email protected]
- Date
- 2012-11-13 17:11:05 -0800 (Tue, 13 Nov 2012)
Log Message
Merged r127508. <rdar://problem/12536493>
Modified Paths
Added Paths
Diff
Modified: branches/safari-536.28-branch/LayoutTests/ChangeLog (134511 => 134512)
--- branches/safari-536.28-branch/LayoutTests/ChangeLog 2012-11-14 01:10:35 UTC (rev 134511)
+++ branches/safari-536.28-branch/LayoutTests/ChangeLog 2012-11-14 01:11:05 UTC (rev 134512)
@@ -1,5 +1,21 @@
2012-11-13 Lucas Forschler <[email protected]>
+ Merge r127508
+
+ 2012-09-04 Michael Saboff <[email protected]>
+
+ equal() in CSSParser.cpp should check the length of characters
+ https://bugs.webkit.org/show_bug.cgi?id=95706
+
+ Added test from duplicate defect https://bugs.webkit.org/show_bug.cgi?id=95634.
+
+ Reviewed by Abhishek Arya.
+
+ * fast/css/crash-comparing-equal-expected.txt: Added.
+ * fast/css/crash-comparing-equal.html: Added.
+
+2012-11-13 Lucas Forschler <[email protected]>
+
Merge r125280
2012-08-10 Jon Lee <[email protected]>
@@ -11434,3 +11450,4 @@
.
.
.
+.
Copied: branches/safari-536.28-branch/LayoutTests/fast/css/crash-comparing-equal-expected.txt (from rev 127508, trunk/LayoutTests/fast/css/crash-comparing-equal-expected.txt) (0 => 134512)
--- branches/safari-536.28-branch/LayoutTests/fast/css/crash-comparing-equal-expected.txt (rev 0)
+++ branches/safari-536.28-branch/LayoutTests/fast/css/crash-comparing-equal-expected.txt 2012-11-14 01:11:05 UTC (rev 134512)
@@ -0,0 +1 @@
+This page shouldn't crash when parsing CSS - Bug 95706.
Copied: branches/safari-536.28-branch/LayoutTests/fast/css/crash-comparing-equal.html (from rev 127508, trunk/LayoutTests/fast/css/crash-comparing-equal.html) (0 => 134512)
--- branches/safari-536.28-branch/LayoutTests/fast/css/crash-comparing-equal.html (rev 0)
+++ branches/safari-536.28-branch/LayoutTests/fast/css/crash-comparing-equal.html 2012-11-14 01:11:05 UTC (rev 134512)
@@ -0,0 +1,15 @@
+<html>
+<head>
+ <script>
+ if (window.testRunner)
+ testRunner.dumpAsText();
+ </script>
+ <style>
+ #parent {
+ font: 20px/1 ahem;
+ </style>
+</head>
+<body>
+This page shouldn't crash when parsing CSS - Bug 95706.
+</body>
+</html>
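Review bot: The `#parent {` rule in the `<style>` block is never closed, and nothing in the test says whether that is the trigger or an accident. I would add a comment such as `<!-- The unterminated #parent rule is deliberate; see bug 95706. -->`, assuming that is the case, so nobody later tidies the markup and removes the trigger. The expected result only says the page does not crash, but the ChangeLog describes the defect as an out-of-bounds access, and a stray read may not crash an ordinary build. It is worth stating in the test that it is meant to run under a memory-checking configuration.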
Modified: branches/safari-536.28-branch/Source/WebCore/ChangeLog (134511 => 134512)
--- branches/safari-536.28-branch/Source/WebCore/ChangeLog 2012-11-14 01:10:35 UTC (rev 134511)
+++ branches/safari-536.28-branch/Source/WebCore/ChangeLog 2012-11-14 01:11:05 UTC (rev 134512)
@@ -1,5 +1,26 @@
2012-11-13 Lucas Forschler <[email protected]>
+ Merge r127508
+
+ 2012-09-04 Michael Saboff <[email protected]>
+
+ equal() in CSSParser.cpp should check the length of characters
+ https://bugs.webkit.org/show_bug.cgi?id=95706
+
+ Reviewed by Abhishek Arya.
+
+ Pass the length of string literals to CSSParser static functions equal() and
+ equalIgnoringCase() so that checks won't access out of bounds memory.
+
+ Added test fast/css/crash-comparing-equal.html.
+
+ * css/CSSParser.cpp:
+ (WebCore::equal): Use template to retrieve the length of string literal.
+ (WebCore::equalIgnoringCase): Ditto.
+ (WebCore::CSSParser::parseDashboardRegions): Use const char[] instead of const char*
+
+2012-11-13 Lucas Forschler <[email protected]>
+
Merge r123433
2012-07-24 Kentaro Hara <[email protected]>
@@ -207512,3 +207533,4 @@
.
.
.
+.
Modified: branches/safari-536.28-branch/Source/WebCore/css/CSSParser.cpp (134511 => 134512)
--- branches/safari-536.28-branch/Source/WebCore/css/CSSParser.cpp 2012-11-14 01:10:35 UTC (rev 134511)
+++ branches/safari-536.28-branch/Source/WebCore/css/CSSParser.cpp 2012-11-14 01:11:05 UTC (rev 134512)
@@ -84,6 +84,7 @@
#include <wtf/dtoa.h>
#include <wtf/text/StringBuffer.h>
#include <wtf/text/StringBuilder.h>
+#include <wtf/text/StringImpl.h>
#if ENABLE(CSS_IMAGE_SET)
#include "CSSImageSetValue.h"
@@ -144,29 +145,26 @@
static const unsigned INVALID_NUM_PARSED_PROPERTIES = UINT_MAX;
static const double MAX_SCALE = 1000000;
-static bool equal(const CSSParserString& a, const char* b)
+template <unsigned N>
+static bool equal(const CSSParserString& a, const char (&b)[N])
{
- for (int i = 0; i < a.length; ++i) {
- if (!b[i])
- return false;
- if (a.characters[i] != b[i])
- return false;
- }
- return !b[a.length];
+ const int length = N - 1; // Ignore the trailing null character
+ if (a.length != length)
+ return false;
+
+ return WTF::equal(a.characters, reinterpret_cast<const LChar*>(b), length);
}
-static bool equalIgnoringCase(const CSSParserString& a, const char* b)
+template <unsigned N>
+static bool equalIgnoringCase(const CSSParserString& a, const char (&b)[N])
{
- for (int i = 0; i < a.length; ++i) {
- if (!b[i])
- return false;
- ASSERT(!isASCIIUpper(b[i]));
- if (toASCIILower(a.characters[i]) != b[i])
- return false;
- }
- return !b[a.length];
-}
+ const int length = N - 1; // Ignore the trailing null character
+ if (a.length != length)
+ return false;
+ return WTF::equalIgnoringCase(b, a.characters, length);
+}
+
static bool hasPrefix(const char* string, unsigned length, const char* prefix)
{
for (unsigned i = 0; i < length; ++i) {
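Review bot: Both templates take the compared length from the array type (`N - 1`), so they are only correct for string literals; a partly filled `char` buffer would also bind to `const char (&b)[N]` and be compared over its full size. I would add a comment above `equal()` such as `// b must be a string literal; N includes its trailing NUL.` In `equalIgnoringCase()` the old `ASSERT(!isASCIIUpper(b[i]))` and the ASCII-only `toASCIILower()` are gone. If `WTF::equalIgnoringCase` applies Unicode case folding (its definition is not in this hunk), non-ASCII characters that fold to ASCII letters could now match a keyword they did not match before, which should be confirmed. `hasPrefix()` at the end of the hunk continues outside it.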