Title: [148457] branches/safari-536.30-branch/Source/WebCore
- Revision
- 148457
- Author
- roger_f...@apple.com
- Date
- 2013-04-15 12:39:01 -0700 (Mon, 15 Apr 2013)
Log Message
Merge r138213, <rdar://problem/13335063>
Modified: branches/safari-536.30-branch/Source/WebCore/ChangeLog (148456 => 148457)
--- branches/safari-536.30-branch/Source/WebCore/ChangeLog 2013-04-15 19:32:45 UTC (rev 148456)
+++ branches/safari-536.30-branch/Source/WebCore/ChangeLog 2013-04-15 19:39:01 UTC (rev 148457)
@@ -1,3 +1,24 @@
+2013-04-15 Roger Fong <roger_f...@apple.com>
+
+ Merged r138213.
+
+ 2013-01-09 Abhishek Arya <infe...@chromium.org>
+
+ Mitigate out-of-bounds access in InlineIterator
+ https://bugs.webkit.org/show_bug.cgi?id=104812
+
+ Reviewed by Levi Weintraub.
+
+ Share code between InlineIterator::current and InlineIterator::previousInSameNode,
+ thereby checking for access outside text renderer's length.
+
+ * rendering/InlineIterator.h:
+ (InlineIterator):
+ (WebCore::InlineIterator::characterAt):
+ (WebCore):
+ (WebCore::InlineIterator::current):
+ (WebCore::InlineIterator::previousInSameNode):
+
2012-12-13 Lucas Forschler <lforsch...@apple.com>
Rollout r
Modified: branches/safari-536.30-branch/Source/WebCore/rendering/InlineIterator.h (148456 => 148457)
--- branches/safari-536.30-branch/Source/WebCore/rendering/InlineIterator.h 2013-04-15 19:32:45 UTC (rev 148456)
+++ branches/safari-536.30-branch/Source/WebCore/rendering/InlineIterator.h 2013-04-15 19:39:01 UTC (rev 148457)
@@ -85,6 +85,7 @@
return (m_obj && m_obj->isBR()) || atTextParagraphSeparator();
}
+ UChar characterAt(unsigned) const;
UChar current() const;
UChar previousInSameNode() const;
ALWAYS_INLINE WTF::Unicode::Direction direction() const;
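Review bot: The new `characterAt(unsigned)` declaration carries no statement of its contract, yet the whole point of the merge (per the ChangeLog, webkit.org/b/104812) is that it is the single place where the read into `characters()` is bounds-checked, and both `current()` and `previousInSameNode()` now depend on that. A one-line comment on the declaration would keep future callers from bypassing it: `UChar characterAt(unsigned index) const; // 0 if m_obj is not a RenderText or index >= textLength(); the only checked read of characters()`. The same should be said above the definition in the second hunk of this file, where the `index >= text->textLength()` test is the actual mitigation. Note that 0 is also what a genuine U+0000 character yields, so callers cannot tell "out of range" from "NUL" through this API; that is pre-existing behaviour of `current()`, but worth recording in the comment. Whether the declaration is in a public or private section is not visible in this hunk; if it is only used by the two wrappers, making it private would limit callers to the checked paths.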
@@ -350,25 +351,29 @@
return !m_obj;
}
-inline UChar InlineIterator::current() const
+inline UChar InlineIterator::characterAt(unsigned index) const
{
if (!m_obj || !m_obj->isText())
return 0;
RenderText* text = toRenderText(m_obj);
- if (m_pos >= text->textLength())
+ if (index >= text->textLength())
return 0;
- return text->characters()[m_pos];
+ return text->characters()[index];
}
+
+inline UChar InlineIterator::current() const
+{
+ return characterAt(m_pos);
+}
inline UChar InlineIterator::previousInSameNode() const
{
- if (!m_obj || !m_obj->isText() || !m_pos)
+ if (!m_pos)
return 0;
-
- RenderText* text = toRenderText(m_obj);
- return text->characters()[m_pos - 1];
+
+ return characterAt(m_pos - 1);
}
ALWAYS_INLINE WTF::Unicode::Direction InlineIterator::direction() const
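Review bot: The `if (!m_pos) return 0;` guard kept in `previousInSameNode()` is now doing two jobs at once and neither is documented: it answers "no predecessor at position 0" and it prevents `m_pos - 1` from wrapping before the call to `characterAt`. Assuming `m_pos` is unsigned (its declaration is outside this hunk), a wrapped index would still be rejected by `index >= text->textLength()` inside `characterAt`, but only after the `isText()` check, so the early return is what makes the intent explicit rather than what makes it safe; a comment such as `// Position 0 has no predecessor; also keeps m_pos - 1 from wrapping.` would record that. Inside `characterAt`, the line `if (index >= text->textLength())` deserves a why-comment tying it to the bug being mitigated, e.g. `// Bounds-check against the renderer's current length; an unchecked read here was the OOB access in webkit.org/b/104812.`, since the check is silent (returns 0) and a later "cleanup" could easily drop it. The hunk header shows the new function bodies in full, so no enclosing definition is cut here.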