Checks for buffer-overflows when reading characters from textRun
https://bugs.webkit.org/show_bug.cgi?id=151055
<rdar://problem/23251789>
Patch by Pranjal Jumde <pjumde@apple.com> on 2015-11-25
Reviewed by Myles C. Maxfield.
Source/WebCore:
Prevents an off by one error when adding the last font data to the GlyphBuffer.
* Source/WebCore/platform/graphics/WidthIterator.cpp:
* Source/WebCore/platform/graphics/FontCascade.cpp:
LayoutTests:
* dom/html/level1/core/151055_asan.html:
* dom/html/level1/core/151055_asan-expected.txt:
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@192770 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 11a28c3..3300884 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,14 @@
+2015-11-25 Pranjal Jumde <pjumde@apple.com>
+
+ Checks for buffer-overflows when reading characters from textRun
+ https://bugs.webkit.org/show_bug.cgi?id=151055
+ <rdar://problem/23251789>
+
+ Reviewed by Myles C. Maxfield.
+
+ * dom/html/level1/core/151055_asan.html:
+ * dom/html/level1/core/151055_asan-expected.txt:
+
2015-11-24 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r192536, r192722, and r192743.
diff --git a/LayoutTests/dom/html/level1/core/151055_asan-expected.txt b/LayoutTests/dom/html/level1/core/151055_asan-expected.txt
new file mode 100644
index 0000000..8ec5713
--- /dev/null
+++ b/LayoutTests/dom/html/level1/core/151055_asan-expected.txt
@@ -0,0 +1 @@
+This test passes if it doesn't crash. https://bugs.webkit.org/show_bug.cgi?id=151055
diff --git a/LayoutTests/dom/html/level1/core/151055_asan.html b/LayoutTests/dom/html/level1/core/151055_asan.html
new file mode 100644
index 0000000..301d8c3
--- /dev/null
+++ b/LayoutTests/dom/html/level1/core/151055_asan.html
@@ -0,0 +1,19 @@
+<style>
+ div {
+ width: 200px;
+ text-decoration: underline;
+ }
+</style>
+<div id="webtest8" style="direction: rtl; text-align: justify;">
+This test passes if it doesn't crash. https://bugs.webkit.org/show_bug.cgi?id=151055
+</div>
+
+<script>
+ if (window.testRunner)
+ testRunner.dumpAsText();
+
+ var webtest8 = document.getElementById("webtest8")
+
+ webtest8.appendChild(document.createElement("image"));
+ webtest8.appendChild(document.createElement("textarea"));
+</script>
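Review bot: `document.createElement("image")` does not create an `<img>`; the `image`-to-`img` aliasing is done only by the HTML parser, so this line appends an HTMLUnknownElement named `image`. If the reproduction needs an inline replaced element next to the `<textarea>`, use `"img"`; if the unknown element is exactly what provokes the leftover justification width, say so in a comment, because the next person to touch this test will otherwise "fix" it. The test also covers only the `text-decoration: underline` branch, while the WidthIterator change touches both the plain and the `m_forTextEmphasis` branch; a second `<div>` with `-webkit-text-emphasis` set would exercise the other call site. Finally, dom/html/level1/core appears to be the DOM Level 1 conformance suite; a text-layout crash regression test reads as if it belongs under fast/text.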
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
index 4703b6f8..195f601 100644
--- a/Source/WebCore/ChangeLog
+++ b/Source/WebCore/ChangeLog
@@ -1,3 +1,16 @@
+2015-11-25 Pranjal Jumde <pjumde@apple.com>
+
+ Checks for buffer-overflows when reading characters from textRun
+ https://bugs.webkit.org/show_bug.cgi?id=151055
+ <rdar://problem/23251789>
+
+ Reviewed by Myles C. Maxfield.
+
+ Prevents an off by one error when adding the last font data to the GlyphBuffer.
+
+ * Source/WebCore/platform/graphics/WidthIterator.cpp:
+ * Source/WebCore/platform/graphics/FontCascade.cpp:
+
2015-11-22 Andy Estes <aestes@apple.com>
Teach MiniBrowser how to enable the mock content filter
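Review bot: the file entries are written as `* Source/WebCore/platform/graphics/WidthIterator.cpp:` and `* Source/WebCore/platform/graphics/FontCascade.cpp:`, but this is Source/WebCore/ChangeLog, and the LayoutTests entry in this same patch is written relative to its own ChangeLog (`* dom/html/level1/core/151055_asan.html:`, not `* LayoutTests/dom/...`); for consistency these should read `* platform/graphics/WidthIterator.cpp:` and `* platform/graphics/FontCascade.cpp:`, each followed by the name of the function changed. The one-line description would also be more precise as "the last glyph" than "the last font data": what is being added to the GlyphBuffer is a space (or zero-width space) glyph whose string offset was `m_run.length()`, one past the last character.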
diff --git a/Source/WebCore/platform/graphics/FontCascade.cpp b/Source/WebCore/platform/graphics/FontCascade.cpp
index e5339c4..993a006 100644
--- a/Source/WebCore/platform/graphics/FontCascade.cpp
+++ b/Source/WebCore/platform/graphics/FontCascade.cpp
@@ -1154,6 +1154,7 @@
if (offsetInString == GlyphBuffer::noOffset || offsetInString >= textRun.length()) {
// We have no idea which character spawned this glyph. Bail.
+ ASSERT_WITH_SECURITY_IMPLICATION(offsetInString < textRun.length());
return GlyphToPathTranslator::GlyphUnderlineType::DrawOverGlyph;
}
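Review bot: the new `ASSERT_WITH_SECURITY_IMPLICATION(offsetInString < textRun.length())` sits inside the branch that is entered when `offsetInString == GlyphBuffer::noOffset || offsetInString >= textRun.length()` holds, so in debug builds it fires every time the second half of that guard is what brought us here, and the `return DrawOverGlyph` on the next line only ever executes in release. That is fine if an out-of-range offset is always a bug, but the comment above ("We have no idea which character spawned this glyph. Bail.") reads as if bailing were a tolerated outcome; either keep the graceful return and drop the assertion, or keep the assertion and reword the comment to say that release builds bail as defence in depth. Separately, unless `GlyphBuffer::noOffset` is guaranteed to compare less than every `textRun.length()`, the legitimate no-offset path trips the same assertion; testing `offsetInString == GlyphBuffer::noOffset` first and asserting only in the `else` branch would keep the two cases apart.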
diff --git a/Source/WebCore/platform/graphics/WidthIterator.cpp b/Source/WebCore/platform/graphics/WidthIterator.cpp
index 83d7d12..1e4c33e 100644
--- a/Source/WebCore/platform/graphics/WidthIterator.cpp
+++ b/Source/WebCore/platform/graphics/WidthIterator.cpp
@@ -400,9 +400,9 @@
if (leftoverJustificationWidth) {
if (m_forTextEmphasis)
- glyphBuffer->add(lastFontData->zeroWidthSpaceGlyph(), lastFontData, leftoverJustificationWidth, m_run.length());
+ glyphBuffer->add(lastFontData->zeroWidthSpaceGlyph(), lastFontData, leftoverJustificationWidth, m_run.length() - 1);
else
- glyphBuffer->add(lastFontData->spaceGlyph(), lastFontData, leftoverJustificationWidth, m_run.length());
+ glyphBuffer->add(lastFontData->spaceGlyph(), lastFontData, leftoverJustificationWidth, m_run.length() - 1);
}
auto transformsType = shouldApplyFontTransforms(glyphBuffer, lastGlyphCount, previousCharacter);
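Review bot: `m_run.length() - 1` is computed on an unsigned length with no guard, so a run of length 0 would wrap to the maximum value and hand GlyphBuffer an offset far past the end of the run, which is exactly the out-of-range offset the FontCascade hunk now asserts against. A non-zero `leftoverJustificationWidth` presumably implies that at least one character was iterated, but that invariant is not visible here; an `ASSERT(m_run.length())` in front of these two calls would document it and make the subtraction obviously safe. It is also worth a sentence in the ChangeLog that the justification glyph is now attributed to the last character of the run rather than to the position one past it, since the underline-skipping code in FontCascade keys off that offset.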