Google Git
Sign in
webkit / WebKit / f3f52cd3f3e8196531cb24e82422b07873906a58
commitf3f52cd3f3e8196531cb24e82422b07873906a58[log] [tgz]
authorcommit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>Fri Mar 30 20:55:48 2012 +0000
committercommit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>Fri Mar 30 20:55:48 2012 +0000
tree682f1aaeae7b9e7b09c0d0ab0345046b44772e7b
parenta0c4422a9704e9d8ee5ff3ba259f7678cba44d32 [diff]
Fix defective size_t overflow in GestureTapHighlighter.
https://bugs.webkit.org/show_bug.cgi?id=82605

Patch by Zalan Bujtas <zbujtas@gmail.com> on 2012-03-30
Reviewed by Kenneth Rohde Christiansen.

.:

* ManualTests/tap-gesture-in-iframe-with-tap-highlight-crash.html: Added.

Source/WebCore:

In pathForRenderer, the for loop has 'i < rects().size() - 1' as test expression,
where rects().size() returns with size_t.
In case of empty rect, it leads to unsigned int overflow. Overflow value makes
the associated for loop run with invalid values.
Fix it by making loop variable int and stop using size_t type in the test expression.
Also, return early, if no focus ring found.

Manual test added. Tap gesture highlighter is getting triggered by UI process.

* page/GestureTapHighlighter.cpp:

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@112723 268f45cc-cd09-0410-ab3c-d52691b4dbfc
4 files changed
tree: 682f1aaeae7b9e7b09c0d0ab0345046b44772e7b
  1. Examples/
  2. LayoutTests/
  3. ManualTests/
  4. PerformanceTests/
  5. Source/
  6. Tools/
  7. WebKitLibraries/
  8. Websites/
  9. .dir-locals.el
  10. .gitattributes
  11. .gitignore
  12. autogen.sh
  13. ChangeLog
  14. CMakeLists.txt
  15. configure.ac
  16. GNUmakefile.am
  17. Makefile
  18. Makefile.shared
  19. WebKit.pro
  20. wscript