[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-9427-gc2be6fc

commit-queue at webkit.org commit-queue at webkit.org
Wed Dec 22 14:35:15 UTC 2010


The following commit has been merged in the debian/experimental branch:
commit bfe8ef67101a9955f640fa23f9ca4c9d08ccae82
Author: commit-queue at webkit.org <commit-queue at webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Wed Oct 13 19:21:48 2010 +0000

    2010-10-13  Yong Li  <yoli at rim.com>
    
            Reviewed by Oliver Hunt.
    
            Fix potential misaligned memory access in CloneDeserializer::readLittleEndian and readString
            that can result in a crash on ARM (<v6).
            https://bugs.webkit.org/show_bug.cgi?id=47594
    
            No new test added, because the crash can be produced by existing tests like:
            LayoutTests/fast/events/message-channel-gc-4.html
    
            * bindings/js/SerializedScriptValue.cpp:
            (WebCore::CloneDeserializer::readLittleEndian):
            (WebCore::CloneDeserializer::readString):
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@69682 268f45cc-cd09-0410-ab3c-d52691b4dbfc
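
The fix above replaces an aliasing read through a cast pointer with a `memcpy` into a properly aligned local. As an added illustration that is not WebKit's code, the following self-contained C++ reader applies the same idea to a little-endian byte stream in which a one-byte tag at the front deliberately leaves every later field misaligned. `LeReader`, `readLittleEndian`, `readString`, `kSample`, `decodeSample` and `truncatedIsRejected` are this example's own names, and the sample bytes are constructed for it, not taken from WebKit's serialization format.

```cpp
// Added example, not WebKit code: a little-endian stream reader that never
// dereferences a misaligned pointer. All names here are this example's own.
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>

struct LeReader {
    const uint8_t* ptr;
    const uint8_t* end;
};

// Map a byte width to the unsigned integer used to assemble the value.
template <size_t N> struct UIntOfSize;
template <> struct UIntOfSize<1> { typedef uint8_t  type; };
template <> struct UIntOfSize<2> { typedef uint16_t type; };
template <> struct UIntOfSize<4> { typedef uint32_t type; };
template <> struct UIntOfSize<8> { typedef uint64_t type; };

// Read a little-endian T (integer or double) from an arbitrarily aligned
// position. The bytes are assembled with shifts and the result is copied
// into `value` with memcpy, so this is well-defined on every target
// (a strict-alignment ARMv5 core included) and independent of host
// endianness; compilers fold it to a single load where that is legal.
template <typename T>
bool readLittleEndian(LeReader& r, T& value) {
    typedef typename UIntOfSize<sizeof(T)>::type U;
    if (static_cast<size_t>(r.end - r.ptr) < sizeof(T))
        return false;
    U bits = 0;
    for (size_t i = 0; i < sizeof(T); ++i)
        bits = static_cast<U>(bits | (static_cast<U>(r.ptr[i]) << (8 * i)));
    memcpy(&value, &bits, sizeof(T));
    r.ptr += sizeof(T);
    return true;
}

// Read a length-prefixed UTF-16LE string into an owned buffer, the analogue
// of copying through an aligned Vector<UChar> instead of aliasing the stream.
bool readString(LeReader& r, std::u16string& out) {
    uint32_t length;
    if (!readLittleEndian(r, length))
        return false;
    // Compare against the remaining byte count before multiplying, so a
    // hostile length cannot wrap length * sizeof(char16_t).
    if (length > static_cast<size_t>(r.end - r.ptr) / sizeof(char16_t))
        return false;
    out.resize(length);
    for (uint32_t i = 0; i < length; ++i) {
        uint16_t unit = 0;
        readLittleEndian(r, unit); // bounds already established above
        out[i] = static_cast<char16_t>(unit);
    }
    return true;
}

// Constructed sample stream (not a real WebKit clone buffer): the leading
// tag byte pushes the uint32, the double and the string off alignment.
static const uint8_t kSample[] = {
    0x01,                                           // tag byte
    0x78, 0x56, 0x34, 0x12,                         // uint32 0x12345678
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf0, 0x3f, // double 1.0
    0x02, 0x00, 0x00, 0x00,                         // string length 2
    'h', 0x00, 'i', 0x00                            // "hi" in UTF-16LE
};

struct Decoded {
    uint8_t tag;
    uint32_t number;
    double real;
    std::u16string text;
    bool ok;
};

Decoded decodeSample() {
    Decoded d = Decoded();
    LeReader r = { kSample, kSample + sizeof(kSample) };
    d.ok = readLittleEndian(r, d.tag)
        && readLittleEndian(r, d.number)
        && readLittleEndian(r, d.real)
        && readString(r, d.text)
        && r.ptr == r.end; // nothing left over
    return d;
}

// A stream cut off inside the string body must be rejected, not read past.
bool truncatedIsRejected() {
    LeReader r = { kSample, kSample + sizeof(kSample) - 2 };
    uint8_t tag; uint32_t number; double real; std::u16string text;
    return readLittleEndian(r, tag) && readLittleEndian(r, number)
        && readLittleEndian(r, real) && !readString(r, text);
}

int main() {
    Decoded d = decodeSample();
    printf("ok=%d tag=%u number=0x%x real=%g units=%zu truncated_rejected=%d\n",
           d.ok, d.tag, d.number, d.real, d.text.size(), truncatedIsRejected());
    return d.ok ? 0 : 1;
}
```

The point of assembling the value from bytes and then `memcpy`ing it is that the code has no `#if CPU(...)` branch at all: the same source is correct on a strict-alignment ARMv5 core and on x86, and on the latter the optimizer still emits one load. The length check in `readString` is written against the remaining byte count before the multiplication, which is the order a deserializer of attacker-supplied data needs.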

diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 1a1e6e5..fc671fd 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,18 @@
+2010-10-13  Yong Li  <yoli at rim.com>
+
+        Reviewed by Oliver Hunt.
+
+        Fix potential misaligned memory access in CloneDeserializer::readLittleEndian and readString
+        that can result crash on ARM (<v6).
+        https://bugs.webkit.org/show_bug.cgi?id=47594
+
+        No new test added, because the crash can be produced by existing tests like:
+        LayoutTests/fast/events/message-channel-gc-4.html
+
+        * bindings/js/SerializedScriptValue.cpp:
+        (WebCore::CloneDeserializer::readLittleEndian):
+        (WebCore::CloneDeserializer::readString):
+
 2010-10-06  Martin Robinson  <mrobinson at igalia.com>
 
         Reviewed by Dirk Schulze.
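Review bot: the ChangeLog entry describes only the misaligned-access fix, but the code hunks below also change the non-ARMv5 branches of readLittleEndian and readString from `reinterpret_cast_ptr<...>` to `reinterpret_cast<...>`; either drop that unrelated change from the patch or add a line here saying why it is safe to do so.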
diff --git a/WebCore/bindings/js/SerializedScriptValue.cpp b/WebCore/bindings/js/SerializedScriptValue.cpp
index 8ccaf9c..1711687 100644
--- a/WebCore/bindings/js/SerializedScriptValue.cpp
+++ b/WebCore/bindings/js/SerializedScriptValue.cpp
@@ -819,7 +819,12 @@ private:
         if (sizeof(T) == 1)
             value = *ptr++;
         else {
-            value = *reinterpret_cast_ptr<const T*>(ptr);
+#if CPU(ARMV5_OR_LOWER)
+            // To protect misaligned memory access.
+            memcpy(&value, ptr, sizeof(T));
+#else
+            value = *reinterpret_cast<const T*>(ptr);
+#endif
             ptr += sizeof(T);
         }
         return true;
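Review bot: dereferencing `*reinterpret_cast<const T*>(ptr)` when `ptr` is not suitably aligned for `T` is undefined behaviour in C++ on every target, not only on ARMv5, so the `#if CPU(ARMV5_OR_LOWER)` guard leaves the same latent bug in the `#else` branch; consider making `memcpy(&value, ptr, sizeof(T));` the only path, since compilers emit a single load where the target permits it and the preprocessor split and its duplicated code disappear. The comment is clearer as "To avoid a misaligned memory access."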
@@ -907,7 +912,14 @@ private:
             return false;
 
 #if ASSUME_LITTLE_ENDIAN
-        str = UString(reinterpret_cast_ptr<const UChar*>(ptr), length);
+#if CPU(ARMV5_OR_LOWER)
+        // To protect misaligned memory access.
+        Vector<UChar> alignedBuffer(length);
+        memcpy(alignedBuffer.data(), ptr, length * sizeof(UChar));
+        str = UString::adopt(alignedBuffer);
+#else
+        str = UString(reinterpret_cast<const UChar*>(ptr), length);
+#endif
         ptr += length * sizeof(UChar);
 #else
         Vector<UChar> buffer;
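Review bot: the `memcpy(alignedBuffer.data(), ptr, length * sizeof(UChar));` in the new ARMv5 path copies `length * sizeof(UChar)` bytes out of `ptr` and is only safe because of the bounds check implied by the `return false` at the top of the hunk, so that dependency deserves a comment. The `#else` branch already builds the string through a `Vector<UChar> buffer;`, so rather than nesting a second `#if` inside `#if ASSUME_LITTLE_ENDIAN` the buffered path could be taken whenever the host is big-endian or `CPU(ARMV5_OR_LOWER)`, leaving only the aliasing fast path under a single condition.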

-- 
WebKit Debian packaging
