[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-9427-gc2be6fc

cevans at google.com cevans at google.com
Wed Dec 22 14:36:15 UTC 2010


The following commit has been merged in the debian/experimental branch:
commit e804f3b32cd7986fff2c03f3eb23d7ea3509e088
Author: cevans at google.com <cevans at google.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Thu Oct 14 00:21:40 2010 +0000

    2010-10-13  Chris Evans  <cevans at google.com>
    
            Reviewed by Jian Li.
    
            Blob / BlobBuilder can be put into bad state with wild integers and strings, due to integer overflows
            https://bugs.webkit.org/show_bug.cgi?id=47382
    
            Add test for Blob.slice() integer overflow.
    
            * fast/files/blob-slice-overflow.html: Added.
            * fast/files/blob-slice-overflow-expected.txt: Added.
    2010-10-13  Chris Evans  <cevans at google.com>
    
            Reviewed by Jian Li.
    
            Blob / BlobBuilder can be put into bad state with wild integers and strings, due to integer overflows
            https://bugs.webkit.org/show_bug.cgi?id=47382
    
            Fix integer overflow errors in Blob.slice and BlobBuilder.append.
    
            Test: fast/files/blob-slice-overflow.html
    
            * fileapi/Blob.cpp:
            (WebCore::Blob::slice): handle integer overflow properly.
            * fileapi/BlobBuilder.cpp:
            (WebCore::BlobBuilder::append): use correct type for vector length.
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@69716 268f45cc-cd09-0410-ab3c-d52691b4dbfc

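The overflow the commit message describes, shown as an added stand-alone example that is not WebKit code: a C++ model of the range clamp in Blob::slice, with the pre-fix comparison emulated next to the hardened one. The names (ByteRange, clampSliceRange, clampSliceRangeBeforeFix) are hypothetical, and the clamping of negative start/length to zero ahead of the size check is an assumption about the code surrounding the hunk, which the diff does not show.

```cpp
#include <cstdio>
#include <limits>

// Hypothetical stand-alone model of the range clamp in Blob::slice (not WebKit code).
// A slice request is [start, start + length) over a blob of `size` bytes.
struct ByteRange {
    long long start;
    long long length;
};

// Emulates the pre-fix comparison. The real code formed the signed sum
// `start + length` directly, which overflows (undefined behaviour in C++) for
// wild inputs; here the wrap is reproduced with unsigned arithmetic so the
// demonstration itself stays well-defined. On two's-complement targets the
// wrapped sum is negative, the bound check passes, and the oversized length
// survives into the slice.
ByteRange clampSliceRangeBeforeFix(long long size, long long start, long long length)
{
    if (start < 0)   // assumed pre-existing clamps, not visible in the diff
        start = 0;
    if (length < 0)
        length = 0;
    if (start >= size)
        return { 0, 0 };

    unsigned long long wrapped = static_cast<unsigned long long>(start)
                               + static_cast<unsigned long long>(length);
    // Modular reinterpretation: implementation-defined before C++20, modular on gcc/clang.
    long long sum = static_cast<long long>(wrapped);
    if (sum > size)
        length = size - start;
    return { start, length };
}

// Hardened version: test for overflow before forming the sum, and order the
// `||` so the overflowing addition is short-circuited away. `start` is
// non-negative at this point, so `max() - start` cannot itself overflow.
ByteRange clampSliceRange(long long size, long long start, long long length)
{
    if (start < 0)
        start = 0;
    if (length < 0)
        length = 0;
    if (start >= size)
        return { 0, 0 };

    if (length > std::numeric_limits<long long>::max() - start || start + length > size)
        length = size - start;
    return { start, length };
}

int main()
{
    const long long size = 2000;   // a 2000-byte blob, as in the layout test
    const long long wild = std::numeric_limits<long long>::max();

    ByteRange before = clampSliceRangeBeforeFix(size, 1999, wild);
    ByteRange after = clampSliceRange(size, 1999, wild);
    std::printf("before fix: start=%lld length=%lld\n", before.start, before.length);
    std::printf("after fix:  start=%lld length=%lld\n", after.start, after.length);
    return after.length == 1 ? 0 : 1;
}
```

With a 2000-byte blob and a request of start 1999 plus the largest long long, the pre-fix model keeps the whole oversized length while the hardened clamp returns a one-byte slice, which is the "Blob slice length: 1" the layout test expects. The operand order in the hardened check matters: the overflow guard has to come first so that the addition is never evaluated on inputs that would overflow it.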
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 88d41bb..09d5c98 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,15 @@
+2010-10-13  Chris Evans  <cevans at google.com>
+
+        Reviewed by Jian Li.
+
+        Blob / BlobBuilder can be put into bad state with wild integers and strings, due to integer overflows
+        https://bugs.webkit.org/show_bug.cgi?id=47382
+
+        Add test for Blob.slice() integer overflow.
+
+        * fast/files/blob-slice-overflow.html: Added.
+        * fast/files/blob-slice-overflow-expected.txt: Added.
+
 2010-10-13  James Simonsen  <simonjam at chromium.org>
 
         Reviewed by Darin Adler.
diff --git a/LayoutTests/fast/files/blob-slice-overflow-expected.txt b/LayoutTests/fast/files/blob-slice-overflow-expected.txt
new file mode 100644
index 0000000..66a3f09
--- /dev/null
+++ b/LayoutTests/fast/files/blob-slice-overflow-expected.txt
@@ -0,0 +1,2 @@
+The excessive length passed to Blob.slice() should be trapped and result in a truncated slice being returned.
+Blob slice length: 1
diff --git a/LayoutTests/fast/files/blob-slice-overflow.html b/LayoutTests/fast/files/blob-slice-overflow.html
new file mode 100644
index 0000000..d970d4a
--- /dev/null
+++ b/LayoutTests/fast/files/blob-slice-overflow.html
@@ -0,0 +1,26 @@
+<html>
+<body>
+The excessive length passed to Blob.slice() should be trapped and result in
+a truncated slice being returned.
+<pre id='console'></pre>
+<script>
+if (window.layoutTestController) {
+  layoutTestController.dumpAsText();
+  layoutTestController.waitUntilDone()
+}
+var builder =  new BlobBuilder();
+var text = '';
+for (var i = 0; i < 2000; ++i) text += 'A';
+builder.append(text);
+blob = builder.getBlob();
+slicedBlob = blob.slice(1999, 9223372036854775000);
+document.getElementById('console').appendChild(document.createTextNode('Blob slice length: ' + slicedBlob.size));
+if (slicedBlob.size != 1) {
+  document.getElementById('console').appendChild(document.createTextNode('FAIL'));
+}
+if (window.layoutTestController) {
+  layoutTestController.notifyDone();
+}
+</script>
+</body>
+</html>
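Review bot: `blob` and `slicedBlob` are assigned without `var` on `blob = builder.getBlob();` and `slicedBlob = blob.slice(1999, 9223372036854775000);`, so both leak as globals; declare them. The literal 9223372036854775000 is also above 2^53, so it is not exactly representable as a JS Number: what reaches `Blob::slice` is whatever `long long` the binding makes of the nearest double, not the digits written here. Either pick a value that survives conversion exactly or add a comment stating the intended `long long`. The test exercises only `start = 1999`; a second call with `start = 0` and the same oversized length (expected size 2000) would cover the plain `start + length > size` branch as well. Minor: `layoutTestController.waitUntilDone()` is missing its semicolon, and since the script is synchronous the waitUntilDone/notifyDone pair is unnecessary.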
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 5d5ec01..f9a07f1 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,19 @@
+2010-10-13  Chris Evans  <cevans at google.com>
+
+        Reviewed by Jian Li.
+
+        Blob / BlobBuilder can be put into bad state with wild integers and strings, due to integer overflows
+        https://bugs.webkit.org/show_bug.cgi?id=47382
+
+        Fix integer overflow errors in Blob.slice and BlobBuilder.append.
+
+        Test: fast/files/blob-slice-overflow.html
+
+        * fileapi/Blob.cpp:
+        (WebCore::Blob::slice): handle integer overflow properly.
+        * fileapi/BlobBuilder.cpp:
+        (WebCore::BlobBuilder::append): use correct type for vector length.
+
 2010-10-13  Gavin Barraclough  <barraclough at apple.com>
 
         Build fix - remove some redundant references to ScriptString.
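Review bot: the BlobBuilder.cpp line "use correct type for vector length" says what changed but not what was wrong; a few words on the actual defect (a `size_t` length truncated to `unsigned` on 64-bit builds) would make the ChangeLog entry self-explanatory.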
diff --git a/WebCore/fileapi/Blob.cpp b/WebCore/fileapi/Blob.cpp
index d5a5602..90df3c4 100644
--- a/WebCore/fileapi/Blob.cpp
+++ b/WebCore/fileapi/Blob.cpp
@@ -86,7 +86,7 @@ PassRefPtr<Blob> Blob::slice(long long start, long long length, const String& co
     if (start >= size) {
         start = 0;
         length = 0;
-    } else if (start + length > size)
+    } else if (start + length > size || length > std::numeric_limits<long long>::max() - start)
         length = size - start;
 
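Review bot: the operand order on `} else if (start + length > size || length > std::numeric_limits<long long>::max() - start)` defeats the guard: `start + length` is evaluated first, so for the wild input the signed addition overflows (undefined behaviour in C++) before the second operand is ever reached. Swap the operands so the overflow check short-circuits the addition: `} else if (length > std::numeric_limits<long long>::max() - start || start + length > size)`. The guard also assumes `start` is non-negative here, otherwise `max() - start` overflows itself; the clamping that guarantees that is outside this hunk, so a comment to that effect would help. Please also confirm `<limits>` is included in Blob.cpp, which the hunk does not show.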
     OwnPtr<BlobData> blobData = BlobData::create();
diff --git a/WebCore/fileapi/BlobBuilder.cpp b/WebCore/fileapi/BlobBuilder.cpp
index a83726f..69443a5 100644
--- a/WebCore/fileapi/BlobBuilder.cpp
+++ b/WebCore/fileapi/BlobBuilder.cpp
@@ -63,7 +63,7 @@ bool BlobBuilder::append(const String& text, const String& endingType, Exception
 
     if (!utf8Text.isNull()) {
         Vector<char>& buffer = *m_items[m_items.size() - 1].data->mutableData();
-        unsigned oldSize = buffer.size();
+        size_t oldSize = buffer.size();
 
         if (isEndingTypeNative)
             normalizeLineEndingsToNative(utf8Text, buffer);
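Review bot: widening `oldSize` to `size_t` only closes the truncation if the value later derived from it (the appended length, presumably `buffer.size() - oldSize`, which is outside this hunk) is stored in a type at least as wide; if that result is assigned back to an `unsigned` or similar item length, the narrowing merely moves. Worth including the consumer in the diff, or adding a comment at the declaration noting why `unsigned` was wrong (WTF::Vector::size() returns `size_t`, which is 64-bit on LP64 targets).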

-- 
WebKit Debian packaging
