[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-10851-g50815da

jianli at chromium.org jianli at chromium.org
Wed Dec 22 17:56:20 UTC 2010 

The following commit has been merged in the debian/experimental branch:
commit ea89ec7d87add47a0ed94fbcff3c881db04d90e4
Author: jianli at chromium.org <jianli at chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Thu Dec 2 23:39:41 2010 +0000

    Integer calculation issues in DataView constructor
    https://bugs.webkit.org/show_bug.cgi?id=50354
    
    Reviewed by Kenneth Russell.
    
    WebCore:
    
    Test: fast/canvas/webgl/data-view-crash.html
    
    * html/canvas/DataView.cpp:
    (WebCore::DataView::create):
    
    LayoutTests:
    
    * fast/canvas/webgl/data-view-crash-expected.txt: Added.
    * fast/canvas/webgl/data-view-crash.html: Added.
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@73208 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index cb1512d..7d9b59e 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,13 @@
+2010-12-02  Jian Li  <jianli at chromium.org>
+
+        Reviewed by Kenneth Russell.
+
+        Integer calculation issues in DataView constructor
+        https://bugs.webkit.org/show_bug.cgi?id=50354
+
+        * fast/canvas/webgl/data-view-crash-expected.txt: Added.
+        * fast/canvas/webgl/data-view-crash.html: Added.
+
 2010-12-02  Xiaomei Ji  <xji at chromium.org>
 
         Unreviewed.
diff --git a/LayoutTests/fast/canvas/webgl/data-view-crash-expected.txt b/LayoutTests/fast/canvas/webgl/data-view-crash-expected.txt
new file mode 100644
index 0000000..acf20c4
--- /dev/null
+++ b/LayoutTests/fast/canvas/webgl/data-view-crash-expected.txt
@@ -0,0 +1,10 @@
+Test that DataView does not crash with bad offset or length.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+PASS view = new DataView(array.buffer, -4500000000) threw exception Error: INDEX_SIZE_ERR: DOM Exception 1.
+PASS view = new DataView(array.buffer, -4500000000, 4500000000) threw exception Error: INDEX_SIZE_ERR: DOM Exception 1.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/fast/canvas/webgl/data-view-crash.html b/LayoutTests/fast/canvas/webgl/data-view-crash.html
new file mode 100644
index 0000000..8cd0d26
--- /dev/null
+++ b/LayoutTests/fast/canvas/webgl/data-view-crash.html
@@ -0,0 +1,24 @@
+<html>
+<head>
+<link rel="stylesheet" href="../../js/resources/js-test-style.css"/>
+<script src="../../js/resources/js-test-pre.js"></script>
+</head>
+<body>
+<div id="description"></div>
+<div id="console"></div>
+
+<script>
+description("Test that DataView does not crash with bad offset or length.");
+
+var array = new Uint8Array([164, 112, 157, 63]);
+var view;
+shouldThrow("view = new DataView(array.buffer, -4500000000)");
+shouldThrow("view = new DataView(array.buffer, -4500000000, 4500000000)");
+var value = view ? view.getFloat32(0, true) : 0;
+
+successfullyParsed = true;
+</script>
+
+<script src="../../js/resources/js-test-post.js"></script>
+</body>
+</html>
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 17d9dff..cd2b50d 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,15 @@
+2010-12-02  Jian Li  <jianli at chromium.org>
+
+        Reviewed by Kenneth Russell.
+
+        Integer calculation issues in DataView constructor
+        https://bugs.webkit.org/show_bug.cgi?id=50354
+
+        Test: fast/canvas/webgl/data-view-crash.html
+
+        * html/canvas/DataView.cpp:
+        (WebCore::DataView::create):
+
 2010-12-02  Patrick Gansterer  <paroga at webkit.org>
 
         Reviewed by Darin Adler.
diff --git a/WebCore/html/canvas/DataView.cpp b/WebCore/html/canvas/DataView.cpp
index d030211..dbf56ff 100755
--- a/WebCore/html/canvas/DataView.cpp
+++ b/WebCore/html/canvas/DataView.cpp
@@ -29,6 +29,8 @@
 
 #include "DataView.h"
 
+#include "CheckedInt.h"
+
 namespace {
 
 template<typename T>
@@ -43,7 +45,12 @@ namespace WebCore {
 
 PassRefPtr<DataView> DataView::create(PassRefPtr<ArrayBuffer> buffer, unsigned byteOffset, unsigned byteLength)
 {
-    if (byteOffset + byteLength > buffer->byteLength())
+    if (byteOffset > buffer->byteLength())
+        return 0;
+    CheckedInt<uint32_t> checkedOffset(byteOffset);
+    CheckedInt<uint32_t> checkedLength(byteLength);
+    CheckedInt<uint32_t> checkedMax = checkedOffset + checkedLength;
+    if (!checkedMax.valid() || checkedMax.value() > buffer->byteLength())
         return 0;
     return adoptRef(new DataView(buffer, byteOffset, byteLength));
 }

-- 
WebKit Debian packaging

More information about the Pkg-webkit-commits mailing list