[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-10851-g50815da
jianli at chromium.org
Wed Dec 22 17:56:20 UTC 2010
The following commit has been merged in the debian/experimental branch:
commit ea89ec7d87add47a0ed94fbcff3c881db04d90e4
Author: jianli at chromium.org <jianli at chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Thu Dec 2 23:39:41 2010 +0000
Integer calculation issues in DataView constructor
https://bugs.webkit.org/show_bug.cgi?id=50354
Reviewed by Kenneth Russell.
WebCore:
Test: fast/canvas/webgl/data-view-crash.html
* html/canvas/DataView.cpp:
(WebCore::DataView::create):
LayoutTests:
* fast/canvas/webgl/data-view-crash-expected.txt: Added.
* fast/canvas/webgl/data-view-crash.html: Added.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@73208 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index cb1512d..7d9b59e 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,13 @@
+2010-12-02 Jian Li <jianli at chromium.org>
+
+ Reviewed by Kenneth Russell.
+
+ Integer calculation issues in DataView constructor
+ https://bugs.webkit.org/show_bug.cgi?id=50354
+
+ * fast/canvas/webgl/data-view-crash-expected.txt: Added.
+ * fast/canvas/webgl/data-view-crash.html: Added.
+
2010-12-02 Xiaomei Ji <xji at chromium.org>
Unreviewed.
diff --git a/LayoutTests/fast/canvas/webgl/data-view-crash-expected.txt b/LayoutTests/fast/canvas/webgl/data-view-crash-expected.txt
new file mode 100644
index 0000000..acf20c4
--- /dev/null
+++ b/LayoutTests/fast/canvas/webgl/data-view-crash-expected.txt
@@ -0,0 +1,10 @@
+Test that DataView does not crash with bad offset or length.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+PASS view = new DataView(array.buffer, -4500000000) threw exception Error: INDEX_SIZE_ERR: DOM Exception 1.
+PASS view = new DataView(array.buffer, -4500000000, 4500000000) threw exception Error: INDEX_SIZE_ERR: DOM Exception 1.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/fast/canvas/webgl/data-view-crash.html b/LayoutTests/fast/canvas/webgl/data-view-crash.html
new file mode 100644
index 0000000..8cd0d26
--- /dev/null
+++ b/LayoutTests/fast/canvas/webgl/data-view-crash.html
@@ -0,0 +1,24 @@
+<html>
+<head>
+<link rel="stylesheet" href="../../js/resources/js-test-style.css"/>
+<script src="../../js/resources/js-test-pre.js"></script>
+</head>
+<body>
+<div id="description"></div>
+<div id="console"></div>
+
+<script>
+description("Test that DataView does not crash with bad offset or length.");
+
+var array = new Uint8Array([164, 112, 157, 63]);
+var view;
+shouldThrow("view = new DataView(array.buffer, -4500000000)");
+shouldThrow("view = new DataView(array.buffer, -4500000000, 4500000000)");
+var value = view ? view.getFloat32(0, true) : 0;
+
+successfullyParsed = true;
+</script>
+
+<script src="../../js/resources/js-test-post.js"></script>
+</body>
+</html>
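Review bot: The two `shouldThrow` cases only reach the new early guard in DataView::create, not the CheckedInt overflow path this commit adds. If the binding converts the arguments with ToUint32 as an IDL `unsigned long` would, -4500000000 becomes 4089934592, which `byteOffset > buffer->byteLength()` rejects before the checked addition is evaluated; a case whose offset fits in the 4-byte buffer but whose sum wraps, e.g. `shouldThrow("view = new DataView(array.buffer, 2, 4294967294)");` (2 + 4294967294 wraps to 0 in 32 bits), would exercise the overflow check itself and would have crashed with the old code. The line `var value = view ? view.getFloat32(0, true) : 0;` is dead: both constructions are expected to throw, so `view` stays undefined, and `value` is never read; either drop it or turn it into a `shouldBe` on a valid view so the test asserts something after the rejections.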
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 17d9dff..cd2b50d 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,15 @@
+2010-12-02 Jian Li <jianli at chromium.org>
+
+ Reviewed by Kenneth Russell.
+
+ Integer calculation issues in DataView constructor
+ https://bugs.webkit.org/show_bug.cgi?id=50354
+
+ Test: fast/canvas/webgl/data-view-crash.html
+
+ * html/canvas/DataView.cpp:
+ (WebCore::DataView::create):
+
2010-12-02 Patrick Gansterer <paroga at webkit.org>
Reviewed by Darin Adler.
diff --git a/WebCore/html/canvas/DataView.cpp b/WebCore/html/canvas/DataView.cpp
index d030211..dbf56ff 100755
--- a/WebCore/html/canvas/DataView.cpp
+++ b/WebCore/html/canvas/DataView.cpp
@@ -29,6 +29,8 @@
#include "DataView.h"
+#include "CheckedInt.h"
+
namespace {
template<typename T>
@@ -43,7 +45,12 @@ namespace WebCore {
PassRefPtr<DataView> DataView::create(PassRefPtr<ArrayBuffer> buffer, unsigned byteOffset, unsigned byteLength)
{
- if (byteOffset + byteLength > buffer->byteLength())
+ if (byteOffset > buffer->byteLength())
+ return 0;
+ CheckedInt<uint32_t> checkedOffset(byteOffset);
+ CheckedInt<uint32_t> checkedLength(byteLength);
+ CheckedInt<uint32_t> checkedMax = checkedOffset + checkedLength;
+ if (!checkedMax.valid() || checkedMax.value() > buffer->byteLength())
return 0;
return adoptRef(new DataView(buffer, byteOffset, byteLength));
}
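Review bot: The early return at `if (byteOffset > buffer->byteLength())` is subsumed by the checked-sum test below it: a sum that does not overflow is at least byteOffset, and one that does fails `valid()`, so the guard is either a deliberate cheap early-out or redundant, and a one-word comment would settle which. More importantly the reason for CheckedInt is not recorded anywhere in the code, and the old `byteOffset + byteLength` looked perfectly reasonable until one knew it wrapped in 32 bits; a comment above the `CheckedInt<uint32_t> checkedOffset(byteOffset);` line such as `// byteOffset + byteLength can wrap in 32 bits; a wrapped sum must not pass the bounds test, so add with overflow detection.` keeps the next maintainer from "simplifying" it back. The comparison `checkedMax.value() > buffer->byteLength()` mixes uint32_t with whatever byteLength() returns, which is not visible here; if it is a wider or signed type, confirm the comparison is not itself subject to conversion.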
--