Fix defective size_t overflow in GestureTapHighlighter.
author: commit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 30 Mar 2012 20:55:48 +0000 (20:55 +0000)
committer: commit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 30 Mar 2012 20:55:48 +0000 (20:55 +0000)
commit: d7a1d9f96fe5d22f832a31ce7bd352e9eb9f8f11
tree: 682f1aaeae7b9e7b09c0d0ab0345046b44772e7b
parent: 3173a3b8f3d581508cbb7bcb607dbf683540aa19
Fix defective size_t overflow in GestureTapHighlighter.
https://bugs.webkit.org/show_bug.cgi?id=82605

Patch by Zalan Bujtas <zbujtas@gmail.com> on 2012-03-30
Reviewed by Kenneth Rohde Christiansen.

.:

* ManualTests/tap-gesture-in-iframe-with-tap-highlight-crash.html: Added.

Source/WebCore:

In pathForRenderer, the for loop has 'i < rects().size() - 1' as its test expression,
where rects().size() returns a size_t.
In the case of an empty rect, this leads to an unsigned int overflow. The overflowed value makes
the associated for loop run with invalid values.
Fix it by making the loop variable an int and no longer using the size_t type in the test expression.
Also, return early if no focus ring is found.

Manual test added. The tap gesture highlighter is triggered by the UI process.

* page/GestureTapHighlighter.cpp:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@112723 268f45cc-cd09-0410-ab3c-d52691b4dbfc
ChangeLog
ManualTests/tap-gesture-in-iframe-with-tap-highlight-crash.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/page/GestureTapHighlighter.cpp
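The underflow the ChangeLog describes, reproduced as an added stand-alone example (this is not WebCore's code; the `Rect` type, the function names and the iteration cap are constructed for the demo). `rects.size() - 1` is evaluated in unsigned arithmetic, so for an empty vector it wraps to `SIZE_MAX` and the defective loop's condition is true on the first iteration; the fixed variant mirrors the patch by returning early on empty input and comparing against a signed bound.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <vector>

// Constructed stand-in for the highlighter's rect list; not WebCore's type.
struct Rect { int x, y, w, h; };

// The bound the defective test expression compares against.
// With an empty vector, size() - 1 wraps around to SIZE_MAX.
size_t defectiveLoopBound(const std::vector<Rect>& rects) {
    return rects.size() - 1;   // unsigned subtraction, wraps on 0
}

// Count how many iterations the defective loop performs. The cap exists only so
// this demo terminates; in real code the loop would keep indexing past the end.
size_t defectiveIterations(const std::vector<Rect>& rects, size_t cap) {
    size_t count = 0;
    for (size_t i = 0; i < rects.size() - 1; ++i) {
        if (++count >= cap)
            break;
    }
    return count;
}

// Fixed variant following the ChangeLog: bail out on empty input and keep the
// loop bound signed so "size - 1" can never wrap to a huge unsigned value.
size_t fixedIterations(const std::vector<Rect>& rects) {
    if (rects.empty())
        return 0;
    size_t count = 0;
    int last = static_cast<int>(rects.size()) - 1;
    for (int i = 0; i < last; ++i)
        ++count;
    return count;
}

int main() {
    std::vector<Rect> empty;                          // constructed: no rects
    std::vector<Rect> three = {{0, 0, 1, 1}, {1, 0, 1, 1}, {2, 0, 1, 1}};

    std::cout << "defective bound (empty): " << defectiveLoopBound(empty)
              << " (SIZE_MAX is " << SIZE_MAX << ")\n";
    std::cout << "defective iterations (empty, capped at 10): "
              << defectiveIterations(empty, 10) << "\n";
    std::cout << "fixed iterations (empty): " << fixedIterations(empty) << "\n";
    std::cout << "fixed iterations (3 rects): " << fixedIterations(three) << "\n";
    return 0;
}
```

The early return is the part that actually removes the hazard: casting to `int` only moves the wrap to inputs larger than `INT_MAX`, so a guard on empty input (or writing the condition as `i + 1 < rects.size()`, which never subtracts from an unsigned value) is what keeps the loop bound meaningful.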