Checks for buffer-overflows when reading characters from textRun
authormmaxfield@apple.com <mmaxfield@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 25 Nov 2015 19:04:03 +0000 (19:04 +0000)
committermmaxfield@apple.com <mmaxfield@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 25 Nov 2015 19:04:03 +0000 (19:04 +0000)
https://bugs.webkit.org/show_bug.cgi?id=151055
<rdar://problem/23251789>

Patch by Pranjal Jumde <pjumde@apple.com> on 2015-11-25
Reviewed by Myles C. Maxfield.

Source/WebCore:

Prevents an off by one error when adding the last font data to the GlyphBuffer.

* Source/WebCore/platform/graphics/WidthIterator.cpp:
* Source/WebCore/platform/graphics/FontCascade.cpp:

LayoutTests:

* dom/html/level1/core/151055_asan.html:
* dom/html/level1/core/151055_asan-expected.txt:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@192770 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/dom/html/level1/core/151055_asan-expected.txt [new file with mode: 0644]
LayoutTests/dom/html/level1/core/151055_asan.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/platform/graphics/FontCascade.cpp
Source/WebCore/platform/graphics/WidthIterator.cpp

index 11a28c3..3300884 100644 (file)
@@ -1,3 +1,14 @@
+2015-11-25  Pranjal Jumde  <pjumde@apple.com>
+
+        Checks for buffer-overflows when reading characters from textRun
+        https://bugs.webkit.org/show_bug.cgi?id=151055
+        <rdar://problem/23251789>
+
+        Reviewed by Myles C. Maxfield.
+
+        * dom/html/level1/core/151055_asan.html:
+        * dom/html/level1/core/151055_asan-expected.txt:
+
 2015-11-24  Commit Queue  <commit-queue@webkit.org>
 
         Unreviewed, rolling out r192536, r192722, and r192743.
diff --git a/LayoutTests/dom/html/level1/core/151055_asan-expected.txt b/LayoutTests/dom/html/level1/core/151055_asan-expected.txt
new file mode 100644 (file)
index 0000000..8ec5713
--- /dev/null
@@ -0,0 +1 @@
+This test passes if it doesn't crash. https://bugs.webkit.org/show_bug.cgi?id=151055 
diff --git a/LayoutTests/dom/html/level1/core/151055_asan.html b/LayoutTests/dom/html/level1/core/151055_asan.html
new file mode 100644 (file)
index 0000000..301d8c3
--- /dev/null
@@ -0,0 +1,19 @@
+<style>
+    div {
+        width: 200px;
+        text-decoration: underline;
+    }
+</style>
+<div id="webtest8" style="direction: rtl; text-align: justify;">
+This test passes if it doesn't crash. https://bugs.webkit.org/show_bug.cgi?id=151055
+</div>
+
+<script>
+   if (window.testRunner)
+       testRunner.dumpAsText();
+   
+   var webtest8 = document.getElementById("webtest8")
+
+   webtest8.appendChild(document.createElement("image"));
+   webtest8.appendChild(document.createElement("textarea"));
+</script>
index 4703b6f..195f601 100644 (file)
@@ -1,3 +1,16 @@
+2015-11-25  Pranjal Jumde  <pjumde@apple.com>
+
+        Checks for buffer-overflows when reading characters from textRun
+        https://bugs.webkit.org/show_bug.cgi?id=151055
+        <rdar://problem/23251789>
+
+        Reviewed by Myles C. Maxfield.
+
+        Prevents an off by one error when adding the last font data to the GlyphBuffer.
+
+        * Source/WebCore/platform/graphics/WidthIterator.cpp:
+        * Source/WebCore/platform/graphics/FontCascade.cpp:
+
 2015-11-22  Andy Estes  <aestes@apple.com>
 
         Teach MiniBrowser how to enable the mock content filter
index e5339c4..993a006 100644 (file)
@@ -1154,6 +1154,7 @@ GlyphToPathTranslator::GlyphUnderlineType computeUnderlineType(const TextRun& te
 
     if (offsetInString == GlyphBuffer::noOffset || offsetInString >= textRun.length()) {
         // We have no idea which character spawned this glyph. Bail.
+        ASSERT_WITH_SECURITY_IMPLICATION(offsetInString < textRun.length());
         return GlyphToPathTranslator::GlyphUnderlineType::DrawOverGlyph;
     }
     
index 83d7d12..1e4c33e 100644 (file)
@@ -400,9 +400,9 @@ inline unsigned WidthIterator::advanceInternal(TextIterator& textIterator, Glyph
 
     if (leftoverJustificationWidth) {
         if (m_forTextEmphasis)
-            glyphBuffer->add(lastFontData->zeroWidthSpaceGlyph(), lastFontData, leftoverJustificationWidth, m_run.length());
+            glyphBuffer->add(lastFontData->zeroWidthSpaceGlyph(), lastFontData, leftoverJustificationWidth, m_run.length() - 1);
         else
-            glyphBuffer->add(lastFontData->spaceGlyph(), lastFontData, leftoverJustificationWidth, m_run.length());
+            glyphBuffer->add(lastFontData->spaceGlyph(), lastFontData, leftoverJustificationWidth, m_run.length() - 1);
     }
 
     auto transformsType = shouldApplyFontTransforms(glyphBuffer, lastGlyphCount, previousCharacter);