Add ASSERT_WITH_SECURITY_IMPLICATION to detect out of bounds access
authorinferno@chromium.org <inferno@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 11 Feb 2013 08:06:45 +0000 (08:06 +0000)
committerinferno@chromium.org <inferno@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 11 Feb 2013 08:06:45 +0000 (08:06 +0000)
https://bugs.webkit.org/show_bug.cgi?id=108981

Reviewed by Eric Seidel.

Source/WebCore:

* Modules/mediastream/RTCStatsResponse.cpp:
(WebCore::RTCStatsResponse::addElement):
(WebCore::RTCStatsResponse::addStatistic):
* Modules/websockets/WebSocketChannel.cpp:
(WebCore::WebSocketChannel::skipBuffer):
* css/CSSCalculationValue.cpp:
(WebCore::CSSCalcExpressionNodeParser::parseValueMultiplicativeExpression):
(WebCore::CSSCalcExpressionNodeParser::parseAdditiveValueExpression):
* css/WebKitCSSTransformValue.cpp:
(WebCore::transformValueToCssString):
* editing/TextIterator.cpp:
(WebCore::SearchBuffer::search):
* html/HTMLElement.cpp:
(WebCore::parseColorStringWithCrazyLegacyRules):
* html/ImageData.cpp:
(WebCore::ImageData::ImageData):
* html/shadow/DateTimeSymbolicFieldElement.cpp:
(WebCore::DateTimeSymbolicFieldElement::DateTimeSymbolicFieldElement):
* html/track/TextTrackCueList.cpp:
(WebCore::TextTrackCueList::add):
* platform/SharedBuffer.cpp:
(WebCore::SharedBuffer::getSomeData):
* platform/SharedBufferChunkReader.cpp:
(WebCore::SharedBufferChunkReader::nextChunk):
* platform/audio/HRTFDatabase.cpp:
(WebCore::HRTFDatabase::getKernelsFromAzimuthElevation):
* platform/graphics/GlyphPageTreeNode.cpp:
(WebCore::GlyphPageTreeNode::initializePage):
* platform/graphics/Region.cpp:
(WebCore::Region::Shape::segments_end):
* platform/graphics/filters/FEComponentTransfer.cpp:
(WebCore::FEComponentTransfer::getValues):
* platform/graphics/filters/FilterEffect.cpp:
(WebCore::FilterEffect::inputEffect):
* platform/text/TextCodecUTF8.cpp:
(WebCore::TextCodecUTF8::decode):
* platform/text/mac/TextCodecMac.cpp:
(WebCore::TextCodecMac::decode):
* rendering/RenderBlockLineLayout.cpp:
(WebCore::RenderBlock::checkFloatsInCleanLine):
* svg/SVGAnimatedTypeAnimator.h:
(WebCore::SVGAnimatedTypeAnimator::executeAction):
* svg/SVGAnimationElement.cpp:
(WebCore::SVGAnimationElement::calculatePercentForSpline):
* svg/animation/SVGSMILElement.cpp:
(WebCore::SVGSMILElement::findInstanceTime):

Source/WebKit/chromium:

* src/AutofillPopupMenuClient.cpp:
(WebKit::AutofillPopupMenuClient::getSuggestion):
(WebKit::AutofillPopupMenuClient::getLabel):
(WebKit::AutofillPopupMenuClient::getIcon):
(WebKit::AutofillPopupMenuClient::removeSuggestionAtIndex):
(WebKit::AutofillPopupMenuClient::valueChanged):
(WebKit::AutofillPopupMenuClient::selectionChanged):
* src/ChromeClientImpl.cpp:
(WebKit::ChromeClientImpl::shouldRunModalDialogDuringPageDismissal):

Source/WTF:

* wtf/BitVector.h:
(WTF::BitVector::quickGet):
(WTF::BitVector::quickSet):
(WTF::BitVector::quickClear):
* wtf/DecimalNumber.h:
(WTF::DecimalNumber::DecimalNumber):
* wtf/SegmentedVector.h:
(WTF::SegmentedVector::ensureSegment):
* wtf/StringPrintStream.cpp:
(WTF::StringPrintStream::vprintf):
* wtf/Vector.h:
(WTF::::insert):
(WTF::::remove):
* wtf/dtoa/utils.h:
(WTF::double_conversion::StringBuilder::SetPosition):
(WTF::double_conversion::StringBuilder::AddSubstring):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@142434 268f45cc-cd09-0410-ab3c-d52691b4dbfc

33 files changed:
Source/WTF/ChangeLog
Source/WTF/wtf/BitVector.h
Source/WTF/wtf/DecimalNumber.h
Source/WTF/wtf/SegmentedVector.h
Source/WTF/wtf/StringPrintStream.cpp
Source/WTF/wtf/Vector.h
Source/WTF/wtf/dtoa/utils.h
Source/WebCore/ChangeLog
Source/WebCore/Modules/mediastream/RTCStatsResponse.cpp
Source/WebCore/Modules/websockets/WebSocketChannel.cpp
Source/WebCore/css/CSSCalculationValue.cpp
Source/WebCore/css/WebKitCSSTransformValue.cpp
Source/WebCore/editing/TextIterator.cpp
Source/WebCore/html/HTMLElement.cpp
Source/WebCore/html/ImageData.cpp
Source/WebCore/html/shadow/DateTimeSymbolicFieldElement.cpp
Source/WebCore/html/track/TextTrackCueList.cpp
Source/WebCore/platform/SharedBuffer.cpp
Source/WebCore/platform/SharedBufferChunkReader.cpp
Source/WebCore/platform/audio/HRTFDatabase.cpp
Source/WebCore/platform/graphics/GlyphPageTreeNode.cpp
Source/WebCore/platform/graphics/Region.cpp
Source/WebCore/platform/graphics/filters/FEComponentTransfer.cpp
Source/WebCore/platform/graphics/filters/FilterEffect.cpp
Source/WebCore/platform/text/TextCodecUTF8.cpp
Source/WebCore/platform/text/mac/TextCodecMac.cpp
Source/WebCore/rendering/RenderBlockLineLayout.cpp
Source/WebCore/svg/SVGAnimatedTypeAnimator.h
Source/WebCore/svg/SVGAnimationElement.cpp
Source/WebCore/svg/animation/SVGSMILElement.cpp
Source/WebKit/chromium/ChangeLog
Source/WebKit/chromium/src/AutofillPopupMenuClient.cpp
Source/WebKit/chromium/src/ChromeClientImpl.cpp

index e6e1796..ac30121 100644 (file)
@@ -1,3 +1,27 @@
+2013-02-11  Abhishek Arya  <inferno@chromium.org>
+
+        Add ASSERT_WITH_SECURITY_IMPLICATION to detect out of bounds access
+        https://bugs.webkit.org/show_bug.cgi?id=108981
+
+        Reviewed by Eric Seidel.
+
+        * wtf/BitVector.h:
+        (WTF::BitVector::quickGet):
+        (WTF::BitVector::quickSet):
+        (WTF::BitVector::quickClear):
+        * wtf/DecimalNumber.h:
+        (WTF::DecimalNumber::DecimalNumber):
+        * wtf/SegmentedVector.h:
+        (WTF::SegmentedVector::ensureSegment):
+        * wtf/StringPrintStream.cpp:
+        (WTF::StringPrintStream::vprintf):
+        * wtf/Vector.h:
+        (WTF::::insert):
+        (WTF::::remove):
+        * wtf/dtoa/utils.h:
+        (WTF::double_conversion::StringBuilder::SetPosition):
+        (WTF::double_conversion::StringBuilder::AddSubstring):
+
 2013-02-10  Laszlo Gombos  <l.gombos@samsung.com>
 
         Consolidate the way WTF_USE_PTHREADS is enabled
index 1673ac5..f42bc0b 100644 (file)
@@ -111,19 +111,19 @@ public:
 
     bool quickGet(size_t bit) const
     {
-        ASSERT(bit < size());
+        ASSERT_WITH_SECURITY_IMPLICATION(bit < size());
         return !!(bits()[bit / bitsInPointer()] & (static_cast<uintptr_t>(1) << (bit & (bitsInPointer() - 1))));
     }
     
     void quickSet(size_t bit)
     {
-        ASSERT(bit < size());
+        ASSERT_WITH_SECURITY_IMPLICATION(bit < size());
         bits()[bit / bitsInPointer()] |= (static_cast<uintptr_t>(1) << (bit & (bitsInPointer() - 1)));
     }
     
     void quickClear(size_t bit)
     {
-        ASSERT(bit < size());
+        ASSERT_WITH_SECURITY_IMPLICATION(bit < size());
         bits()[bit / bitsInPointer()] &= ~(static_cast<uintptr_t>(1) << (bit & (bitsInPointer() - 1)));
     }
     
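Review bot: quickGet, quickSet and quickClear still index bits() with `bit` unconditionally, and the upgraded macro on the three assertion lines is the only guard; if ASSERT_WITH_SECURITY_IMPLICATION compiles out in release builds the way ASSERT does (its definition is not in this diff), these hunks add detection in checked builds but no runtime check in shipping ones, which holds for every hunk in this commit. A short comment above quickGet would make the contract explicit for callers whose index derives from untrusted data: `// Precondition: bit < size(). Not bounds-checked in release builds; callers validate the index.`.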
index 8278dfe..5264e98 100644 (file)
@@ -57,7 +57,7 @@ public:
         ASSERT(isfinite(d));
         dtoaRoundSF(m_significand, d, significantFigures, m_sign, m_exponent, m_precision);
 
-        ASSERT(significantFigures && significantFigures <= sizeof(DtoaBuffer));
+        ASSERT_WITH_SECURITY_IMPLICATION(significantFigures && significantFigures <= sizeof(DtoaBuffer));
         while (m_precision < significantFigures)
             m_significand[m_precision++] = '0';
 
@@ -72,7 +72,7 @@ public:
         dtoaRoundDP(m_significand, d, decimalPlaces, m_sign, m_exponent, m_precision);
 
         unsigned significantFigures = 1 + m_exponent + decimalPlaces;
-        ASSERT(significantFigures && significantFigures <= sizeof(DtoaBuffer));
+        ASSERT_WITH_SECURITY_IMPLICATION(significantFigures && significantFigures <= sizeof(DtoaBuffer));
         while (m_precision < significantFigures)
             m_significand[m_precision++] = '0';
 
index 5b3e280..b5bf999 100644 (file)
@@ -255,7 +255,7 @@ namespace WTF {
 
         void ensureSegment(size_t segmentIndex, size_t size)
         {
-            ASSERT(segmentIndex <= m_segments.size());
+            ASSERT_WITH_SECURITY_IMPLICATION(segmentIndex <= m_segments.size());
             if (segmentIndex == m_segments.size())
                 m_segments.append(new Segment);
             m_segments[segmentIndex]->grow(size);
index 389b2db..09f447a 100644 (file)
@@ -50,7 +50,7 @@ StringPrintStream::~StringPrintStream()
 
 void StringPrintStream::vprintf(const char* format, va_list argList)
 {
-    ASSERT(m_next < m_size);
+    ASSERT_WITH_SECURITY_IMPLICATION(m_next < m_size);
     ASSERT(!m_buffer[m_next]);
     
     va_list firstPassArgList;
@@ -82,7 +82,7 @@ void StringPrintStream::vprintf(const char* format, va_list argList)
     
     m_next += numberOfBytesNotIncludingTerminatorThatWereWritten;
     
-    ASSERT(m_next < m_size);
+    ASSERT_WITH_SECURITY_IMPLICATION(m_next < m_size);
     ASSERT(!m_buffer[m_next]);
 }
 
index 63eb5d5..b76c61d 100644 (file)
@@ -1048,7 +1048,7 @@ namespace WTF {
     template<typename T, size_t inlineCapacity> template<typename U>
     void Vector<T, inlineCapacity>::insert(size_t position, const U* data, size_t dataSize)
     {
-        ASSERT(position <= size());
+        ASSERT_WITH_SECURITY_IMPLICATION(position <= size());
         size_t newSize = m_size + dataSize;
         if (newSize > capacity()) {
             data = expandCapacity(newSize, data);
@@ -1067,7 +1067,7 @@ namespace WTF {
     template<typename T, size_t inlineCapacity> template<typename U>
     inline void Vector<T, inlineCapacity>::insert(size_t position, const U& val)
     {
-        ASSERT(position <= size());
+        ASSERT_WITH_SECURITY_IMPLICATION(position <= size());
         const U* data = &val;
         if (size() == capacity()) {
             data = expandCapacity(size() + 1, data);
@@ -1107,7 +1107,7 @@ namespace WTF {
     template<typename T, size_t inlineCapacity>
     inline void Vector<T, inlineCapacity>::remove(size_t position)
     {
-        ASSERT(position < size());
+        ASSERT_WITH_SECURITY_IMPLICATION(position < size());
         T* spot = begin() + position;
         spot->~T();
         TypeOperations::moveOverlapping(spot + 1, end(), spot);
@@ -1117,8 +1117,8 @@ namespace WTF {
     template<typename T, size_t inlineCapacity>
     inline void Vector<T, inlineCapacity>::remove(size_t position, size_t length)
     {
-        ASSERT(position <= size());
-        ASSERT(position + length <= size());
+        ASSERT_WITH_SECURITY_IMPLICATION(position <= size());
+        ASSERT_WITH_SECURITY_IMPLICATION(position + length <= size());
         T* beginSpot = begin() + position;
         T* endSpot = beginSpot + length;
         TypeOperations::destruct(beginSpot, endSpot); 
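Review bot: The second assertion in remove(position, length), `position + length <= size()`, can be satisfied by a wrapped sum when `length` is close to SIZE_MAX, so `beginSpot + length` on the next lines would still run past the buffer even in a build where the assertion is active. Since `position <= size()` is asserted on the line before, the overflow-free form is `ASSERT_WITH_SECURITY_IMPLICATION(length <= size() - position);`. The same additive shape appears in the TextIterator hunk (`matchStart + matchedLength <= size`). The body of remove continues past the end of this hunk.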
index da6e132..ab8f251 100644 (file)
@@ -202,7 +202,7 @@ namespace double_conversion {
         void SetPosition(int position)
         {
             ASSERT(!is_finalized());
-            ASSERT(position < size());
+            ASSERT_WITH_SECURITY_IMPLICATION(position < size());
             position_ = position;
         }
         
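Review bot: SetPosition checks only `position < size()`; `position` is an `int`, so a negative value passes the upgraded assertion and is stored in `position_`, which AddSubstring later uses as the memcpy destination offset (assuming size() returns a signed type comparable with `position`, as the comparison here suggests). A lower bound belongs in the same check: `ASSERT_WITH_SECURITY_IMPLICATION(position >= 0 && position < size());`.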
@@ -228,7 +228,7 @@ namespace double_conversion {
         // builder. The input string must have enough characters.
         void AddSubstring(const char* s, int n) {
             ASSERT(!is_finalized() && position_ + n < buffer_.length());
-            ASSERT(static_cast<size_t>(n) <= strlen(s));
+            ASSERT_WITH_SECURITY_IMPLICATION(static_cast<size_t>(n) <= strlen(s));
             memcpy(&buffer_[position_], s, n * kCharSize);
             position_ += n;
         }
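Review bot: In AddSubstring the assertion that actually bounds the memcpy destination, `position_ + n < buffer_.length()` on the line above the changed one, is left as a plain ASSERT while only the `strlen(s)` source-length check is upgraded; the write into `buffer_` is the one with memory-safety impact. Splitting the combined condition makes that explicit: `ASSERT(!is_finalized());` followed by `ASSERT_WITH_SECURITY_IMPLICATION(position_ + n < buffer_.length());`, keeping the upgraded strlen check as is.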
index 1afd938..5dde927 100644 (file)
@@ -1,3 +1,57 @@
+2013-02-11  Abhishek Arya  <inferno@chromium.org>
+
+        Add ASSERT_WITH_SECURITY_IMPLICATION to detect out of bounds access
+        https://bugs.webkit.org/show_bug.cgi?id=108981
+
+        Reviewed by Eric Seidel.
+
+        * Modules/mediastream/RTCStatsResponse.cpp:
+        (WebCore::RTCStatsResponse::addElement):
+        (WebCore::RTCStatsResponse::addStatistic):
+        * Modules/websockets/WebSocketChannel.cpp:
+        (WebCore::WebSocketChannel::skipBuffer):
+        * css/CSSCalculationValue.cpp:
+        (WebCore::CSSCalcExpressionNodeParser::parseValueMultiplicativeExpression):
+        (WebCore::CSSCalcExpressionNodeParser::parseAdditiveValueExpression):
+        * css/WebKitCSSTransformValue.cpp:
+        (WebCore::transformValueToCssString):
+        * editing/TextIterator.cpp:
+        (WebCore::SearchBuffer::search):
+        * html/HTMLElement.cpp:
+        (WebCore::parseColorStringWithCrazyLegacyRules):
+        * html/ImageData.cpp:
+        (WebCore::ImageData::ImageData):
+        * html/shadow/DateTimeSymbolicFieldElement.cpp:
+        (WebCore::DateTimeSymbolicFieldElement::DateTimeSymbolicFieldElement):
+        * html/track/TextTrackCueList.cpp:
+        (WebCore::TextTrackCueList::add):
+        * platform/SharedBuffer.cpp:
+        (WebCore::SharedBuffer::getSomeData):
+        * platform/SharedBufferChunkReader.cpp:
+        (WebCore::SharedBufferChunkReader::nextChunk):
+        * platform/audio/HRTFDatabase.cpp:
+        (WebCore::HRTFDatabase::getKernelsFromAzimuthElevation):
+        * platform/graphics/GlyphPageTreeNode.cpp:
+        (WebCore::GlyphPageTreeNode::initializePage):
+        * platform/graphics/Region.cpp:
+        (WebCore::Region::Shape::segments_end):
+        * platform/graphics/filters/FEComponentTransfer.cpp:
+        (WebCore::FEComponentTransfer::getValues):
+        * platform/graphics/filters/FilterEffect.cpp:
+        (WebCore::FilterEffect::inputEffect):
+        * platform/text/TextCodecUTF8.cpp:
+        (WebCore::TextCodecUTF8::decode):
+        * platform/text/mac/TextCodecMac.cpp:
+        (WebCore::TextCodecMac::decode):
+        * rendering/RenderBlockLineLayout.cpp:
+        (WebCore::RenderBlock::checkFloatsInCleanLine):
+        * svg/SVGAnimatedTypeAnimator.h:
+        (WebCore::SVGAnimatedTypeAnimator::executeAction):
+        * svg/SVGAnimationElement.cpp:
+        (WebCore::SVGAnimationElement::calculatePercentForSpline):
+        * svg/animation/SVGSMILElement.cpp:
+        (WebCore::SVGSMILElement::findInstanceTime):
+
 2013-02-10  Chris Fleizach  <cfleizach@apple.com>
 
         WebSpeech: Implement basic speaking/finished speaking behavior
index 2f450f0..e375cbe 100644 (file)
@@ -47,13 +47,13 @@ size_t RTCStatsResponse::addReport()
 
 void RTCStatsResponse::addElement(size_t report, bool isLocal, double timestamp)
 {
-    ASSERT(report >= 0 && report < m_result.size());
+    ASSERT_WITH_SECURITY_IMPLICATION(report >= 0 && report < m_result.size());
     m_result[report]->addElement(isLocal, timestamp);
 }
 
 void RTCStatsResponse::addStatistic(size_t report, bool isLocal, String name, String value)
 {
-    ASSERT(report >= 0 && report < m_result.size());
+    ASSERT_WITH_SECURITY_IMPLICATION(report >= 0 && report < m_result.size());
     m_result[report]->addStatistic(isLocal, name, value);
 }
 
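Review bot: `report >= 0` in both upgraded assertions is always true because `report` is a `size_t`, so the clause adds nothing and invites tautological-comparison warnings; the effective check is only `report < m_result.size()`. Both lines can be written as `ASSERT_WITH_SECURITY_IMPLICATION(report < m_result.size());`.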
index 476c292..dcb5b15 100644 (file)
@@ -396,7 +396,7 @@ bool WebSocketChannel::appendToBuffer(const char* data, size_t len)
 
 void WebSocketChannel::skipBuffer(size_t len)
 {
-    ASSERT(len <= m_buffer.size());
+    ASSERT_WITH_SECURITY_IMPLICATION(len <= m_buffer.size());
     memmove(m_buffer.data(), m_buffer.data() + len, m_buffer.size() - len);
     m_buffer.resize(m_buffer.size() - len);
 }
index e87401a..b7f498d 100644 (file)
@@ -488,7 +488,7 @@ private:
                 return false;
         }
 
-        ASSERT(*index <= tokens->size());
+        ASSERT_WITH_SECURITY_IMPLICATION(*index <= tokens->size());
         return true;
     }
 
@@ -515,7 +515,7 @@ private:
                 return false;
         }
 
-        ASSERT(*index <= tokens->size());
+        ASSERT_WITH_SECURITY_IMPLICATION(*index <= tokens->size());
         return true;
     }
 
index 364eb02..c51e958 100644 (file)
@@ -62,7 +62,7 @@ const char* const transformNamePrefixes[] = {
 static inline String transformValueToCssString(WebKitCSSTransformValue::TransformOperationType operation, const String& value)
 {
     if (operation != WebKitCSSTransformValue::UnknownTransformOperation) {
-        ASSERT(static_cast<size_t>(operation) < WTF_ARRAY_LENGTH(transformNamePrefixes));
+        ASSERT_WITH_SECURITY_IMPLICATION(static_cast<size_t>(operation) < WTF_ARRAY_LENGTH(transformNamePrefixes));
         return makeString(transformNamePrefixes[operation], value, ')');
     }
     return String();
index fba9b8d..e7216fc 100644 (file)
@@ -2274,7 +2274,7 @@ nextMatch:
     }
 
     size_t matchedLength = usearch_getMatchedLength(searcher);
-    ASSERT(matchStart + matchedLength <= size);
+    ASSERT_WITH_SECURITY_IMPLICATION(matchStart + matchedLength <= size);
 
     // If this match is "bad", move on to the next match.
     if (isBadMatch(m_buffer.data() + matchStart, matchedLength) || ((m_options & AtWordStarts) && !isWordStartMatch(matchStart, matchedLength))) {
index bd792e9..b59182a 100644 (file)
@@ -1134,7 +1134,7 @@ static RGBA32 parseColorStringWithCrazyLegacyRules(const String& colorString)
     ASSERT(greenIndex >= componentLength);
     ASSERT(greenIndex + 1 < componentLength * 2);
     ASSERT(blueIndex >= componentLength * 2);
-    ASSERT(blueIndex + 1 < digitBuffer.size());
+    ASSERT_WITH_SECURITY_IMPLICATION(blueIndex + 1 < digitBuffer.size());
 
     int redValue = toASCIIHexValue(digitBuffer[redIndex], digitBuffer[redIndex + 1]);
     int greenValue = toASCIIHexValue(digitBuffer[greenIndex], digitBuffer[greenIndex + 1]);
index 9015827..57afb0b 100644 (file)
@@ -67,7 +67,7 @@ ImageData::ImageData(const IntSize& size, PassRefPtr<Uint8ClampedArray> byteArra
     : m_size(size)
     , m_data(byteArray)
 {
-    ASSERT(static_cast<unsigned>(size.width() * size.height() * 4) <= m_data->length());
+    ASSERT_WITH_SECURITY_IMPLICATION(static_cast<unsigned>(size.width() * size.height() * 4) <= m_data->length());
 }
 
 }
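Review bot: The product `size.width() * size.height() * 4` is evaluated in `int` before the cast to `unsigned`, so for large dimensions it can overflow (undefined behaviour for signed arithmetic) and in practice wrap to a small value that passes the upgraded assertion while `byteArray` is far too short for the pixel data. The check needs overflow-safe arithmetic: compute the byte count in a wider unsigned type, or with WTF's checked-arithmetic helpers if this file can include them, and compare that against `m_data->length()`. This assertion is the only validation the constructor performs on the relationship between `size` and `byteArray`.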
index c899beb..ccd0e8b 100644 (file)
@@ -58,7 +58,7 @@ DateTimeSymbolicFieldElement::DateTimeSymbolicFieldElement(Document* document, F
 {
     ASSERT(!symbols.isEmpty());
     ASSERT(m_minimumIndex >= 0);
-    ASSERT(m_maximumIndex < static_cast<int>(m_symbols.size()));
+    ASSERT_WITH_SECURITY_IMPLICATION(m_maximumIndex < static_cast<int>(m_symbols.size()));
     ASSERT(m_minimumIndex <= m_maximumIndex);
 }
 
index 2fbb610..e8695af 100644 (file)
@@ -85,8 +85,8 @@ bool TextTrackCueList::add(PassRefPtr<TextTrackCue> cue)
 
 bool TextTrackCueList::add(PassRefPtr<TextTrackCue> prpCue, size_t start, size_t end)
 {
-    ASSERT(start <= m_list.size());
-    ASSERT(end <= m_list.size());
+    ASSERT_WITH_SECURITY_IMPLICATION(start <= m_list.size());
+    ASSERT_WITH_SECURITY_IMPLICATION(end <= m_list.size());
 
     // Maintain text track cue order:
     // http://www.whatwg.org/specs/web-apps/current-work/#text-track-cue-order
index 90f82da..38aeb1a 100644 (file)
@@ -293,12 +293,12 @@ unsigned SharedBuffer::getSomeData(const char*& someData, unsigned position) con
     }
 
     if (hasPlatformData() || m_purgeableBuffer) {
-        ASSERT(position < size());
+        ASSERT_WITH_SECURITY_IMPLICATION(position < size());
         someData = data() + position;
         return totalSize - position;
     }
 
-    ASSERT(position < m_size);
+    ASSERT_WITH_SECURITY_IMPLICATION(position < m_size);
     unsigned consecutiveSize = m_buffer.size();
     if (position < consecutiveSize) {
         someData = m_buffer.data() + position;
index 08feb32..5d776ad 100644 (file)
@@ -81,7 +81,7 @@ bool SharedBufferChunkReader::nextChunk(Vector<char>& chunk, bool includeSeparat
             char currentCharacter = m_segment[m_segmentIndex++];
             if (currentCharacter != m_separator[m_separatorIndex]) {
                 if (m_separatorIndex > 0) {
-                    ASSERT(m_separatorIndex <= m_separator.size());
+                    ASSERT_WITH_SECURITY_IMPLICATION(m_separatorIndex <= m_separator.size());
                     chunk.append(m_separator.data(), m_separatorIndex);
                     m_separatorIndex = 0;
                 }
index 0111de0..46469ea 100644 (file)
@@ -89,7 +89,7 @@ void HRTFDatabase::getKernelsFromAzimuthElevation(double azimuthBlend, unsigned
                                                   double& frameDelayL, double& frameDelayR)
 {
     unsigned elevationIndex = indexFromElevationAngle(elevationAngle);
-    ASSERT(elevationIndex < m_elevations.size() && m_elevations.size() > 0);
+    ASSERT_WITH_SECURITY_IMPLICATION(elevationIndex < m_elevations.size() && m_elevations.size() > 0);
     
     if (!m_elevations.size()) {
         kernelL = 0;
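Review bot: The upgraded assertion requires `m_elevations.size() > 0`, yet the statement right after it, `if (!m_elevations.size())`, handles exactly that case by zeroing the kernels, so in checked builds the fallback branch is unreachable without first tripping the assertion. Either the empty-database case is a real runtime condition and the assertion should cover only the index, `ASSERT_WITH_SECURITY_IMPLICATION(elevationIndex < m_elevations.size());` placed after the empty check, or the branch is dead and should say so. The function continues beyond this hunk.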
index 757f3f3..7e7ce7e 100644 (file)
@@ -238,7 +238,7 @@ void GlyphPageTreeNode::initializePage(const FontData* fontData, unsigned pageNu
                         }
                         haveGlyphs |= fill(pageToFill, from, to - from, buffer + from * (start < 0x10000 ? 1 : 2), (to - from) * (start < 0x10000 ? 1 : 2), range.fontData().get());
                         if (scratchPage) {
-                            ASSERT(to <=  static_cast<int>(GlyphPage::size));
+                            ASSERT_WITH_SECURITY_IMPLICATION(to <=  static_cast<int>(GlyphPage::size));
                             for (int j = from; j < to; j++) {
                                 if (!m_page->glyphAt(j) && pageToFill->glyphAt(j))
                                     m_page->setGlyphDataForIndex(j, pageToFill->glyphDataForIndex(j));
index 5e4c046..465a37c 100644 (file)
@@ -312,7 +312,7 @@ Region::Shape::SegmentIterator Region::Shape::segments_end(SpanIterator it) cons
     ASSERT(it + 1 < m_spans.data() + m_spans.size());
     size_t segmentIndex = (it + 1)->segmentIndex;
 
-    ASSERT(segmentIndex <= m_segments.size());
+    ASSERT_WITH_SECURITY_IMPLICATION(segmentIndex <= m_segments.size());
     return m_segments.data() + segmentIndex;
 }
 
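Review bot: segments_end dereferences `it + 1` under the plain `ASSERT(it + 1 < m_spans.data() + m_spans.size())` on the first context line, which this hunk leaves unchanged, while upgrading only the check on `segmentIndex`, whose result is a one-past-the-end pointer computation rather than a read. The span read is the one with out-of-bounds impact, so that line deserves the same macro: `ASSERT_WITH_SECURITY_IMPLICATION(it + 1 < m_spans.data() + m_spans.size());`.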
index a937148..2294426 100644 (file)
@@ -183,7 +183,7 @@ void FEComponentTransfer::getValues(unsigned char rValues[256], unsigned char gV
     TransferType callEffect[] = {identity, identity, table, discrete, linear, gamma};
 
     for (unsigned channel = 0; channel < 4; channel++) {
-        ASSERT(static_cast<size_t>(transferFunction[channel].type) < WTF_ARRAY_LENGTH(callEffect));
+        ASSERT_WITH_SECURITY_IMPLICATION(static_cast<size_t>(transferFunction[channel].type) < WTF_ARRAY_LENGTH(callEffect));
         (*callEffect[transferFunction[channel].type])(tables[channel], transferFunction[channel]);
     }
 }
index d7354f6..8ad8fb7 100644 (file)
@@ -93,7 +93,7 @@ IntRect FilterEffect::drawingRegionOfInputImage(const IntRect& srcRect) const
 
 FilterEffect* FilterEffect::inputEffect(unsigned number) const
 {
-    ASSERT(number < m_inputEffects.size());
+    ASSERT_WITH_SECURITY_IMPLICATION(number < m_inputEffects.size());
     return m_inputEffects.at(number).get();
 }
 
index f7376ac..0fa6df7 100644 (file)
@@ -316,7 +316,7 @@ String TextCodecUTF8::decode(const char* bytes, size_t length, bool flush, bool
                 character = nonCharacter;
             else {
                 if (count > end - source) {
-                    ASSERT(end - source < static_cast<ptrdiff_t>(sizeof(m_partialSequence)));
+                    ASSERT_WITH_SECURITY_IMPLICATION(end - source < static_cast<ptrdiff_t>(sizeof(m_partialSequence)));
                     ASSERT(!m_partialSequenceSize);
                     m_partialSequenceSize = end - source;
                     memcpy(m_partialSequence, source, m_partialSequenceSize);
@@ -393,7 +393,7 @@ upConvertTo16Bit:
                 character = nonCharacter;
             else {
                 if (count > end - source) {
-                    ASSERT(end - source < static_cast<ptrdiff_t>(sizeof(m_partialSequence)));
+                    ASSERT_WITH_SECURITY_IMPLICATION(end - source < static_cast<ptrdiff_t>(sizeof(m_partialSequence)));
                     ASSERT(!m_partialSequenceSize);
                     m_partialSequenceSize = end - source;
                     memcpy(m_partialSequence, source, m_partialSequenceSize);
index a704749..8d86204 100644 (file)
@@ -140,7 +140,7 @@ OSStatus TextCodecMac::decode(const unsigned char* inputBuffer, int inputBufferL
         // Finish converting a partial character that's in our buffer.
         
         // First, fill the partial character buffer with as many bytes as are available.
-        ASSERT(m_numBufferedBytes < sizeof(m_bufferedBytes));
+        ASSERT_WITH_SECURITY_IMPLICATION(m_numBufferedBytes < sizeof(m_bufferedBytes));
         const int spaceInBuffer = sizeof(m_bufferedBytes) - m_numBufferedBytes;
         const int bytesToPutInBuffer = min(spaceInBuffer, inputBufferLength);
         ASSERT(bytesToPutInBuffer != 0);
index d00488f..248874c 100644 (file)
@@ -1914,7 +1914,7 @@ void RenderBlock::checkFloatsInCleanLine(RootInlineBox* line, Vector<FloatWithRe
         RenderBox* floatingBox = *it;
         floatingBox->layoutIfNeeded();
         LayoutSize newSize(floatingBox->width() + floatingBox->marginWidth(), floatingBox->height() + floatingBox->marginHeight());
-        ASSERT(floatIndex < floats.size());
+        ASSERT_WITH_SECURITY_IMPLICATION(floatIndex < floats.size());
         if (floats[floatIndex].object != floatingBox) {
             encounteredNewFloat = true;
             return;
index f3f0bc0..2f0dfb6 100644 (file)
@@ -262,7 +262,7 @@ private:
 
         SVGElementAnimatedPropertyList::const_iterator end = animatedTypes.end();
         for (SVGElementAnimatedPropertyList::const_iterator it = animatedTypes.begin(); it != end; ++it) {
-            ASSERT(whichProperty < it->properties.size());
+            ASSERT_WITH_SECURITY_IMPLICATION(whichProperty < it->properties.size());
             AnimValType* property = castAnimatedPropertyToActualType<AnimValType>(it->properties[whichProperty].get());
 
             switch (action) {
index 4e9d685..5b814e3 100644 (file)
@@ -431,7 +431,7 @@ unsigned SVGAnimationElement::calculateKeyTimesIndex(float percent) const
 float SVGAnimationElement::calculatePercentForSpline(float percent, unsigned splineIndex) const
 {
     ASSERT(calcMode() == CalcModeSpline);
-    ASSERT(splineIndex < m_keySplines.size());
+    ASSERT_WITH_SECURITY_IMPLICATION(splineIndex < m_keySplines.size());
     UnitBezier bezier = m_keySplines[splineIndex];
     SMILTime duration = simpleDuration();
     if (!duration.isFinite())
index cb8a444..ba3f873 100644 (file)
@@ -742,7 +742,7 @@ SMILTime SVGSMILElement::findInstanceTime(BeginOrEnd beginOrEnd, SMILTime minimu
 
     const SMILTimeWithOrigin* result = approximateBinarySearch<const SMILTimeWithOrigin, SMILTime>(list, sizeOfList, minimumTime, extractTimeFromVector);
     int indexOfResult = result - list.begin();
-    ASSERT(indexOfResult < sizeOfList);
+    ASSERT_WITH_SECURITY_IMPLICATION(indexOfResult < sizeOfList);
     const SMILTime& currentTime = list[indexOfResult].time();
 
     // The special value "indefinite" does not yield an instance time in the begin list.
index 35a0a7d..9f67f03 100644 (file)
@@ -1,3 +1,20 @@
+2013-02-11  Abhishek Arya  <inferno@chromium.org>
+
+        Add ASSERT_WITH_SECURITY_IMPLICATION to detect out of bounds access
+        https://bugs.webkit.org/show_bug.cgi?id=108981
+
+        Reviewed by Eric Seidel.
+
+        * src/AutofillPopupMenuClient.cpp:
+        (WebKit::AutofillPopupMenuClient::getSuggestion):
+        (WebKit::AutofillPopupMenuClient::getLabel):
+        (WebKit::AutofillPopupMenuClient::getIcon):
+        (WebKit::AutofillPopupMenuClient::removeSuggestionAtIndex):
+        (WebKit::AutofillPopupMenuClient::valueChanged):
+        (WebKit::AutofillPopupMenuClient::selectionChanged):
+        * src/ChromeClientImpl.cpp:
+        (WebKit::ChromeClientImpl::shouldRunModalDialogDuringPageDismissal):
+
 2013-02-10  James Robinson  <jamesr@chromium.org>
 
         [chromium] Enable more of webkit_unit_tests in component builds
index 66cb82b..ad29797 100644 (file)
@@ -69,19 +69,19 @@ unsigned AutofillPopupMenuClient::getSuggestionsCount() const
 
 WebString AutofillPopupMenuClient::getSuggestion(unsigned listIndex) const
 {
-    ASSERT(listIndex < m_names.size());
+    ASSERT_WITH_SECURITY_IMPLICATION(listIndex < m_names.size());
     return m_names[listIndex];
 }
 
 WebString AutofillPopupMenuClient::getLabel(unsigned listIndex) const
 {
-    ASSERT(listIndex < m_labels.size());
+    ASSERT_WITH_SECURITY_IMPLICATION(listIndex < m_labels.size());
     return m_labels[listIndex];
 }
 
 WebString AutofillPopupMenuClient::getIcon(unsigned listIndex) const
 {
-    ASSERT(listIndex < m_icons.size());
+    ASSERT_WITH_SECURITY_IMPLICATION(listIndex < m_icons.size());
     return m_icons[listIndex];
 }
 
@@ -90,7 +90,7 @@ void AutofillPopupMenuClient::removeSuggestionAtIndex(unsigned listIndex)
     if (!canRemoveSuggestionAtIndex(listIndex))
         return;
 
-    ASSERT(listIndex < m_names.size());
+    ASSERT_WITH_SECURITY_IMPLICATION(listIndex < m_names.size());
 
     m_names.remove(listIndex);
     m_labels.remove(listIndex);
@@ -109,7 +109,7 @@ void AutofillPopupMenuClient::valueChanged(unsigned listIndex, bool fireEvents)
     if (!webView)
         return;
 
-    ASSERT(listIndex < m_names.size());
+    ASSERT_WITH_SECURITY_IMPLICATION(listIndex < m_names.size());
 
     if (m_useLegacyBehavior) {
         for (size_t i = 0; i < m_itemIDs.size(); ++i) {
@@ -134,7 +134,7 @@ void AutofillPopupMenuClient::selectionChanged(unsigned listIndex, bool fireEven
     if (!webView)
         return;
 
-    ASSERT(listIndex < m_names.size());
+    ASSERT_WITH_SECURITY_IMPLICATION(listIndex < m_names.size());
 
     webView->autofillClient()->didSelectAutofillSuggestion(WebNode(getTextField()),
                                                            m_names[listIndex],
index d30f7c0..8cb6c8a 100644 (file)
@@ -1095,11 +1095,11 @@ bool ChromeClientImpl::shouldRunModalDialogDuringPageDismissal(const DialogType&
 {
     const char* kDialogs[] = {"alert", "confirm", "prompt", "showModalDialog"};
     int dialog = static_cast<int>(dialogType);
-    ASSERT(0 <= dialog && dialog < static_cast<int>(arraysize(kDialogs)));
+    ASSERT_WITH_SECURITY_IMPLICATION(0 <= dialog && dialog < static_cast<int>(arraysize(kDialogs)));
 
     const char* kDismissals[] = {"beforeunload", "pagehide", "unload"};
     int dismissal = static_cast<int>(dismissalType) - 1; // Exclude NoDismissal.
-    ASSERT(0 <= dismissal && dismissal < static_cast<int>(arraysize(kDismissals)));
+    ASSERT_WITH_SECURITY_IMPLICATION(0 <= dismissal && dismissal < static_cast<int>(arraysize(kDismissals)));
 
     WebKit::Platform::current()->histogramEnumeration("Renderer.ModalDialogsDuringPageDismissal", dismissal * arraysize(kDialogs) + dialog, arraysize(kDialogs) * arraysize(kDismissals));