Add ASSERT_WITH_SECURITY_IMPLICATION to detect out of bounds access
authorinferno@chromium.org <inferno@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 4 Feb 2013 22:36:56 +0000 (22:36 +0000)
committerinferno@chromium.org <inferno@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 4 Feb 2013 22:36:56 +0000 (22:36 +0000)
https://bugs.webkit.org/show_bug.cgi?id=108668

Reviewed by Eric Seidel.

Source/WebCore:

* bindings/v8/SerializedScriptValue.cpp:
* css/CSSCalculationValue.cpp:
(WebCore::CSSCalcExpressionNodeParser::parseCalc):
* css/CSSImageSetValue.cpp:
(WebCore::CSSImageSetValue::fillImageSet):
(WebCore::CSSImageSetValue::customCssText):
* css/CSSParserValues.h:
(WebCore::CSSParserString::operator[]):
* css/CSSValueList.h:
(WebCore::CSSValueListInspector::item):
* css/StyleSheetContents.cpp:
(WebCore::StyleSheetContents::ruleAt):
(WebCore::StyleSheetContents::wrapperInsertRule):
(WebCore::StyleSheetContents::wrapperDeleteRule):
* dom/Document.cpp:
(WebCore::Document::processArguments):
* dom/Element.cpp:
(WebCore::Element::removeAttributeInternal):
* dom/ElementAttributeData.cpp:
(WebCore::ElementAttributeData::removeAttribute):
* dom/ElementAttributeData.h:
(WebCore::ElementAttributeData::attributeItem):
* dom/SpaceSplitString.h:
(WebCore::SpaceSplitStringData::operator[]):
(WebCore::SpaceSplitString::operator[]):
* editing/TextIterator.cpp:
(WebCore::TextIterator::characterAt):
* html/HTMLFormElement.cpp:
(WebCore::HTMLFormElement::removeFormElement):
* html/HTMLSelectElementWin.cpp:
(WebCore::HTMLSelectElement::platformHandleKeydownEvent):
* html/canvas/WebGLRenderingContext.cpp:
(WebCore):
* html/parser/HTMLFormattingElementList.cpp:
(WebCore::HTMLFormattingElementList::swapTo):
* inspector/InspectorStyleSheet.cpp:
(WebCore::InspectorStyleSheet::styleSheetTextWithChangedStyle):
* inspector/InspectorStyleTextEditor.cpp:
(WebCore::InspectorStyleTextEditor::replaceProperty):
* inspector/InspectorValues.cpp:
(WebCore::InspectorArrayBase::get):
* page/WindowFeatures.cpp:
(WebCore::WindowFeatures::WindowFeatures):
* platform/audio/AudioArray.h:
(WebCore::AudioArray::at):
* platform/audio/AudioFIFO.cpp:
(WebCore::AudioFIFO::findWrapLengths):
* platform/graphics/GlyphPage.h:
(WebCore::GlyphPage::glyphDataForIndex):
(WebCore::GlyphPage::glyphAt):
(WebCore::GlyphPage::setGlyphDataForIndex):
* platform/graphics/TextRun.h:
(WebCore::TextRun::operator[]):
(WebCore::TextRun::data8):
(WebCore::TextRun::data16):
* platform/graphics/harfbuzz/HarfBuzzShaper.cpp:
(WebCore::HarfBuzzShaper::setDrawRange):
* platform/graphics/openvg/TiledImageOpenVG.cpp:
(WebCore::TiledImageOpenVG::setTile):
(WebCore::TiledImageOpenVG::tile):
* platform/image-decoders/ico/ICOImageDecoder.cpp:
(WebCore::ICOImageDecoder::decodeAtIndex):
(WebCore::ICOImageDecoder::imageTypeAtIndex):
* platform/text/QuotedPrintable.cpp:
(WebCore::lengthOfLineEndingAtIndex):
* platform/text/SegmentedString.cpp:
(WebCore::SegmentedString::advance):
* platform/win/WebCoreTextRenderer.cpp:
(WebCore::doDrawTextAtPoint):
* rendering/InlineTextBox.cpp:
(WebCore::InlineTextBox::paint):
(WebCore::InlineTextBox::paintSelection):

Source/WebKit/chromium:

* src/ContextFeaturesClientImpl.cpp:
(WebKit::ContextFeaturesCache::entryFor):
* src/WebFrameImpl.cpp:
(WebKit::WebFrameImpl::selectFindMatch):

Source/WebKit2:

* Shared/mac/SandboxExtensionMac.mm:
(WebKit::SandboxExtension::HandleArray::operator[]):

Source/WTF:

* wtf/AVLTree.h:
(WTF::AVLTreeDefaultBSet::operator[]):
* wtf/BitArray.h:
(WTF::BitArray::set):
(WTF::BitArray::get):
* wtf/FastBitVector.h:
(WTF::FastBitVector::set):
(WTF::FastBitVector::clear):
(WTF::FastBitVector::get):
* wtf/FixedArray.h:
(WTF::FixedArray::operator[]):
* wtf/RefCountedArray.h:
(WTF::RefCountedArray::at):
* wtf/TypedArrayBase.h:
(WTF::TypedArrayBase::item):
* wtf/text/StringBuffer.h:
(WTF::StringBuffer::operator[]):
* wtf/text/StringBuilder.h:
(WTF::StringBuilder::operator[]):
* wtf/text/StringImpl.h:
(WTF::StringImpl::operator[]):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@141816 268f45cc-cd09-0410-ab3c-d52691b4dbfc

47 files changed:
Source/WTF/ChangeLog
Source/WTF/wtf/AVLTree.h
Source/WTF/wtf/BitArray.h
Source/WTF/wtf/FastBitVector.h
Source/WTF/wtf/FixedArray.h
Source/WTF/wtf/RefCountedArray.h
Source/WTF/wtf/TypedArrayBase.h
Source/WTF/wtf/text/StringBuffer.h
Source/WTF/wtf/text/StringBuilder.h
Source/WTF/wtf/text/StringImpl.h
Source/WebCore/ChangeLog
Source/WebCore/bindings/v8/SerializedScriptValue.cpp
Source/WebCore/css/CSSCalculationValue.cpp
Source/WebCore/css/CSSImageSetValue.cpp
Source/WebCore/css/CSSParserValues.h
Source/WebCore/css/CSSValueList.h
Source/WebCore/css/StyleSheetContents.cpp
Source/WebCore/dom/Document.cpp
Source/WebCore/dom/Element.cpp
Source/WebCore/dom/ElementAttributeData.cpp
Source/WebCore/dom/ElementAttributeData.h
Source/WebCore/dom/SpaceSplitString.h
Source/WebCore/editing/TextIterator.cpp
Source/WebCore/html/HTMLFormElement.cpp
Source/WebCore/html/HTMLSelectElementWin.cpp
Source/WebCore/html/canvas/WebGLRenderingContext.cpp
Source/WebCore/html/parser/HTMLFormattingElementList.cpp
Source/WebCore/inspector/InspectorStyleSheet.cpp
Source/WebCore/inspector/InspectorStyleTextEditor.cpp
Source/WebCore/inspector/InspectorValues.cpp
Source/WebCore/page/WindowFeatures.cpp
Source/WebCore/platform/audio/AudioArray.h
Source/WebCore/platform/audio/AudioFIFO.cpp
Source/WebCore/platform/graphics/GlyphPage.h
Source/WebCore/platform/graphics/TextRun.h
Source/WebCore/platform/graphics/harfbuzz/HarfBuzzShaper.cpp
Source/WebCore/platform/graphics/openvg/TiledImageOpenVG.cpp
Source/WebCore/platform/image-decoders/ico/ICOImageDecoder.cpp
Source/WebCore/platform/text/QuotedPrintable.cpp
Source/WebCore/platform/text/SegmentedString.cpp
Source/WebCore/platform/win/WebCoreTextRenderer.cpp
Source/WebCore/rendering/InlineTextBox.cpp
Source/WebKit/chromium/ChangeLog
Source/WebKit/chromium/src/ContextFeaturesClientImpl.cpp
Source/WebKit/chromium/src/WebFrameImpl.cpp
Source/WebKit2/ChangeLog
Source/WebKit2/Shared/mac/SandboxExtensionMac.mm

index 9d1223f..6790466 100644 (file)
@@ -1,3 +1,32 @@
+2013-02-04  Abhishek Arya  <inferno@chromium.org>
+
+        Add ASSERT_WITH_SECURITY_IMPLICATION to detect out of bounds access
+        https://bugs.webkit.org/show_bug.cgi?id=108668
+
+        Reviewed by Eric Seidel.
+
+        * wtf/AVLTree.h:
+        (WTF::AVLTreeDefaultBSet::operator[]):
+        * wtf/BitArray.h:
+        (WTF::BitArray::set):
+        (WTF::BitArray::get):
+        * wtf/FastBitVector.h:
+        (WTF::FastBitVector::set):
+        (WTF::FastBitVector::clear):
+        (WTF::FastBitVector::get):
+        * wtf/FixedArray.h:
+        (WTF::FixedArray::operator[]):
+        * wtf/RefCountedArray.h:
+        (WTF::RefCountedArray::at):
+        * wtf/TypedArrayBase.h:
+        (WTF::TypedArrayBase::item):
+        * wtf/text/StringBuffer.h:
+        (WTF::StringBuffer::operator[]):
+        * wtf/text/StringBuilder.h:
+        (WTF::StringBuilder::operator[]):
+        * wtf/text/StringImpl.h:
+        (WTF::StringImpl::operator[]):
+
 2013-02-04  Benjamin Poulain  <benjamin@webkit.org>
 
         Upstream iOS's AtomicString
index f2f82e1..61f627e 100644 (file)
@@ -66,7 +66,7 @@ namespace WTF {
 template<unsigned maxDepth>
 class AVLTreeDefaultBSet {
 public:
-    bool& operator[](unsigned i) { ASSERT(i < maxDepth); return m_data[i]; }
+    bool& operator[](unsigned i) { ASSERT_WITH_SECURITY_IMPLICATION(i < maxDepth); return m_data[i]; }
     void set() { for (unsigned i = 0; i < maxDepth; ++i) m_data[i] = true; }
     void reset() { for (unsigned i = 0; i < maxDepth; ++i) m_data[i] = false; }
 
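Review bot: The new macro on the `operator[]` line changes how an out-of-range index is reported, not whether it is caught in shipping builds: if ASSERT_WITH_SECURITY_IMPLICATION is compiled out in release like ASSERT and only enabled in assertion or sanitizer builds, every hunk in this commit remains a debug/fuzzing aid, and the bare `return m_data[i];` that follows it is unguarded otherwise. Callers that obtain an index from untrusted input therefore still need their own release-mode check before calling; that caveat applies equally to the StyleSheetContents, WebFrameImpl and ICOImageDecoder hunks later in this commit. A sentence in the ChangeLog saying this is an instrumentation change rather than a hardening one would stop the assertion being mistaken for a guard. The class continues outside the hunk.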
index b1ef227..9ad1e0a 100644 (file)
@@ -41,13 +41,13 @@ public:
 
     void set(unsigned index)
     {
-        ASSERT(index < arraySize);
+        ASSERT_WITH_SECURITY_IMPLICATION(index < arraySize);
         m_data[index / 8] |= 1 << (index & 7);
     }
 
     bool get(unsigned index) const
     {
-        ASSERT(index < arraySize);
+        ASSERT_WITH_SECURITY_IMPLICATION(index < arraySize);
         return !!(m_data[index / 8] & (1 << (index & 7)));
     }
 
index 97f9adf..c34dcf5 100644 (file)
@@ -146,13 +146,13 @@ public:
     
     void set(size_t i)
     {
-        ASSERT(i < m_numBits);
+        ASSERT_WITH_SECURITY_IMPLICATION(i < m_numBits);
         m_array[i >> 5] |= (1 << (i & 31));
     }
     
     void clear(size_t i)
     {
-        ASSERT(i < m_numBits);
+        ASSERT_WITH_SECURITY_IMPLICATION(i < m_numBits);
         m_array[i >> 5] &= ~(1 << (i & 31));
     }
     
@@ -166,7 +166,7 @@ public:
     
     bool get(size_t i) const
     {
-        ASSERT(i < m_numBits);
+        ASSERT_WITH_SECURITY_IMPLICATION(i < m_numBits);
         return !!(m_array[i >> 5] & (1 << (i & 31)));
     }
 private:
index c67d18c..c50a12b 100644 (file)
@@ -34,13 +34,13 @@ template <typename T, size_t Size> class FixedArray {
 public:
     T& operator[](size_t i)
     {
-        ASSERT(i < Size);
+        ASSERT_WITH_SECURITY_IMPLICATION(i < Size);
         return m_data[i];
     }
 
     const T& operator[](size_t i) const
     {
-        ASSERT(i < Size);
+        ASSERT_WITH_SECURITY_IMPLICATION(i < Size);
         return m_data[i];
     }
 
index 289f1fc..274af98 100644 (file)
@@ -118,13 +118,13 @@ public:
     
     T& at(size_t i)
     {
-        ASSERT(i < size());
+        ASSERT_WITH_SECURITY_IMPLICATION(i < size());
         return begin()[i];
     }
     
     const T& at(size_t i) const
     {
-        ASSERT(i < size());
+        ASSERT_WITH_SECURITY_IMPLICATION(i < size());
         return begin()[i];
     }
     
index 6d2a0f2..ade824f 100644 (file)
@@ -69,7 +69,7 @@ class TypedArrayBase : public ArrayBufferView {
     // is responsible for doing so and returning undefined as necessary.
     T item(unsigned index) const
     {
-        ASSERT(index < TypedArrayBase<T>::m_length);
+        ASSERT_WITH_SECURITY_IMPLICATION(index < TypedArrayBase<T>::m_length);
         return TypedArrayBase<T>::data()[index];
     }
 
index 0f66113..73cde83 100644 (file)
@@ -71,7 +71,7 @@ public:
     unsigned length() const { return m_length; }
     CharType* characters() { return m_data; }
 
-    CharType& operator[](unsigned i) { ASSERT(i < m_length); return m_data[i]; }
+    CharType& operator[](unsigned i) { ASSERT_WITH_SECURITY_IMPLICATION(i < m_length); return m_data[i]; }
 
     CharType* release() { CharType* data = m_data; m_data = 0; return data; }
 
index 9279151..75a8f25 100644 (file)
@@ -217,7 +217,7 @@ public:
 
     UChar operator[](unsigned i) const
     {
-        ASSERT(i < m_length);
+        ASSERT_WITH_SECURITY_IMPLICATION(i < m_length);
         if (m_is8Bit)
             return characters8()[i];
         return characters16()[i];
index 8f54a4b..43952db 100644 (file)
@@ -636,7 +636,7 @@ public:
 
     UChar operator[](unsigned i) const
     {
-        ASSERT(i < m_length);
+        ASSERT_WITH_SECURITY_IMPLICATION(i < m_length);
         if (is8Bit())
             return m_data8[i];
         return m_data16[i];
index 7a32d8a..4d354e9 100644 (file)
@@ -1,3 +1,83 @@
+2013-02-04  Abhishek Arya  <inferno@chromium.org>
+
+        Add ASSERT_WITH_SECURITY_IMPLICATION to detect out of bounds access
+        https://bugs.webkit.org/show_bug.cgi?id=108668
+
+        Reviewed by Eric Seidel.
+
+        * bindings/v8/SerializedScriptValue.cpp:
+        * css/CSSCalculationValue.cpp:
+        (WebCore::CSSCalcExpressionNodeParser::parseCalc):
+        * css/CSSImageSetValue.cpp:
+        (WebCore::CSSImageSetValue::fillImageSet):
+        (WebCore::CSSImageSetValue::customCssText):
+        * css/CSSParserValues.h:
+        (WebCore::CSSParserString::operator[]):
+        * css/CSSValueList.h:
+        (WebCore::CSSValueListInspector::item):
+        * css/StyleSheetContents.cpp:
+        (WebCore::StyleSheetContents::ruleAt):
+        (WebCore::StyleSheetContents::wrapperInsertRule):
+        (WebCore::StyleSheetContents::wrapperDeleteRule):
+        * dom/Document.cpp:
+        (WebCore::Document::processArguments):
+        * dom/Element.cpp:
+        (WebCore::Element::removeAttributeInternal):
+        * dom/ElementAttributeData.cpp:
+        (WebCore::ElementAttributeData::removeAttribute):
+        * dom/ElementAttributeData.h:
+        (WebCore::ElementAttributeData::attributeItem):
+        * dom/SpaceSplitString.h:
+        (WebCore::SpaceSplitStringData::operator[]):
+        (WebCore::SpaceSplitString::operator[]):
+        * editing/TextIterator.cpp:
+        (WebCore::TextIterator::characterAt):
+        * html/HTMLFormElement.cpp:
+        (WebCore::HTMLFormElement::removeFormElement):
+        * html/HTMLSelectElementWin.cpp:
+        (WebCore::HTMLSelectElement::platformHandleKeydownEvent):
+        * html/canvas/WebGLRenderingContext.cpp:
+        (WebCore):
+        * html/parser/HTMLFormattingElementList.cpp:
+        (WebCore::HTMLFormattingElementList::swapTo):
+        * inspector/InspectorStyleSheet.cpp:
+        (WebCore::InspectorStyleSheet::styleSheetTextWithChangedStyle):
+        * inspector/InspectorStyleTextEditor.cpp:
+        (WebCore::InspectorStyleTextEditor::replaceProperty):
+        * inspector/InspectorValues.cpp:
+        (WebCore::InspectorArrayBase::get):
+        * page/WindowFeatures.cpp:
+        (WebCore::WindowFeatures::WindowFeatures):
+        * platform/audio/AudioArray.h:
+        (WebCore::AudioArray::at):
+        * platform/audio/AudioFIFO.cpp:
+        (WebCore::AudioFIFO::findWrapLengths):
+        * platform/graphics/GlyphPage.h:
+        (WebCore::GlyphPage::glyphDataForIndex):
+        (WebCore::GlyphPage::glyphAt):
+        (WebCore::GlyphPage::setGlyphDataForIndex):
+        * platform/graphics/TextRun.h:
+        (WebCore::TextRun::operator[]):
+        (WebCore::TextRun::data8):
+        (WebCore::TextRun::data16):
+        * platform/graphics/harfbuzz/HarfBuzzShaper.cpp:
+        (WebCore::HarfBuzzShaper::setDrawRange):
+        * platform/graphics/openvg/TiledImageOpenVG.cpp:
+        (WebCore::TiledImageOpenVG::setTile):
+        (WebCore::TiledImageOpenVG::tile):
+        * platform/image-decoders/ico/ICOImageDecoder.cpp:
+        (WebCore::ICOImageDecoder::decodeAtIndex):
+        (WebCore::ICOImageDecoder::imageTypeAtIndex):
+        * platform/text/QuotedPrintable.cpp:
+        (WebCore::lengthOfLineEndingAtIndex):
+        * platform/text/SegmentedString.cpp:
+        (WebCore::SegmentedString::advance):
+        * platform/win/WebCoreTextRenderer.cpp:
+        (WebCore::doDrawTextAtPoint):
+        * rendering/InlineTextBox.cpp:
+        (WebCore::InlineTextBox::paint):
+        (WebCore::InlineTextBox::paintSelection):
+
 2013-02-04  Nate Chapin  <japhet@chromium.org>
 
         REGRESSION (r137607): Loading of archives as substitute data is broken
index 82dd3c0..a9f2ffa 100644 (file)
@@ -2203,7 +2203,7 @@ private:
 
     v8::Local<v8::Value> element(unsigned index)
     {
-        ASSERT(index < m_stack.size());
+        ASSERT_WITH_SECURITY_IMPLICATION(index < m_stack.size());
         return m_stack[index];
     }
 
index f1136db..e87401a 100644 (file)
@@ -407,7 +407,7 @@ public:
         unsigned index = 0;
         Value result;
         bool ok = parseValueExpression(tokens, 0, &index, &result);
-        ASSERT(index <= tokens->size());
+        ASSERT_WITH_SECURITY_IMPLICATION(index <= tokens->size());
         if (!ok || index != tokens->size())
             return 0;
         return result.value;
index 0249472..7a6026b 100644 (file)
@@ -66,7 +66,7 @@ void CSSImageSetValue::fillImageSet()
         String imageURL = static_cast<CSSImageValue*>(imageValue)->url();
 
         ++i;
-        ASSERT(i < length);
+        ASSERT_WITH_SECURITY_IMPLICATION(i < length);
         CSSValue* scaleFactorValue = item(i);
         ASSERT_WITH_SECURITY_IMPLICATION(scaleFactorValue->isPrimitiveValue());
         float scaleFactor = static_cast<CSSPrimitiveValue*>(scaleFactorValue)->getFloatValue();
@@ -158,7 +158,7 @@ String CSSImageSetValue::customCssText() const
         result.append(' ');
 
         ++i;
-        ASSERT(i < length);
+        ASSERT_WITH_SECURITY_IMPLICATION(i < length);
         const CSSValue* scaleFactorValue = item(i);
         result.append(scaleFactorValue->cssText());
         // FIXME: Eventually the scale factor should contain it's own unit http://wkb.ug/100120.
index 6ec8049..1b2071d 100644 (file)
@@ -78,7 +78,7 @@ struct CSSParserString {
 
     UChar operator[](unsigned i)
     {
-        ASSERT(i < m_length);
+        ASSERT_WITH_SECURITY_IMPLICATION(i < m_length);
         if (is8Bit())
             return m_data.characters8[i];
         return m_data.characters16[i];
index 3d897bc..22efea1 100644 (file)
@@ -88,7 +88,7 @@ private:
 class CSSValueListInspector {
 public:
     CSSValueListInspector(CSSValue* value) : m_list((value && value->isValueList()) ? static_cast<CSSValueList*>(value) : 0) { }
-    CSSValue* item(size_t index) const { ASSERT(index < length()); return m_list->itemWithoutBoundsCheck(index); }
+    CSSValue* item(size_t index) const { ASSERT_WITH_SECURITY_IMPLICATION(index < length()); return m_list->itemWithoutBoundsCheck(index); }
     CSSValue* first() const { return item(0); }
     CSSValue* second() const { return item(1); }
     size_t length() const { return m_list ? m_list->length() : 0; }
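Review bot: `item()` dereferences `m_list` immediately after the new assertion, and `length()` on the last line returns 0 when `m_list` is null, so with the macro disabled a null list reaches `m_list->itemWithoutBoundsCheck(index)` unchecked; `first()` and `second()` call `item()` unconditionally. A comment on the changed line, `// Precondition: index < length(); a null m_list has length 0, so callers must check length() first.`, makes that contract visible to callers. The class continues outside the hunk.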
index c2f75c5..0adfa04 100644 (file)
@@ -148,7 +148,7 @@ void StyleSheetContents::parserAppendRule(PassRefPtr<StyleRuleBase> rule)
 
 StyleRuleBase* StyleSheetContents::ruleAt(unsigned index) const
 {
-    ASSERT(index < ruleCount());
+    ASSERT_WITH_SECURITY_IMPLICATION(index < ruleCount());
     
     unsigned childVectorIndex = index;
     if (hasCharsetRule()) {
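Review bot: `ruleAt`, `wrapperInsertRule` and `wrapperDeleteRule` take an index that presumably originates in script through the CSSOM wrapper, so the upgraded assertion documents a precondition the wrapper must already enforce by rejecting the call; it is not itself the guard in builds where the macro is disabled. A one-line comment above each of the three assertions, `// Not a release-mode guard: callers must reject out-of-range indices before reaching here.`, keeps a future caller from relying on it. The same note applies to the two later hunks in this file; each function body continues outside its hunk.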
@@ -198,7 +198,7 @@ void StyleSheetContents::parserSetEncodingFromCharsetRule(const String& encoding
 bool StyleSheetContents::wrapperInsertRule(PassRefPtr<StyleRuleBase> rule, unsigned index)
 {
     ASSERT(m_isMutable);
-    ASSERT(index <= ruleCount());
+    ASSERT_WITH_SECURITY_IMPLICATION(index <= ruleCount());
     // Parser::parseRule doesn't currently allow @charset so we don't need to deal with it.
     ASSERT(!rule->isCharsetRule());
     
@@ -234,7 +234,7 @@ bool StyleSheetContents::wrapperInsertRule(PassRefPtr<StyleRuleBase> rule, unsig
 void StyleSheetContents::wrapperDeleteRule(unsigned index)
 {
     ASSERT(m_isMutable);
-    ASSERT(index < ruleCount());
+    ASSERT_WITH_SECURITY_IMPLICATION(index < ruleCount());
 
     unsigned childVectorIndex = index;
     if (hasCharsetRule()) {
index 6c7781e..6214756 100644 (file)
@@ -2930,7 +2930,7 @@ void Document::processArguments(const String& features, void* data, ArgumentsCal
             i++;
         valueEnd = i;
 
-        ASSERT(i <= length);
+        ASSERT_WITH_SECURITY_IMPLICATION(i <= length);
 
         String keyString = buffer.substring(keyBegin, keyEnd - keyBegin);
         String valueString = buffer.substring(valueBegin, valueEnd - valueBegin);
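Review bot: The loop that ends in this `i <= length` assertion appears to be the same feature-string tokenizer as in `WindowFeatures::WindowFeatures` (the page/WindowFeatures.cpp hunk of this commit), down to the `keyString`/`valueString` substrings, so any later fix to the bound will land in one copy and not the other. Extracting the shared tokenizer, or having one call the other, would make the assertion live in one place. The enclosing function starts and ends outside the hunk.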
index 8382c5d..5327c0d 100644 (file)
@@ -1767,7 +1767,7 @@ void Element::setAttributeNS(const AtomicString& namespaceURI, const AtomicStrin
 
 void Element::removeAttributeInternal(size_t index, SynchronizationOfLazyAttribute inSynchronizationOfLazyAttribute)
 {
-    ASSERT(index < attributeCount());
+    ASSERT_WITH_SECURITY_IMPLICATION(index < attributeCount());
 
     ElementAttributeData* attributeData = mutableAttributeData();
 
index a5e8566..e6971b7 100644 (file)
@@ -138,7 +138,7 @@ void ElementAttributeData::addAttribute(const Attribute& attribute)
 void ElementAttributeData::removeAttribute(size_t index)
 {
     ASSERT(isMutable());
-    ASSERT(index < length());
+    ASSERT_WITH_SECURITY_IMPLICATION(index < length());
     mutableAttributeVector().remove(index);
 }
 
index dd0556e..68f06ba 100644 (file)
@@ -263,7 +263,7 @@ inline Attribute* ElementAttributeData::getAttributeItem(const QualifiedName& na
 
 inline const Attribute* ElementAttributeData::attributeItem(unsigned index) const
 {
-    ASSERT(index < length());
+    ASSERT_WITH_SECURITY_IMPLICATION(index < length());
     if (m_isMutable)
         return &mutableAttributeVector().at(index);
     return &immutableAttributeArray()[index];
@@ -271,7 +271,7 @@ inline const Attribute* ElementAttributeData::attributeItem(unsigned index) cons
 
 inline Attribute* ElementAttributeData::attributeItem(unsigned index)
 {
-    ASSERT(index < length());
+    ASSERT_WITH_SECURITY_IMPLICATION(index < length());
     return &mutableAttributeVector().at(index);
 }
 
index a3f65f2..53b588f 100644 (file)
@@ -51,7 +51,7 @@ namespace WebCore {
 
         bool isUnique() const { return m_keyString.isNull(); } 
         size_t size() const { return m_vector.size(); }
-        const AtomicString& operator[](size_t i) { ASSERT(i < size()); return m_vector[i]; }
+        const AtomicString& operator[](size_t i) { ASSERT_WITH_SECURITY_IMPLICATION(i < size()); return m_vector[i]; }
 
     private:
         explicit SpaceSplitStringData(const AtomicString&);
@@ -82,7 +82,7 @@ namespace WebCore {
 
         size_t size() const { return m_data ? m_data->size() : 0; }
         bool isNull() const { return !m_data; }
-        const AtomicString& operator[](size_t i) const { ASSERT(i < size()); return (*m_data)[i]; }
+        const AtomicString& operator[](size_t i) const { ASSERT_WITH_SECURITY_IMPLICATION(i < size()); return (*m_data)[i]; }
 
     private:
         void ensureUnique()
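Review bot: The rewritten `SpaceSplitStringData::operator[]` in the first hunk of this file is not const-qualified although it only reads `m_vector`, while the `SpaceSplitString::operator[]` rewritten here is; since the line is being touched anyway, `const AtomicString& operator[](size_t i) const { ASSERT_WITH_SECURITY_IMPLICATION(i < size()); return m_vector[i]; }` brings the two into line. Both classes continue outside their hunks.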
index 770ace5..b6b001b 100644 (file)
@@ -465,7 +465,7 @@ void TextIterator::advance()
 
 UChar TextIterator::characterAt(unsigned index) const
 {
-    ASSERT(index < static_cast<unsigned>(length()));
+    ASSERT_WITH_SECURITY_IMPLICATION(index < static_cast<unsigned>(length()));
     if (!(index < static_cast<unsigned>(length())))
         return 0;
 
index 749aa55..953fec6 100644 (file)
@@ -562,7 +562,7 @@ void HTMLFormElement::removeFormElement(FormAssociatedElement* e)
         if (m_associatedElements[index] == e)
             break;
     }
-    ASSERT(index < m_associatedElements.size());
+    ASSERT_WITH_SECURITY_IMPLICATION(index < m_associatedElements.size());
     if (index < m_associatedElementsBeforeIndex)
         --m_associatedElementsBeforeIndex;
     if (index < m_associatedElementsAfterIndex)
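Review bot: If `e` is not present in `m_associatedElements`, the search loop above leaves `index == m_associatedElements.size()`; the upgraded assertion reports that in instrumented builds, but otherwise the two `if (index < ...)` adjustments simply skip and whatever removal follows outside the hunk proceeds with a one-past-the-end index. If that case is impossible by construction, a comment saying so would help; otherwise an early return `if (index == m_associatedElements.size()) return;` after the assertion keeps release builds safe. The function starts and ends outside the hunk.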
index 189aaf0..bbdac3a 100644 (file)
@@ -48,7 +48,7 @@ bool HTMLSelectElement::platformHandleKeydownEvent(KeyboardEvent* event)
 
     int index = selectedIndex();
     ASSERT(index >= 0);
-    ASSERT(index < listItems().size());
+    ASSERT_WITH_SECURITY_IMPLICATION(index < listItems().size());
     setSelectedIndex(index);
     event->setDefaultHandled();
     return true;
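Review bot: The new assertion compares the signed `int index` with `listItems().size()`, which reads as an unsigned size, so it only works through implicit conversion; the `ASSERT(index >= 0)` directly above makes an explicit cast safe, and `ASSERT_WITH_SECURITY_IMPLICATION(static_cast<size_t>(index) < listItems().size());` says the same thing without the sign comparison. Note that if `selectedIndex()` can return -1 for no selection, only the plain ASSERT catches it and the code continues to `setSelectedIndex(index)` regardless. The function starts outside the hunk.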
index 4f24b0c..8c29487 100644 (file)
@@ -218,7 +218,7 @@ namespace {
 
         UChar current()
         {
-            ASSERT(m_position < m_length);
+            ASSERT_WITH_SECURITY_IMPLICATION(m_position < m_length);
             return m_sourceString[m_position];
         }
 
index e7dd0da..c3b98fe 100644 (file)
@@ -97,7 +97,7 @@ void HTMLFormattingElementList::swapTo(Element* oldElement, PassRefPtr<HTMLStack
         return;
     }
     size_t index = bookmark.mark() - first();
-    ASSERT(index < size());
+    ASSERT_WITH_SECURITY_IMPLICATION(index < size());
     m_entries.insert(index + 1, newItem);
     remove(oldElement);
 }
index fabc306..63e639e 100644 (file)
@@ -1258,7 +1258,7 @@ bool InspectorStyleSheet::styleSheetTextWithChangedStyle(CSSStyleDeclaration* st
     ASSERT(bodyStart <= bodyEnd);
 
     String text = m_parsedStyleSheet->text();
-    ASSERT(bodyEnd <= text.length()); // bodyEnd is exclusive
+    ASSERT_WITH_SECURITY_IMPLICATION(bodyEnd <= text.length()); // bodyEnd is exclusive
 
     text.replace(bodyStart, bodyEnd - bodyStart, newStyleText);
     *result = text;
index 059a650..b6ec4db 100644 (file)
@@ -121,7 +121,7 @@ void InspectorStyleTextEditor::insertProperty(unsigned index, const String& prop
 
 void InspectorStyleTextEditor::replaceProperty(unsigned index, const String& newText)
 {
-    ASSERT(index < m_allProperties->size());
+    ASSERT_WITH_SECURITY_IMPLICATION(index < m_allProperties->size());
 
     const InspectorStyleProperty& property = m_allProperties->at(index);
     long propertyStart = property.sourceData.range.start;
index ada2617..a44e3e0 100644 (file)
@@ -789,7 +789,7 @@ InspectorArrayBase::InspectorArrayBase()
 
 PassRefPtr<InspectorValue> InspectorArrayBase::get(size_t index)
 {
-    ASSERT(index < m_data.size());
+    ASSERT_WITH_SECURITY_IMPLICATION(index < m_data.size());
     return m_data[index];
 }
 
index 7768a09..7c1e861 100644 (file)
@@ -111,7 +111,7 @@ WindowFeatures::WindowFeatures(const String& features)
             i++;
         valueEnd = i;
 
-        ASSERT(i <= length);
+        ASSERT_WITH_SECURITY_IMPLICATION(i <= length);
 
         String keyString(buffer.substring(keyBegin, keyEnd - keyBegin));
         String valueString(buffer.substring(valueBegin, valueEnd - valueBegin));
index 229359d..0a6d873 100644 (file)
@@ -106,7 +106,7 @@ public:
     {
         // Note that although it is a size_t, m_size is now guaranteed to be
         // no greater than max unsigned. This guarantee is enforced in allocate().
-        ASSERT(i < size());
+        ASSERT_WITH_SECURITY_IMPLICATION(i < size());
         return data()[i];
     }
 
index 9618141..218813f 100644 (file)
@@ -121,7 +121,7 @@ void AudioFIFO::push(const AudioBus* sourceBus)
 
 void AudioFIFO::findWrapLengths(size_t index, size_t size, size_t& part1Length, size_t& part2Length)
 {
-    ASSERT(index < m_fifoLength && size <= m_fifoLength);
+    ASSERT_WITH_SECURITY_IMPLICATION(index < m_fifoLength && size <= m_fifoLength);
     if (index < m_fifoLength && size <= m_fifoLength) {
         if (index + size > m_fifoLength) {
             // Need to wrap. Figure out the length of each piece.
index 452bc30..97d935f 100644 (file)
@@ -78,13 +78,13 @@ public:
 
     GlyphData glyphDataForIndex(unsigned index) const
     {
-        ASSERT(index < size);
+        ASSERT_WITH_SECURITY_IMPLICATION(index < size);
         return GlyphData(m_glyphs[index], m_glyphFontData[index]);
     }
 
     Glyph glyphAt(unsigned index) const
     {
-        ASSERT(index < size);
+        ASSERT_WITH_SECURITY_IMPLICATION(index < size);
         return m_glyphs[index];
     }
 
@@ -100,7 +100,7 @@ public:
 
     void setGlyphDataForIndex(unsigned index, Glyph g, const SimpleFontData* f)
     {
-        ASSERT(index < size);
+        ASSERT_WITH_SECURITY_IMPLICATION(index < size);
         m_glyphs[index] = g;
         m_glyphFontData[index] = f;
     }
index c64f098..895a1e9 100644 (file)
@@ -155,9 +155,9 @@ public:
         return result;
     }
 
-    UChar operator[](unsigned i) const { ASSERT(i < m_len); return is8Bit() ? m_data.characters8[i] :m_data.characters16[i]; }
-    const LChar* data8(unsigned i) const { ASSERT(i < m_len); ASSERT(is8Bit()); return &m_data.characters8[i]; }
-    const UChar* data16(unsigned i) const { ASSERT(i < m_len); ASSERT(!is8Bit()); return &m_data.characters16[i]; }
+    UChar operator[](unsigned i) const { ASSERT_WITH_SECURITY_IMPLICATION(i < m_len); return is8Bit() ? m_data.characters8[i] :m_data.characters16[i]; }
+    const LChar* data8(unsigned i) const { ASSERT_WITH_SECURITY_IMPLICATION(i < m_len); ASSERT(is8Bit()); return &m_data.characters8[i]; }
+    const UChar* data16(unsigned i) const { ASSERT_WITH_SECURITY_IMPLICATION(i < m_len); ASSERT(!is8Bit()); return &m_data.characters16[i]; }
 
     const LChar* characters8() const { ASSERT(is8Bit()); return m_data.characters8; }
     const UChar* characters16() const { ASSERT(!is8Bit()); return m_data.characters16; }
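Review bot: The rewritten `operator[]` line keeps the `:m_data.characters16[i]` spacing glitch; since the commit touches the line, `return is8Bit() ? m_data.characters8[i] : m_data.characters16[i];` is the house style. In `data8`/`data16` only the length assertion is upgraded while the `is8Bit()` assertions on the same lines stay plain; that asymmetry looks intended (a wrong-width read is still within `m_len`), but a brief ChangeLog remark would prevent a later "fix". The class continues outside the hunk.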
index 06d13f1..af706e3 100644 (file)
@@ -193,8 +193,8 @@ HarfBuzzShaper::~HarfBuzzShaper()
 
 void HarfBuzzShaper::setDrawRange(int from, int to)
 {
-    ASSERT(from >= 0);
-    ASSERT(to <= m_run.length());
+    ASSERT_WITH_SECURITY_IMPLICATION(from >= 0);
+    ASSERT_WITH_SECURITY_IMPLICATION(to <= m_run.length());
     m_fromIndex = from;
     m_toIndex = to;
 }
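Review bot: The two upgraded assertions bound `from` from below and `to` from above but never relate them, so `from > to` passes and is stored into `m_fromIndex`/`m_toIndex`; if a reversed range is not meaningful to the callers, `ASSERT_WITH_SECURITY_IMPLICATION(from <= to);` closes the gap. Also, `to <= m_run.length()` compares a signed `to` against what is presumably an unsigned length, so a negative `to` is rejected only via implicit conversion; an explicit `ASSERT_WITH_SECURITY_IMPLICATION(to >= 0);` reads more clearly.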
index 64d94c9..2a29e22 100644 (file)
@@ -84,7 +84,7 @@ void TiledImageOpenVG::setTile(int xIndex, int yIndex, VGImage image)
 {
     ASSERT(xIndex < m_numColumns);
     int i = (yIndex * m_numColumns) + xIndex;
-    ASSERT(i < m_tiles.size());
+    ASSERT_WITH_SECURITY_IMPLICATION(i < m_tiles.size());
     m_tiles.at(i) = image;
 }
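Review bot: `i` is an `int` computed from `yIndex * m_numColumns + xIndex` and the new assertion compares it with `m_tiles.size()`; only `xIndex < m_numColumns` is checked, so a negative `xIndex` or `yIndex` produces a negative `i` that the comparison handles purely through signed-to-unsigned conversion. `ASSERT(xIndex >= 0 && yIndex >= 0);` before the computation and `ASSERT_WITH_SECURITY_IMPLICATION(i >= 0 && static_cast<size_t>(i) < m_tiles.size());` on the changed line state the intent explicitly. The same applies to the `tile()` hunk below.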
 
@@ -113,7 +113,7 @@ VGImage TiledImageOpenVG::tile(int xIndex, int yIndex) const
 {
     ASSERT(xIndex < m_numColumns);
     int i = (yIndex * m_numColumns) + xIndex;
-    ASSERT(i < m_tiles.size());
+    ASSERT_WITH_SECURITY_IMPLICATION(i < m_tiles.size());
     return m_tiles.at(i);
 }
 
index a3e2952..44fd8ac 100644 (file)
@@ -203,7 +203,7 @@ bool ICOImageDecoder::decodeDirectory()
 
 bool ICOImageDecoder::decodeAtIndex(size_t index)
 {
-    ASSERT(index < m_dirEntries.size());
+    ASSERT_WITH_SECURITY_IMPLICATION(index < m_dirEntries.size());
     const IconDirectoryEntry& dirEntry = m_dirEntries[index];
     const ImageType imageType = imageTypeAtIndex(index);
     if (imageType == Unknown)
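Review bot: In `imageTypeAtIndex` (the second hunk of this file) the `imageOffset` checks against `m_data->size()` two lines after the assertion are real release-mode guards on attacker-controlled file contents, whereas the new `index` check here and there is assert-only before `m_dirEntries[index]`. If `index` always derives from a frame count that is itself `m_dirEntries.size()` this is consistent, but a comment recording that assumption, `// index is bounded by the frame count the decoder reported; not validated in release.`, would keep it from silently breaking. Both function bodies continue outside their hunks.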
@@ -332,7 +332,7 @@ ICOImageDecoder::ImageType ICOImageDecoder::imageTypeAtIndex(size_t index)
 {
     // Check if this entry is a BMP or a PNG; we need 4 bytes to check the magic
     // number.
-    ASSERT(index < m_dirEntries.size());
+    ASSERT_WITH_SECURITY_IMPLICATION(index < m_dirEntries.size());
     const uint32_t imageOffset = m_dirEntries[index].m_imageOffset;
     if ((imageOffset > m_data->size()) || ((m_data->size() - imageOffset) < 4))
         return Unknown;
index edb9832..47eb3ae 100644 (file)
@@ -41,7 +41,7 @@ static const char crlfLineEnding[] = "\r\n";
 
 static size_t lengthOfLineEndingAtIndex(const char* input, size_t inputLength, size_t index)
 {
-    ASSERT(index < inputLength);
+    ASSERT_WITH_SECURITY_IMPLICATION(index < inputLength);
     if (input[index] == '\n')
         return 1; // Single LF.
 
index 9edb83c..561e942 100644 (file)
@@ -227,7 +227,7 @@ String SegmentedString::toString() const
 
 void SegmentedString::advance(unsigned count, UChar* consumedCharacters)
 {
-    ASSERT(count <= length());
+    ASSERT_WITH_SECURITY_IMPLICATION(count <= length());
     for (unsigned i = 0; i < count; ++i) {
         consumedCharacters[i] = currentChar();
         advance();
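Review bot: The upgraded assertion bounds `count` against the source string, but the loop below writes `consumedCharacters[i]` for every `i < count` and nothing states that the caller's buffer must hold at least `count` UChars, which is the one size the check cannot see. A comment above the signature, `// consumedCharacters must point to at least count UChars; only the source length is checked here.`, records the contract. The function body continues outside the hunk.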
index 650a15d..912c8d6 100644 (file)
@@ -60,7 +60,7 @@ static void doDrawTextAtPoint(GraphicsContext& context, const String& text, cons
         context.drawBidiText(font, run, point);
 
     if (underlinedIndex >= 0) {
-        ASSERT(underlinedIndex < static_cast<int>(text.length()));
+        ASSERT_WITH_SECURITY_IMPLICATION(underlinedIndex < static_cast<int>(text.length()));
 
         int beforeWidth;
         if (underlinedIndex > 0) {
index cfe3f35..50e243a 100644 (file)
@@ -681,7 +681,7 @@ void InlineTextBox::paint(PaintInfo& paintInfo, const LayoutPoint& paintOffset,
     if (!combinedText) {
         string = textRenderer()->text();
         if (static_cast<unsigned>(length) != string.length() || m_start) {
-            ASSERT(static_cast<unsigned>(m_start + length) <= string.length());
+            ASSERT_WITH_SECURITY_IMPLICATION(static_cast<unsigned>(m_start + length) <= string.length());
             string = string.substringSharingImpl(m_start, length);
         }
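Review bot: `static_cast<unsigned>(m_start + length) <= string.length()` casts the sum after it is formed, so if `m_start` and `length` are signed a sum that wraps would pass the new check; asserting the parts separately, e.g. `length >= 0` and `static_cast<unsigned>(length) <= string.length() - m_start` once `m_start <= string.length()` is known, avoids that. The identical three-line guard-and-substring sequence is repeated in the `paintSelection` hunk below; a small private helper would keep the two in step. Both functions start and end outside their hunks.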
         maximumLength = textRenderer()->textLength() - m_start;
@@ -865,7 +865,7 @@ void InlineTextBox::paintSelection(GraphicsContext* context, const FloatPoint& b
     String string = textRenderer()->text();
 
     if (string.length() != static_cast<unsigned>(length) || m_start) {
-        ASSERT(static_cast<unsigned>(m_start + length) <= string.length());
+        ASSERT_WITH_SECURITY_IMPLICATION(static_cast<unsigned>(m_start + length) <= string.length());
         string = string.substringSharingImpl(m_start, length);
     }
 
index 05d2846..617fd2b 100644 (file)
@@ -1,3 +1,15 @@
+2013-02-04  Abhishek Arya  <inferno@chromium.org>
+
+        Add ASSERT_WITH_SECURITY_IMPLICATION to detect out of bounds access
+        https://bugs.webkit.org/show_bug.cgi?id=108668
+
+        Reviewed by Eric Seidel.
+
+        * src/ContextFeaturesClientImpl.cpp:
+        (WebKit::ContextFeaturesCache::entryFor):
+        * src/WebFrameImpl.cpp:
+        (WebKit::WebFrameImpl::selectFindMatch):
+
 2013-02-04  Mark Pilgrim  <pilgrim@chromium.org>
 
         [Chromium] Move IDBFactoryBackendInterface to WebCore
index 7c768dc..3e574b9 100644 (file)
@@ -83,7 +83,7 @@ public:
     Entry& entryFor(ContextFeatures::FeatureType type)
     {
         size_t index = static_cast<size_t>(type);
-        ASSERT(index < ContextFeatures::FeatureTypeSize);
+        ASSERT_WITH_SECURITY_IMPLICATION(index < ContextFeatures::FeatureTypeSize);
         return m_entries[index];
     }
 
index 117051d..e5c5d3b 100644 (file)
@@ -2036,7 +2036,7 @@ int WebFrameImpl::nearestFindMatch(const FloatPoint& point, float& distanceSquar
 
 int WebFrameImpl::selectFindMatch(unsigned index, WebRect* selectionRect)
 {
-    ASSERT(index < m_findMatchesCache.size());
+    ASSERT_WITH_SECURITY_IMPLICATION(index < m_findMatchesCache.size());
 
     RefPtr<Range> range = m_findMatchesCache[index].m_range;
     if (!range->boundaryPointsValid() || !range->startContainer()->inDocument())
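Review bot: `selectFindMatch` is a WebFrame API entry point whose `index` is supplied by the embedder, and the assertion on its first line is the only bounds check before `m_findMatchesCache[index]`, so where the macro is compiled out a bad index reads past the cache. Returning early when `index >= m_findMatchesCache.size()`, with the same value the invalid-range branch below returns, would make the check hold in every build; if the embedder is trusted to validate, a comment saying so belongs on this line. The function continues outside the hunk.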
index d7ae89d..9f89968 100644 (file)
@@ -1,3 +1,13 @@
+2013-02-04  Abhishek Arya  <inferno@chromium.org>
+
+        Add ASSERT_WITH_SECURITY_IMPLICATION to detect out of bounds access
+        https://bugs.webkit.org/show_bug.cgi?id=108668
+
+        Reviewed by Eric Seidel.
+
+        * Shared/mac/SandboxExtensionMac.mm:
+        (WebKit::SandboxExtension::HandleArray::operator[]):
+
 2013-02-04  Anders Carlsson  <andersca@apple.com>
 
         Change didReceiveMessageOnConnectionWorkQueue semantics
index 8f3a620..a37ac93 100644 (file)
@@ -111,13 +111,13 @@ void SandboxExtension::HandleArray::allocate(size_t size)
 
 SandboxExtension::Handle& SandboxExtension::HandleArray::operator[](size_t i)
 {
-    ASSERT(i < m_size);    
+    ASSERT_WITH_SECURITY_IMPLICATION(i < m_size); 
     return m_data[i];
 }
 
 const SandboxExtension::Handle& SandboxExtension::HandleArray::operator[](size_t i) const
 {
-    ASSERT(i < m_size);
+    ASSERT_WITH_SECURITY_IMPLICATION(i < m_size);
     return m_data[i];
 }
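Review bot: The rewritten non-const `operator[]` line still ends in a trailing space (the old line carried four); since the commit touches it, the line should be `ASSERT_WITH_SECURITY_IMPLICATION(i < m_size);` with no trailing whitespace, matching the const overload in the same hunk.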