Replace bounds checking ASSERTs with ASSERT_WITH_SECURITY_IMPLICATION
authorakling@apple.com <akling@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 12 Oct 2013 18:03:39 +0000 (18:03 +0000)
committerakling@apple.com <akling@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 12 Oct 2013 18:03:39 +0000 (18:03 +0000)
https://bugs.webkit.org/show_bug.cgi?id=120893

Patch by Jessica Pease <jessica_n_pease@apple.com> on 2013-09-06
Reviewed by Darin Adler.

Source/WebCore:

* Modules/indexeddb/IDBKeyPath.cpp:
(WebCore::IDBKeyPathLexer::lex):
* Modules/indexeddb/IDBLevelDBCoding.cpp:
(WebCore::IDBLevelDBCoding::compareEncodedIDBKeys):
* bindings/js/JSCSSStyleDeclarationCustom.cpp:
(WebCore::cssPropertyIDForJSCSSPropertyName):
* css/CSSFontSelector.cpp:
(WebCore::compareFontFaces):
* css/CSSParser.cpp:
(WebCore::CSSParser::rewriteSpecifiers):
* html/HTMLCollection.cpp:
(WebCore::traverseMatchingElementsForwardToOffset):
(WebCore::LiveNodeListBase::traverseChildNodeListForwardToOffset):
(WebCore::HTMLCollection::traverseForwardToOffset):
* html/HTMLFontElement.cpp:
(WebCore::parseFontSize):
* html/parser/HTMLParserIdioms.cpp:
(WebCore::parseHTMLIntegerInternal):
(WebCore::parseHTMLNonNegativeIntegerInternal):
* inspector/InspectorStyleSheet.h:
(WebCore::InspectorStyleProperty::setRawTextFromStyleDeclaration):
* platform/graphics/StringTruncator.cpp:
(WebCore::centerTruncateToBuffer):
(WebCore::rightTruncateToBuffer):
(WebCore::truncateString):
* platform/graphics/TextRun.h:
(WebCore::TextRun::subRun):
* platform/text/BidiRunList.h:
(WebCore::::reverseRuns):
* rendering/svg/SVGInlineTextBox.cpp:
(WebCore::SVGInlineTextBox::selectionRectForTextFragment):
(WebCore::SVGInlineTextBox::mapStartEndPositionsIntoFragmentCoordinates):
* rendering/svg/SVGTextChunkBuilder.cpp:
(WebCore::SVGTextChunkBuilder::buildTextChunks):
* rendering/svg/SVGTextLayoutEngine.cpp:
(WebCore::SVGTextLayoutEngine::currentLogicalCharacterMetrics):
* rendering/svg/SVGTextQuery.cpp:
(WebCore::SVGTextQuery::mapStartEndPositionsIntoFragmentCoordinates):
* svg/SVGAnimationElement.cpp:
(WebCore::SVGAnimationElement::currentValuesForValuesAnimation):
* svg/SVGPathByteStreamSource.h:
(WebCore::SVGPathByteStreamSource::readType):

Source/WebKit2:

* Shared/Plugins/PluginQuirks.h:
(WebKit::PluginQuirks::add):

Source/WTF:

* wtf/BumpPointerAllocator.h:
(WTF::BumpPointerPool::ensureCapacity):
(WTF::BumpPointerPool::alloc):
(WTF::BumpPointerPool::ensureCapacityCrossPool):
* wtf/FastMalloc.cpp:
(WTF::TCMalloc_ThreadCache::CreateCacheIfNecessary):
* wtf/StringPrintStream.cpp:
(WTF::StringPrintStream::increaseSize):
* wtf/dtoa/utils.h:
(WTF::double_conversion::BufferReference::SubBufferReference):
* wtf/text/WTFString.cpp:
(WTF::String::fromUTF8):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@157341 268f45cc-cd09-0410-ab3c-d52691b4dbfc

27 files changed:
Source/WTF/ChangeLog
Source/WTF/wtf/BumpPointerAllocator.h
Source/WTF/wtf/FastMalloc.cpp
Source/WTF/wtf/StringPrintStream.cpp
Source/WTF/wtf/dtoa/utils.h
Source/WTF/wtf/text/WTFString.cpp
Source/WebCore/ChangeLog
Source/WebCore/Modules/indexeddb/IDBKeyPath.cpp
Source/WebCore/Modules/indexeddb/leveldb/IDBLevelDBCoding.cpp
Source/WebCore/bindings/js/JSCSSStyleDeclarationCustom.cpp
Source/WebCore/css/CSSFontSelector.cpp
Source/WebCore/css/CSSParser.cpp
Source/WebCore/html/HTMLCollection.cpp
Source/WebCore/html/HTMLFontElement.cpp
Source/WebCore/html/parser/HTMLParserIdioms.cpp
Source/WebCore/inspector/InspectorStyleSheet.h
Source/WebCore/platform/graphics/StringTruncator.cpp
Source/WebCore/platform/graphics/TextRun.h
Source/WebCore/platform/text/BidiRunList.h
Source/WebCore/rendering/svg/SVGInlineTextBox.cpp
Source/WebCore/rendering/svg/SVGTextChunkBuilder.cpp
Source/WebCore/rendering/svg/SVGTextLayoutEngine.cpp
Source/WebCore/rendering/svg/SVGTextQuery.cpp
Source/WebCore/svg/SVGAnimationElement.cpp
Source/WebCore/svg/SVGPathByteStreamSource.h
Source/WebKit2/ChangeLog
Source/WebKit2/Shared/Plugins/PluginQuirks.h

index deee6bd..7e829fe 100644 (file)
@@ -1,3 +1,23 @@
+2013-09-06  Jessica Pease  <jessica_n_pease@apple.com>
+
+        Replace bounds checking ASSERTs with ASSERT_WITH_SECURITY_IMPLICATION
+        https://bugs.webkit.org/show_bug.cgi?id=120893
+
+        Reviewed by Darin Adler.
+
+        * wtf/BumpPointerAllocator.h:
+        (WTF::BumpPointerPool::ensureCapacity):
+        (WTF::BumpPointerPool::alloc):
+        (WTF::BumpPointerPool::ensureCapacityCrossPool):
+        * wtf/FastMalloc.cpp:
+        (WTF::TCMalloc_ThreadCache::CreateCacheIfNecessary):
+        * wtf/StringPrintStream.cpp:
+        (WTF::StringPrintStream::increaseSize):
+        * wtf/dtoa/utils.h:
+        (WTF::double_conversion::BufferReference::SubBufferReference):
+        * wtf/text/WTFString.cpp:
+        (WTF::String::fromUTF8):
+
 2013-10-11  Darin Adler  <darin@apple.com>
 
         Change most call sites to call ICU directly instead of through WTF::Unicode
index 3b2cfd9..02472b0 100644 (file)
@@ -47,7 +47,7 @@ public:
     BumpPointerPool* ensureCapacity(size_t size)
     {
         void* allocationEnd = static_cast<char*>(m_current) + size;
-        ASSERT(allocationEnd > m_current); // check for overflow
+        ASSERT_WITH_SECURITY_IMPLICATION(allocationEnd > m_current); // check for overflow
         if (allocationEnd <= static_cast<void*>(this))
             return this;
         return ensureCapacityCrossPool(this, size);
@@ -59,7 +59,7 @@ public:
     {
         void* current = m_current;
         void* allocationEnd = static_cast<char*>(current) + size;
-        ASSERT(allocationEnd > current); // check for overflow
+        ASSERT_WITH_SECURITY_IMPLICATION(allocationEnd > current); // check for overflow
         ASSERT(allocationEnd <= static_cast<void*>(this));
         m_current = allocationEnd;
         return current;
@@ -163,7 +163,7 @@ private:
             // 
             void* current = pool->m_current;
             void* allocationEnd = static_cast<char*>(current) + size;
-            ASSERT(allocationEnd > current); // check for overflow
+            ASSERT_WITH_SECURITY_IMPLICATION(allocationEnd > current); // check for overflow
             if (allocationEnd <= static_cast<void*>(pool))
                 return pool;
         }
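Review bot: In the `alloc()` hunk the check that actually keeps the pool from handing out memory past its end, `ASSERT(allocationEnd <= static_cast<void*>(this));` on the line after the promoted overflow assert, stays a plain ASSERT, so the more consequential of the two checks is the one left unpromoted; for consistency it should read `ASSERT_WITH_SECURITY_IMPLICATION(allocationEnd <= static_cast<void*>(this));`. The same selective promotion appears in StringPrintStream::increaseSize (`newSize > sizeof(m_inlineBuffer)`), BufferReference::SubBufferReference (`to <= length_`, `0 <= from`, which are the checks that keep the sub-buffer inside `start()..start() + length_`), InspectorStyleProperty::setRawTextFromStyleDeclaration (`end <= styleDeclaration.length()`) and PluginQuirks::add (`quirk >= 0`). Separately, all three overflow tests form `m_current + size` first and compare the result with `m_current`; forming an out-of-range pointer is undefined behaviour, so an optimizer is free to fold that comparison away, and checking `size` against the distance to `this` before doing the arithmetic would be more robust — presumably a follow-up rather than this commit. Either macro is compiled out of release builds unless security assertions are enabled, so none of these lines act as a runtime guard there.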
index 5b29555..54bd1d1 100644 (file)
@@ -3799,7 +3799,7 @@ static void** DumpStackTraces() {
   SpinLockHolder h(&pageheap_lock);
   int used_slots = 0;
   for (Span* s = sampled_objects.next; s != &sampled_objects; s = s->next) {
-    ASSERT(used_slots < needed_slots);  // Need to leave room for terminator
+    ASSERT_WITH_SECURITY_IMPLICATION(used_slots < needed_slots); // Need to leave room for terminator
     StackTrace* stack = reinterpret_cast<StackTrace*>(s->objects);
     if (used_slots + 3 + stack->depth >= needed_slots) {
       // No more room
@@ -4163,7 +4163,7 @@ static void* do_memalign(size_t align, size_t size) {
   while ((((span->start+skip) << kPageShift) & (align - 1)) != 0) {
     skip++;
   }
-  ASSERT(skip < alloc);
+  ASSERT_WITH_SECURITY_IMPLICATION(skip < alloc);
   if (skip > 0) {
     Span* rest = pageheap->Split(span, skip);
     pageheap->Delete(span);
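Review bot: The ChangeLog entry for wtf/FastMalloc.cpp names `TCMalloc_ThreadCache::CreateCacheIfNecessary`, but the two hunks in this file are in `DumpStackTraces` (line 3799) and `do_memalign` (line 4163) according to their hunk headers, so the entry should list those two functions instead. Both enclosing functions start and end outside the hunks. The promoted `skip < alloc` assert in `do_memalign` follows a loop whose exit condition is the alignment mask rather than `alloc`, so a one-line comment explaining why the loop cannot advance `skip` up to `alloc` would help the next reader see what the assertion is guarding before `pageheap->Split(span, skip)`.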
index 09f447a..070af05 100644 (file)
@@ -106,7 +106,7 @@ String StringPrintStream::toString()
 
 void StringPrintStream::increaseSize(size_t newSize)
 {
-    ASSERT(newSize > m_size);
+    ASSERT_WITH_SECURITY_IMPLICATION(newSize > m_size);
     ASSERT(newSize > sizeof(m_inlineBuffer));
     
     // Use exponential resizing to reduce thrashing.
index 268a8c5..4046e15 100644 (file)
@@ -153,7 +153,7 @@ namespace double_conversion {
         // spanning from and including 'from', to but not including 'to'.
         BufferReference<T> SubBufferReference(int from, int to) {
             ASSERT(to <= length_);
-            ASSERT(from < to);
+            ASSERT_WITH_SECURITY_IMPLICATION(from < to);
             ASSERT(0 <= from);
             return BufferReference<T>(start() + from, to - from);
         }
index 5bf33ce..d78c7b6 100644 (file)
@@ -849,7 +849,7 @@ String String::fromUTF8(const LChar* stringStart, size_t length)
         return String();
 
     unsigned utf16Length = bufferCurrent - bufferStart;
-    ASSERT(utf16Length < length);
+    ASSERT_WITH_SECURITY_IMPLICATION(utf16Length < length);
     return StringImpl::create(bufferStart, utf16Length);
 }
 
index de47b83..02a02e0 100644 (file)
@@ -1,3 +1,53 @@
+2013-09-06  Jessica Pease  <jessica_n_pease@apple.com>
+
+        Replace bounds checking ASSERTs with ASSERT_WITH_SECURITY_IMPLICATION
+        https://bugs.webkit.org/show_bug.cgi?id=120893
+
+        Reviewed by Darin Adler.
+
+        * Modules/indexeddb/IDBKeyPath.cpp:
+        (WebCore::IDBKeyPathLexer::lex):
+        * Modules/indexeddb/IDBLevelDBCoding.cpp:
+        (WebCore::IDBLevelDBCoding::compareEncodedIDBKeys):
+        * bindings/js/JSCSSStyleDeclarationCustom.cpp:
+        (WebCore::cssPropertyIDForJSCSSPropertyName):
+        * css/CSSFontSelector.cpp:
+        (WebCore::compareFontFaces):
+        * css/CSSParser.cpp:
+        (WebCore::CSSParser::rewriteSpecifiers):
+        * html/HTMLCollection.cpp:
+        (WebCore::traverseMatchingElementsForwardToOffset):
+        (WebCore::LiveNodeListBase::traverseChildNodeListForwardToOffset):
+        (WebCore::HTMLCollection::traverseForwardToOffset):
+        * html/HTMLFontElement.cpp:
+        (WebCore::parseFontSize):
+        * html/parser/HTMLParserIdioms.cpp:
+        (WebCore::parseHTMLIntegerInternal):
+        (WebCore::parseHTMLNonNegativeIntegerInternal):
+        * inspector/InspectorStyleSheet.h:
+        (WebCore::InspectorStyleProperty::setRawTextFromStyleDeclaration):
+        * platform/graphics/StringTruncator.cpp:
+        (WebCore::centerTruncateToBuffer):
+        (WebCore::rightTruncateToBuffer):
+        (WebCore::truncateString):
+        * platform/graphics/TextRun.h:
+        (WebCore::TextRun::subRun):
+        * platform/text/BidiRunList.h:
+        (WebCore::::reverseRuns):
+        * rendering/svg/SVGInlineTextBox.cpp:
+        (WebCore::SVGInlineTextBox::selectionRectForTextFragment):
+        (WebCore::SVGInlineTextBox::mapStartEndPositionsIntoFragmentCoordinates):
+        * rendering/svg/SVGTextChunkBuilder.cpp:
+        (WebCore::SVGTextChunkBuilder::buildTextChunks):
+        * rendering/svg/SVGTextLayoutEngine.cpp:
+        (WebCore::SVGTextLayoutEngine::currentLogicalCharacterMetrics):
+        * rendering/svg/SVGTextQuery.cpp:
+        (WebCore::SVGTextQuery::mapStartEndPositionsIntoFragmentCoordinates):
+        * svg/SVGAnimationElement.cpp:
+        (WebCore::SVGAnimationElement::currentValuesForValuesAnimation):
+        * svg/SVGPathByteStreamSource.h:
+        (WebCore::SVGPathByteStreamSource::readType):
+
 2013-10-12  Antti Koivisto  <antti@apple.com>
 
         Factor line box code from RenderText to a class
index e45aea4..7d8c8d2 100644 (file)
@@ -75,7 +75,7 @@ IDBKeyPathLexer::TokenType IDBKeyPathLexer::lex(String& element)
 {
     if (m_ptr >= m_end)
         return TokenEnd;
-    ASSERT(m_ptr < m_end);
+    ASSERT_WITH_SECURITY_IMPLICATION(m_ptr < m_end);
 
     if (*m_ptr == '.') {
         ++m_ptr;
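Review bot: The promoted `ASSERT_WITH_SECURITY_IMPLICATION(m_ptr < m_end)` comes immediately after `if (m_ptr >= m_end) return TokenEnd;`, so its condition cannot be false at that point and the assertion cannot fire in any build; it documents the invariant but adds no check. The same early-return-then-assert pattern is promoted in HTMLFontElement::parseFontSize and in all four HTMLParserIdioms hunks, though there the guard is `position == end` rather than `>=`, so the assertion only catches a pointer that has already run past `end`. If documentation is the intent, a comment such as `// m_ptr < m_end here: the guard above returned otherwise` says it without implying a runtime check; otherwise the line could be dropped. `lex()`'s body continues past the hunk.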
index 008cb07..46379c5 100644 (file)
@@ -584,8 +584,8 @@ static int compareEncodedIDBKeys(const char*& ptrA, const char* limitA, const ch
 {
     ok = true;
     ASSERT(&ptrA != &ptrB);
-    ASSERT(ptrA < limitA);
-    ASSERT(ptrB < limitB);
+    ASSERT_WITH_SECURITY_IMPLICATION(ptrA < limitA);
+    ASSERT_WITH_SECURITY_IMPLICATION(ptrB < limitB);
     unsigned char typeA = *ptrA++;
     unsigned char typeB = *ptrB++;
 
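Review bot: The promoted `ptrA < limitA` / `ptrB < limitB` asserts are the only thing between the `*ptrA++` / `*ptrB++` reads on the next two lines and the end of each encoded key, and this function is presumably fed key bytes read back from the on-disk store; because ASSERT_WITH_SECURITY_IMPLICATION compiles away in release builds unless security assertions are enabled, a release build still performs both reads. Since the function already reports failure through `ok`, an explicit runtime guard fits the existing contract, e.g. `if (ptrA >= limitA || ptrB >= limitB) { ok = false; return 0; }` placed before the reads, with the asserts kept for debug builds. The signature is cut off in the hunk header and the body continues past the hunk, so the value returned on failure should match whatever callers already do when `ok` is false.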
index ff09ccc..66488bf 100644 (file)
@@ -260,9 +260,9 @@ static CSSPropertyInfo cssPropertyIDForJSCSSPropertyName(PropertyName propertyNa
             *bufferPtr++ = toASCIILower(c);
         } else
             *bufferPtr++ = c;
-        ASSERT(bufferPtr < bufferEnd);
+        ASSERT_WITH_SECURITY_IMPLICATION(bufferPtr < bufferEnd);
     }
-    ASSERT(bufferPtr < bufferEnd);
+    ASSERT_WITH_SECURITY_IMPLICATION(bufferPtr < bufferEnd);
     *bufferPtr = '\0';
 
     unsigned outputLength = bufferPtr - buffer;
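Review bot: Both promoted `bufferPtr < bufferEnd` checks run after the store they relate to (`*bufferPtr++ = ...` above the first one, the whole loop for the second), so each proves only that the *next* write is in bounds; the first store in the loop is covered solely by whatever check precedes the loop, which is outside this hunk. Moving the check to the top of the loop body, before either `*bufferPtr++ = ...` branch, would make the guard precede the access it protects; the post-loop check is still needed for the `'\0'` store. The enclosing function starts before the hunk.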
index cb36b95..25934da 100644 (file)
@@ -466,7 +466,7 @@ static inline bool compareFontFaces(CSSFontFace* first, CSSFontFace* second)
         ruleSetIndex++;
     }
 
-    ASSERT(ruleSetIndex < fallbackRuleSets);
+    ASSERT_WITH_SECURITY_IMPLICATION(ruleSetIndex < fallbackRuleSets);
     const FontTraitsMask* weightFallbackRule = weightFallbackRuleSets[ruleSetIndex];
     for (unsigned i = 0; i < rulesPerSet; ++i) {
         if (secondTraitsMask & weightFallbackRule[i])
index d1b972a..7f6b148 100644 (file)
@@ -12164,7 +12164,7 @@ void CSSParser::markPropertyEnd(bool isImportantFound, bool isPropertyParsed)
         // This stuff is only executed when the style data retrieval is requested by client.
         const unsigned start = m_propertyRange.start;
         const unsigned end = m_propertyRange.end;
-        ASSERT(start < end);
+        ASSERT_WITH_SECURITY_IMPLICATION(start < end);
         String propertyString;
         if (is8BitSource())
             propertyString = String(m_dataStart8.get() + start, end - start).stripWhiteSpace();
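Review bot: The ChangeLog entry for css/CSSParser.cpp lists `CSSParser::rewriteSpecifiers`, but this hunk's header places the change in `CSSParser::markPropertyEnd`, so one of the two should be corrected. The promoted `start < end` check does not by itself bound the `String(m_dataStart8.get() + start, end - start)` construction below it against the source length; if that bound is established where `m_propertyRange` is recorded (the function starts before the hunk), a short comment pointing there, e.g. `// m_propertyRange is kept within the source length where it is recorded — verify`, would save the next reader the search.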
index 614b5df..130314c 100644 (file)
@@ -324,7 +324,7 @@ inline Element* nextMatchingElement(const NodeListType* nodeList, Element* curre
 template <class NodeListType>
 inline Element* traverseMatchingElementsForwardToOffset(const NodeListType* nodeList, unsigned offset, Element* currentElement, unsigned& currentOffset, ContainerNode* root)
 {
-    ASSERT(currentOffset < offset);
+    ASSERT_WITH_SECURITY_IMPLICATION(currentOffset < offset);
     while ((currentElement = nextMatchingElement(nodeList, currentElement, root))) {
         if (++currentOffset == offset)
             return currentElement;
@@ -336,7 +336,7 @@ inline Element* traverseMatchingElementsForwardToOffset(const NodeListType* node
 inline Node* LiveNodeListBase::traverseChildNodeListForwardToOffset(unsigned offset, Node* currentNode, unsigned& currentOffset) const
 {
     ASSERT(type() == ChildNodeListType);
-    ASSERT(currentOffset < offset);
+    ASSERT_WITH_SECURITY_IMPLICATION(currentOffset < offset);
     while ((currentNode = currentNode->nextSibling())) {
         if (++currentOffset == offset)
             return currentNode;
@@ -548,7 +548,7 @@ inline Element* HTMLCollection::traverseNextElement(unsigned& offsetInArray, Ele
 
 inline Element* HTMLCollection::traverseForwardToOffset(unsigned offset, Element* currentElement, unsigned& currentOffset, unsigned& offsetInArray, ContainerNode* root) const
 {
-    ASSERT(currentOffset < offset);
+    ASSERT_WITH_SECURITY_IMPLICATION(currentOffset < offset);
     if (overridesItemAfter()) {
         offsetInArray = m_cachedElementsArrayOffset;
         while ((currentElement = virtualItemAfter(offsetInArray, currentElement))) {
index 374b9e6..73a1dd8 100644 (file)
@@ -71,7 +71,7 @@ static bool parseFontSize(const CharacterType* characters, unsigned length, int&
     // Step 4
     if (position == end)
         return false;
-    ASSERT(position < end);
+    ASSERT_WITH_SECURITY_IMPLICATION(position < end);
 
     // Step 5
     enum {
index c3fb0c3..9b322e9 100644 (file)
@@ -169,7 +169,7 @@ static bool parseHTMLIntegerInternal(const CharacterType* position, const Charac
     // Step 5
     if (position == end)
         return false;
-    ASSERT(position < end);
+    ASSERT_WITH_SECURITY_IMPLICATION(position < end);
 
     // Step 6
     if (*position == '-') {
@@ -179,7 +179,7 @@ static bool parseHTMLIntegerInternal(const CharacterType* position, const Charac
         ++position;
     if (position == end)
         return false;
-    ASSERT(position < end);
+    ASSERT_WITH_SECURITY_IMPLICATION(position < end);
 
     // Step 7
     if (!isASCIIDigit(*position))
@@ -230,7 +230,7 @@ static bool parseHTMLNonNegativeIntegerInternal(const CharacterType* position, c
     // Step 4
     if (position == end)
         return false;
-    ASSERT(position < end);
+    ASSERT_WITH_SECURITY_IMPLICATION(position < end);
 
     // Step 5
     if (*position == '+')
@@ -239,7 +239,7 @@ static bool parseHTMLNonNegativeIntegerInternal(const CharacterType* position, c
     // Step 6
     if (position == end)
         return false;
-    ASSERT(position < end);
+    ASSERT_WITH_SECURITY_IMPLICATION(position < end);
 
     // Step 7
     if (!isASCIIDigit(*position))
index 18afde3..dfcc6d3 100644 (file)
@@ -121,7 +121,7 @@ struct InspectorStyleProperty {
     {
         unsigned start = sourceData.range.start;
         unsigned end = sourceData.range.end;
-        ASSERT(start < end);
+        ASSERT_WITH_SECURITY_IMPLICATION(start < end);
         ASSERT(end <= styleDeclaration.length());
         rawText = styleDeclaration.substring(start, end - start);
     }
index 310d554..a72ae4b 100644 (file)
@@ -59,8 +59,8 @@ static inline int boundedTextBreakFollowing(TextBreakIterator* it, int offset, i
 
 static unsigned centerTruncateToBuffer(const String& string, unsigned length, unsigned keepCount, UChar* buffer)
 {
-    ASSERT(keepCount < length);
-    ASSERT(keepCount < STRING_BUFFER_SIZE);
+    ASSERT_WITH_SECURITY_IMPLICATION(keepCount < length);
+    ASSERT_WITH_SECURITY_IMPLICATION(keepCount < STRING_BUFFER_SIZE);
     
     unsigned omitStart = (keepCount + 1) / 2;
     NonSharedCharacterBreakIterator it(string.characters(), length);
@@ -79,8 +79,8 @@ static unsigned centerTruncateToBuffer(const String& string, unsigned length, un
 
 static unsigned rightTruncateToBuffer(const String& string, unsigned length, unsigned keepCount, UChar* buffer)
 {
-    ASSERT(keepCount < length);
-    ASSERT(keepCount < STRING_BUFFER_SIZE);
+    ASSERT_WITH_SECURITY_IMPLICATION(keepCount < length);
+    ASSERT_WITH_SECURITY_IMPLICATION(keepCount < STRING_BUFFER_SIZE);
     
     NonSharedCharacterBreakIterator it(string.characters(), length);
     unsigned keepLength = textBreakAtOrPreceding(it, keepCount);
@@ -139,8 +139,8 @@ static String truncateString(const String& string, float maxWidth, const Font& f
     }
     
     while (keepCountForLargestKnownToFit + 1 < keepCountForSmallestKnownToNotFit) {
-        ASSERT(widthForLargestKnownToFit <= maxWidth);
-        ASSERT(widthForSmallestKnownToNotFit > maxWidth);
+        ASSERT_WITH_SECURITY_IMPLICATION(widthForLargestKnownToFit <= maxWidth);
+        ASSERT_WITH_SECURITY_IMPLICATION(widthForSmallestKnownToNotFit > maxWidth);
 
         float ratio = (keepCountForSmallestKnownToNotFit - keepCountForLargestKnownToFit)
             / (widthForSmallestKnownToNotFit - widthForLargestKnownToFit);
@@ -152,10 +152,10 @@ static String truncateString(const String& string, float maxWidth, const Font& f
             keepCount = keepCountForSmallestKnownToNotFit - 1;
         }
         
-        ASSERT(keepCount < length);
+        ASSERT_WITH_SECURITY_IMPLICATION(keepCount < length);
         ASSERT(keepCount > 0);
-        ASSERT(keepCount < keepCountForSmallestKnownToNotFit);
-        ASSERT(keepCount > keepCountForLargestKnownToFit);
+        ASSERT_WITH_SECURITY_IMPLICATION(keepCount < keepCountForSmallestKnownToNotFit);
+        ASSERT_WITH_SECURITY_IMPLICATION(keepCount > keepCountForLargestKnownToFit);
         
         truncatedLength = truncateToBuffer(string, length, keepCount, stringBuffer);
 
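Review bot: The two promoted asserts at the top of the `truncateString` loop, `widthForLargestKnownToFit <= maxWidth` and `widthForSmallestKnownToNotFit > maxWidth`, compare float text widths rather than indices or pointers, so tagging them ASSERT_WITH_SECURITY_IMPLICATION labels a search invariant as a memory-safety check; the same applies to `toPercent > fromPercent` in SVGAnimationElement::currentValuesForValuesAnimation, which guards a division. Keeping those as plain ASSERT keeps the macro meaningful for the checks in this file that do bound buffer access, such as `keepCount < length` and `keepCount < STRING_BUFFER_SIZE` in the two *TruncateToBuffer hunks. `truncateString` starts before the hunk and continues after it.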
index 2a194cc..0406c0e 100644 (file)
@@ -139,7 +139,7 @@ public:
 
     TextRun subRun(unsigned startOffset, unsigned length) const
     {
-        ASSERT(startOffset < m_len);
+        ASSERT_WITH_SECURITY_IMPLICATION(startOffset < m_len);
 
         TextRun result = *this;
 
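Review bot: `subRun` takes both `startOffset` and `length`, but only `startOffset < m_len` is promoted here; the sub-run stays inside the run only if `startOffset + length <= m_len` holds as well. If that second check exists further down (the body continues past the hunk) it deserves the same treatment; if it does not, `ASSERT_WITH_SECURITY_IMPLICATION(length <= m_len - startOffset);` next to the existing line would close the gap without risking overflow in the addition.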
index d6db7ee..afe069a 100644 (file)
@@ -204,7 +204,7 @@ void BidiRunList<Run>::reverseRuns(unsigned start, unsigned end)
     if (start >= end)
         return;
 
-    ASSERT(end < m_runCount);
+    ASSERT_WITH_SECURITY_IMPLICATION(end < m_runCount);
 
     // Get the item before the start of the runs to reverse and put it in
     // |beforeStart|. |curr| should point to the first run to reverse.
index d84c141..62fdd4e 100644 (file)
@@ -108,7 +108,7 @@ float SVGInlineTextBox::positionForOffset(int) const
 
 FloatRect SVGInlineTextBox::selectionRectForTextFragment(const SVGTextFragment& fragment, int startPosition, int endPosition, RenderStyle* style)
 {
-    ASSERT(startPosition < endPosition);
+    ASSERT_WITH_SECURITY_IMPLICATION(startPosition < endPosition);
     ASSERT(style);
 
     FontCachePurgePreventer fontCachePurgePreventer;
@@ -454,7 +454,7 @@ bool SVGInlineTextBox::mapStartEndPositionsIntoFragmentCoordinates(const SVGText
         endPosition -= offset;
     }
 
-    ASSERT(startPosition < endPosition);
+    ASSERT_WITH_SECURITY_IMPLICATION(startPosition < endPosition);
     return true;
 }
 
index da60284..645f1d3 100644 (file)
@@ -62,7 +62,7 @@ void SVGTextChunkBuilder::buildTextChunks(Vector<SVGInlineTextBox*>& lineLayoutB
             lastChunkStartPosition = boxPosition;
             foundStart = true;
         } else {
-            ASSERT(boxPosition > lastChunkStartPosition);
+            ASSERT_WITH_SECURITY_IMPLICATION(boxPosition > lastChunkStartPosition);
             addTextChunk(lineLayoutBoxes, lastChunkStartPosition, boxPosition - lastChunkStartPosition);
             lastChunkStartPosition = boxPosition;
         }
index e8f021b..9467c46 100644 (file)
@@ -367,7 +367,7 @@ bool SVGTextLayoutEngine::currentLogicalCharacterMetrics(SVGTextLayoutAttributes
         }
 
         ASSERT(textMetricsSize);
-        ASSERT(m_logicalMetricsListOffset < textMetricsSize);
+        ASSERT_WITH_SECURITY_IMPLICATION(m_logicalMetricsListOffset < textMetricsSize);
         logicalMetrics = textMetricsValues->at(m_logicalMetricsListOffset);
         if (logicalMetrics.isEmpty() || (!logicalMetrics.width() && !logicalMetrics.height())) {
             advanceToNextLogicalCharacter(logicalMetrics);
index 27df70a..8e0249f 100644 (file)
@@ -151,7 +151,7 @@ bool SVGTextQuery::mapStartEndPositionsIntoFragmentCoordinates(Data* queryData,
     if (!queryData->textBox->mapStartEndPositionsIntoFragmentCoordinates(fragment, startPosition, endPosition))
         return false;
 
-    ASSERT(startPosition < endPosition);
+    ASSERT_WITH_SECURITY_IMPLICATION(startPosition < endPosition);
     return true;
 }
 
index 890f979..154057a 100644 (file)
@@ -537,7 +537,7 @@ void SVGAnimationElement::currentValuesForValuesAnimation(float percent, float&
         --index;
     from = m_values[index];
     to = m_values[index + 1];
-    ASSERT(toPercent > fromPercent);
+    ASSERT_WITH_SECURITY_IMPLICATION(toPercent > fromPercent);
     effectivePercent = (percent - fromPercent) / (toPercent - fromPercent);
 
     if (calcMode == CalcModeSpline) {
index 26373eb..8927b75 100644 (file)
@@ -63,7 +63,7 @@ private:
         size_t typeSize = sizeof(ByteType);
 
         for (size_t i = 0; i < typeSize; ++i) {
-            ASSERT(m_streamCurrent < m_streamEnd);
+            ASSERT_WITH_SECURITY_IMPLICATION(m_streamCurrent < m_streamEnd);
             data.bytes[i] = *m_streamCurrent;
             ++m_streamCurrent;
         }
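Review bot: The promoted check sits inside the per-byte loop, so it is evaluated `typeSize` times and, in debug builds, reports a truncated stream only after the earlier bytes have already been copied into `data.bytes`. One check before the loop would state the precondition once, e.g. `ASSERT_WITH_SECURITY_IMPLICATION(static_cast<size_t>(m_streamEnd - m_streamCurrent) >= typeSize);` — assuming `m_streamCurrent` and `m_streamEnd` support subtraction, which the hunk does not show. `readType` starts before the hunk.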
index 7b6392c..e80fbf5 100644 (file)
@@ -1,3 +1,13 @@
+2013-09-06  Jessica Pease  <jessica_n_pease@apple.com>
+
+        Replace bounds checking ASSERTs with ASSERT_WITH_SECURITY_IMPLICATION
+        https://bugs.webkit.org/show_bug.cgi?id=120893
+
+        Reviewed by Darin Adler.
+
+        * Shared/Plugins/PluginQuirks.h:
+        (WebKit::PluginQuirks::add):
+
 2013-10-12  Darin Adler  <darin@apple.com>
 
         Use unique_ptr instead of delete in a few places
index 3205c15..18149fe 100644 (file)
@@ -113,7 +113,7 @@ public:
     void add(PluginQuirk quirk)
     {
         ASSERT(quirk >= 0);
-        ASSERT(quirk < NumPluginQuirks);
+        ASSERT_WITH_SECURITY_IMPLICATION(quirk < NumPluginQuirks);
         
         m_quirks |= (1 << quirk);
     }