https://bugs.webkit.org/show_bug.cgi?id=82605
Patch by Zalan Bujtas <zbujtas@gmail.com> on 2012-03-30
Reviewed by Kenneth Rohde Christiansen.
.:
* ManualTests/tap-gesture-in-iframe-with-tap-highlight-crash.html: Added.
Source/WebCore:
In pathForRenderer, the for loop has 'i < rects().size() - 1' as its test expression,
where rects().size() returns a size_t.
In case of an empty rect, it leads to unsigned int overflow. The overflow value makes
the associated for loop run with invalid values.
Fix it by making the loop variable an int and no longer using the size_t type in the test expression.
Also, return early if no focus ring is found.
Manual test added. The tap gesture highlighter is triggered by the UI process.
* page/GestureTapHighlighter.cpp:
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@112723 268f45cc-cd09-0410-ab3c-d52691b4dbfc
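The wrap-around the commit message describes is easy to reproduce outside WebKit. The following stand-alone C++ is an added illustration, not code from this patch or from WebKit's tree: `Rect` and `sampleLineRects()` are constructed stand-ins for `LayoutRect` and the output of `addFocusRingRects()`, and `mergeMiddleRects()` shows a loop test (`i + 1 < size()`) that cannot wrap for any vector size, as an alternative to the signed bound the patch lands; `mergeMiddleRectsSignedBound()` mirrors the shape of the landed fix for comparison.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Stand-in for the per-line focus-ring rectangles that addFocusRingRects()
// collects in WebKit. Constructed for this example; not WebKit's LayoutRect.
struct Rect {
    int x, y, width, height;

    bool isEmpty() const { return width <= 0 || height <= 0; }

    // Mirrors the intent of LayoutRect::uniteIfNonZero: ignore empty rects,
    // otherwise grow to the bounding box of both.
    void uniteIfNonZero(const Rect& other)
    {
        if (other.isEmpty())
            return;
        if (isEmpty()) {
            *this = other;
            return;
        }
        int right = std::max(x + width, other.x + other.width);
        int bottom = std::max(y + height, other.y + other.height);
        x = std::min(x, other.x);
        y = std::min(y, other.y);
        width = right - x;
        height = bottom - y;
    }
};

// The original loop bound. size() is size_t, so for an empty vector
// 0 - 1 wraps to SIZE_MAX, and "i < SIZE_MAX" holds for every i the loop tries.
std::size_t originalLoopBound(const std::vector<Rect>& rects)
{
    return rects.size() - 1;
}

// Merge the middle rects (all but the first and last) with a loop test that
// cannot wrap: i + 1 < size() equals i < size() - 1 whenever size() >= 1,
// and is plainly false when size() is 0 or 1, so no separate guard is needed.
Rect mergeMiddleRects(const std::vector<Rect>& rects)
{
    Rect mid = {0, 0, 0, 0};
    for (std::size_t i = 1; i + 1 < rects.size(); ++i)
        mid.uniteIfNonZero(rects.at(i));
    return mid;
}

// Same merge in the shape of the landed fix: guard emptiness first, then use
// a signed bound. The guard is what makes size() - 1 safe; the int conversion
// alone would only turn a wrapped SIZE_MAX into -1 by narrowing.
Rect mergeMiddleRectsSignedBound(const std::vector<Rect>& rects)
{
    Rect mid = {0, 0, 0, 0};
    if (rects.empty())
        return mid;
    int end = static_cast<int>(rects.size()) - 1;
    for (int i = 1; i < end; ++i)
        mid.uniteIfNonZero(rects.at(static_cast<std::size_t>(i)));
    return mid;
}

// Constructed sample input: n "text line" boxes stepping down the page.
std::vector<Rect> sampleLineRects(std::size_t n)
{
    std::vector<Rect> rects;
    for (std::size_t i = 0; i < n; ++i)
        rects.push_back({static_cast<int>(10 * i), static_cast<int>(20 * i), 100, 15});
    return rects;
}

int main()
{
    std::printf("empty vector: size() - 1 == %zu (SIZE_MAX is %zu)\n",
                originalLoopBound(sampleLineRects(0)), static_cast<std::size_t>(SIZE_MAX));
    Rect mid = mergeMiddleRects(sampleLineRects(4));
    std::printf("four lines: middle box is %d,%d %dx%d\n", mid.x, mid.y, mid.width, mid.height);
    return 0;
}
```

The unsigned formulation is preferable to the signed one in new code: it removes the `size_t` to `int` narrowing entirely rather than relying on an earlier early-return to keep the subtraction in range.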
+2012-03-30 Zalan Bujtas <zbujtas@gmail.com>
+
+ Fix defective size_t overflow in GestureTapHighlighter.
+ https://bugs.webkit.org/show_bug.cgi?id=82605
+
+ Reviewed by Kenneth Rohde Christiansen.
+
+ * ManualTests/tap-gesture-in-iframe-with-tap-highlight-crash.html: Added.
+
2012-03-30 David Barr <davidbarr@chromium.org>
Split up top-level .gitignore and .gitattributes
--- /dev/null
+<html>
+<body>
+ <p>This test verifies that touch gesture on an iframe does not crash when tap highlighting is on.</p>
+ <p style='color:green'>Tapping on the iframe should not crash.</p>
+ <iframe src='data:text/html,
+ <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+ <html>
+ <body style="margin: 0px;"></body>
+ </html>'>
+ </iframe>
+</body>
+</html>
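Review bot: the test page states the expected outcome but not how to reach it; since the WebCore ChangeLog says the tap highlighter is only triggered from the UI process, the first `<p>` should tell the tester which setup is required (a touch-capable build with tap highlighting enabled) and which action reproduces the crash (a single tap inside the iframe), otherwise the page cannot be run as a manual test without first reading the bug.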
+2012-03-30 Zalan Bujtas <zbujtas@gmail.com>
+
+ Fix defective size_t overflow in GestureTapHighlighter.
+ https://bugs.webkit.org/show_bug.cgi?id=82605
+
+ Reviewed by Kenneth Rohde Christiansen.
+
+ In pathForRenderer, the for loop has 'i < rects().size() - 1' as test expression,
+ where rects().size() returns with size_t.
+ In case of empty rect, it leads to unsigned int overflow. Overflow value makes
+ the associated for loop run with invalid values.
+ Fix it by making loop variable int and stop using size_t type in the test expression.
+ Also, return early, if no focus ring found.
+
+ Manual test added. Tap gesture highlighter is getting triggered by UI process.
+
+ * page/GestureTapHighlighter.cpp:
+
2012-03-30 Mark Pilgrim <pilgrim@chromium.org>
GEOLOCATION should be implemented as Page Supplement
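Review bot: the file entry `* page/GestureTapHighlighter.cpp:` should name the changed function in the usual ChangeLog form, e.g. `(WebCore::pathForRenderer):`, since the description refers to that function; also "In case of empty rect" describes the wrong condition, as the overflow happens when the rects vector itself is empty (no focus ring rects at all), which is exactly what the new `rects.isEmpty()` early return checks, so the wording should say "empty rects vector".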
Vector<IntRect> rects;
o->addFocusRingRects(rects, /* acc. offset */ ownerFrameToMainFrameOffset(o));
+ if (rects.isEmpty())
+ return path;
+
// The basic idea is to allow up to three different boxes in order to highlight
// text with line breaks more nicer than using a bounding box.
// Merge all center boxes (all but the first and the last).
LayoutRect mid;
- for (size_t i = 1; i < rects.size() - 1; ++i)
+
+ // Set the end value to integer. It ensures that no unsigned int overflow occurs
+ // in the test expression, in case of empty rects vector.
+ int end = rects.size() - 1;
+ for (int i = 1; i < end; ++i)
mid.uniteIfNonZero(rects.at(i));
Vector<LayoutRect> drawableRects;
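Review bot: the comment above `int end = rects.size() - 1;` overstates what the conversion to int achieves: the subtraction is still evaluated in size_t, so with an empty vector it would wrap to SIZE_MAX and only the implementation-defined narrowing to int would turn that into -1; what actually keeps the bound in range is the `if (rects.isEmpty()) return path;` guard added earlier in the hunk. Either reword the comment to say the early return guarantees `rects.size() >= 1`, or drop the signed variable and write `for (size_t i = 1; i + 1 < rects.size(); ++i)`, which cannot wrap for any size, needs no guard for correctness, and avoids a size_t-to-int narrowing that -Wconversion / -Wshorten-64-to-32 will flag.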