WebCore:
author bdakin@apple.com <bdakin@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 26 Mar 2008 06:46:54 +0000 (06:46 +0000)
committer bdakin@apple.com <bdakin@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 26 Mar 2008 06:46:54 +0000 (06:46 +0000)
commit 849b03d9c06387557b2f47b0caba5b53345b6181
tree e08446ffe8ec0a9f5db1bd55aafc0a9e37eff2b6
parent 7bd6f6841c034f52b3b7aba4dfea43e3a4b2da21
WebCore:

2008-03-25  Beth Dakin  <bdakin@apple.com>

        Reviewed by Oliver.

        Fix for <rdar://problem/5811826> CSSValueList::item() does not
        range-check index

        Check bounds before accessing the item to avoid a crash.
        itemWithoutBoundsCheck() is still inlined and not bounds-checked to
        avoid slowing down our internal callers of item().
        * css/CSSValueList.cpp:
        (WebCore::CSSValueList::item):
        * css/CSSValueList.h:
        (WebCore::CSSValueList::itemWithoutBoundsCheck):

        Call itemWithoutBoundsCheck() to avoid slowing down these internal
        callers.
        * css/CSSFontSelector.cpp:
        (WebCore::CSSFontSelector::addFontFaceRule):
        * css/CSSMutableStyleDeclaration.cpp:
        (WebCore::CSSMutableStyleDeclaration::getLayeredShorthandValue):
        * css/CSSStyleSelector.cpp:
        (WebCore::applyCounterList):
        (WebCore::CSSStyleSelector::applyProperty):
        * css/MediaQueryEvaluator.cpp:
        (WebCore::parseAspectRatio):
        * svg/SVGFontFaceElement.cpp:
        (WebCore::SVGFontFaceElement::rebuildFontFace):
        * svg/graphics/SVGPaintServer.cpp:
        (WebCore::dashArrayFromRenderingStyle):

LayoutTests:

2008-03-25  Beth Dakin  <bdakin@apple.com>

        Reviewed by Oliver.

        Test for <rdar://problem/5811826> CSSValueList::item() does not
        range-check index

        * fast/css/resources/bikes.bmp: Added.
        * fast/css/value-list-out-of-bounds-crash.html: Added.
        * platform/mac/fast/css/value-list-out-of-bounds-crash-expected.checksum: Added.
        * platform/mac/fast/css/value-list-out-of-bounds-crash-expected.png: Added.
        * platform/mac/fast/css/value-list-out-of-bounds-crash-expected.txt: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@31309 268f45cc-cd09-0410-ab3c-d52691b4dbfc
15 files changed:
LayoutTests/ChangeLog
LayoutTests/fast/css/resources/bikes.bmp [new file with mode: 0644]
LayoutTests/fast/css/value-list-out-of-bounds-crash.html [new file with mode: 0644]
LayoutTests/platform/mac/fast/css/value-list-out-of-bounds-crash-expected.checksum [new file with mode: 0644]
LayoutTests/platform/mac/fast/css/value-list-out-of-bounds-crash-expected.png [new file with mode: 0644]
LayoutTests/platform/mac/fast/css/value-list-out-of-bounds-crash-expected.txt [new file with mode: 0644]
WebCore/ChangeLog
WebCore/css/CSSFontSelector.cpp
WebCore/css/CSSMutableStyleDeclaration.cpp
WebCore/css/CSSStyleSelector.cpp
WebCore/css/CSSValueList.cpp
WebCore/css/CSSValueList.h
WebCore/css/MediaQueryEvaluator.cpp
WebCore/svg/SVGFontFaceElement.cpp
WebCore/svg/graphics/SVGPaintServer.cpp
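
The split the commit message describes, a range-checked item() alongside an unchecked, inlined itemWithoutBoundsCheck() for internal callers, sketched as an added example. This is not WebKit's code: Value, ValueList, totalTextLength and textAt are hypothetical simplified names, and returning null for an out-of-range index is an assumption about the checked path.

```cpp
#include <cassert>
#include <cstddef>
#include <string>
#include <vector>

struct Value { std::string text; };  // hypothetical stand-in, not WebKit's CSSValue

class ValueList {  // hypothetical simplified list, not WebKit's CSSValueList
public:
    void append(const std::string& text) { m_values.push_back(Value{text}); }
    std::size_t length() const { return m_values.size(); }

    // Checked accessor for indexes that arrive from outside the engine.
    // An out-of-range index returns null instead of reading past the end.
    const Value* item(std::size_t index) const {
        return index < m_values.size() ? &m_values[index] : nullptr;
    }

    // Unchecked fast path for callers that already bound the index by
    // length(). The assert states the contract and vanishes under NDEBUG.
    const Value* itemWithoutBoundsCheck(std::size_t index) const {
        assert(index < m_values.size());
        return &m_values[index];
    }

private:
    std::vector<Value> m_values;
};

// Internal caller: the loop condition is the bounds check.
std::size_t totalTextLength(const ValueList& list) {
    std::size_t total = 0;
    for (std::size_t i = 0; i < list.length(); ++i)
        total += list.itemWithoutBoundsCheck(i)->text.size();
    return total;
}

// Caller with an untrusted index: use item() and handle the null result.
std::string textAt(const ValueList& list, std::size_t index) {
    const Value* value = list.item(index);
    return value ? value->text : std::string();
}

int main() {
    ValueList list;  // constructed sample data
    list.append("solid");
    list.append("1px");
    return (totalTextLength(list) == 8 && textAt(list, 2).empty()) ? 0 : 1;
}
```

Because the index is unsigned, a negative number converted from a signed type becomes a very large value and fails the same comparison.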