Commit 5f2e9dec authored by msaboff@apple.com

equal() in CSSParser.cpp should check the length of characters

https://bugs.webkit.org/show_bug.cgi?id=95706

Source/WebCore: 

Reviewed by Abhishek Arya.

Pass the length of string literals to CSSParser static functions equal() and 
equalIgnoringCase() so that checks won't access out of bounds memory.

Added test fast/css/crash-comparing-equal.html.

* css/CSSParser.cpp:
(WebCore::equal): Use template to retrieve the length of string literal.
(WebCore::equalIgnoringCase): Ditto.
(WebCore::CSSParser::parseDashboardRegions): Use const char[] instead of const char*

LayoutTests: 

Added test from duplicate defect https://bugs.webkit.org/show_bug.cgi?id=95634.

Reviewed by Abhishek Arya.

* fast/css/crash-comparing-equal-expected.txt: Added.
* fast/css/crash-comparing-equal.html: Added.


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@127508 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent 3a62cc61
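The out-of-bounds read the commit message describes, beside the template-based fix, as an added stand-alone example (not WebKit's code): `ParserString` is an assumed simplification of `CSSParserString`, and `equalUnsafe`, `overreadBytes`, `equalSafe` and `equalIgnoringCaseSafe` are names chosen here, not WebCore's.

```cpp
#include <cassert>
#include <cctype>
#include <cstring>

// Stand-in for WebCore's CSSParserString (assumed, simplified): a slice of the
// stylesheet text that is not null-terminated, plus its length.
struct ParserString {
    const char* characters;
    unsigned length;
};

// BEFORE the patch (same shape as the removed code): the comparison walks
// a.length characters of b, so a token longer than the literal reads past
// b's terminating null. Only ever called on well-formed input below.
static bool equalUnsafe(const ParserString& a, const char* b)
{
    return std::memcmp(a.characters, b, a.length) == 0;
}

// Bytes beyond the literal (its characters plus the null) that the old
// comparison touches for a token of a's length; 0 means no over-read.
static unsigned overreadBytes(const ParserString& a, const char* b)
{
    unsigned literalBytes = static_cast<unsigned>(std::strlen(b)) + 1;
    return a.length > literalBytes ? a.length - literalBytes : 0;
}

// AFTER: binding b as a reference to an array deduces N at compile time, so a
// plain const char* no longer compiles, and the length check runs before any
// character of either string is read.
template <unsigned N>
static bool equalSafe(const ParserString& a, const char (&b)[N])
{
    assert(b[N - 1] == '\0'); // N includes the null; reject a char array without one
    unsigned length = N - 1;
    if (a.length != length)
        return false;
    return std::memcmp(a.characters, b, length) == 0;
}
template <unsigned N>
static bool equalIgnoringCaseSafe(const ParserString& a, const char (&b)[N])
{
    assert(b[N - 1] == '\0');
    unsigned length = N - 1;
    if (a.length != length)
        return false;
    for (unsigned i = 0; i < length; ++i) {
        if (std::tolower(static_cast<unsigned char>(a.characters[i])) != std::tolower(static_cast<unsigned char>(b[i])))
            return false;
    }
    return true;
}
```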
2012-09-04 Michael Saboff <msaboff@apple.com>
equal() in CSSParser.cpp should check the length of characters
https://bugs.webkit.org/show_bug.cgi?id=95706
Added test from duplicate defect https://bugs.webkit.org/show_bug.cgi?id=95634.
Reviewed by Abhishek Arya.
* fast/css/crash-comparing-equal-expected.txt: Added.
* fast/css/crash-comparing-equal.html: Added.
2012-09-04 Roger Fong <roger_fong@apple.com>
Unreviewed gardening. meda/video-controls-captions.html fails on Windows after it was introduced in http://trac.webkit.org/changeset/127035.
This page shouldn't crash when parsing CSS - Bug 95706.
<html>
<head>
<script>
if (window.testRunner)
testRunner.dumpAsText();
</script>
<style>
#parent {
font: 20px/1 ahem;
</style>
</head>
<body>
This page shouldn't crash when parsing CSS - Bug 95706.
</body>
</html>
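Review bot: the `<style>` block in crash-comparing-equal.html leaves `#parent {` unclosed and goes straight to `</style>` with no `}`; if that truncated rule is what drives the comparison in bug 95706, say so in a comment in the test (or in the ChangeLog), otherwise a later tidy-up could "fix" the brace and quietly lose the regression coverage. The expected file containing only the body text is consistent with `testRunner.dumpAsText()`.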
2012-09-04 Michael Saboff <msaboff@apple.com>
equal() in CSSParser.cpp should check the length of characters
https://bugs.webkit.org/show_bug.cgi?id=95706
Reviewed by Abhishek Arya.
Pass the length of string literals to CSSParser static functions equal() and
equalIgnoringCase() so that checks won't access out of bounds memory.
Added test fast/css/crash-comparing-equal.html.
* css/CSSParser.cpp:
(WebCore::equal): Use template to retrieve the length of string literal.
(WebCore::equalIgnoringCase): Ditto.
(WebCore::CSSParser::parseDashboardRegions): Use const char[] instead of const char*
2012-09-04 Antonio Gomes <agomes@rim.com>
[BlackBerry] Use child/ScrollableContent layer's position instead of parent/ScrollLayer's boundsOrigin
......@@ -156,14 +156,24 @@ namespace WebCore {
static const unsigned INVALID_NUM_PARSED_PROPERTIES = UINT_MAX;
static const double MAX_SCALE = 1000000;
static bool equal(const CSSParserString& a, const char* b)
template <unsigned N>
static bool equal(const CSSParserString& a, const char (&b)[N])
{
return a.is8Bit() ? WTF::equal(a.characters8(), reinterpret_cast<const LChar*>(b), a.length()) : WTF::equal(a.characters16(), reinterpret_cast<const LChar*>(b), a.length());
unsigned length = N - 1; // Ignore the trailing null character
if (a.length() != length)
return false;
return a.is8Bit() ? WTF::equal(a.characters8(), reinterpret_cast<const LChar*>(b), length) : WTF::equal(a.characters16(), reinterpret_cast<const LChar*>(b), length);
}
static bool equalIgnoringCase(const CSSParserString& a, const char* b)
template <unsigned N>
static bool equalIgnoringCase(const CSSParserString& a, const char (&b)[N])
{
return a.is8Bit() ? WTF::equalIgnoringCase(b, a.characters8(), a.length()) : WTF::equalIgnoringCase(b, a.characters16(), a.length());
unsigned length = N - 1; // Ignore the trailing null character
if (a.length() != length)
return false;
return a.is8Bit() ? WTF::equalIgnoringCase(b, a.characters8(), length) : WTF::equalIgnoringCase(b, a.characters16(), length);
}
static bool hasPrefix(const char* string, unsigned length, const char* prefix)
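Review bot: the early `if (a.length() != length) return false;` is the real fix here, since the removed lines passed `a.length()` as the compare count and so read past the end of `b` for any token longer than the literal; but `unsigned length = N - 1;` in both templates assumes `b` carries a trailing null, and a `const char` array built without one would silently compare one character short. Consider `ASSERT(!b[N - 1]);` next to the `// Ignore the trailing null character` comment so a non-literal array trips in debug builds. The same length-check lines are duplicated between `equal()` and `equalIgnoringCase()`; a small shared helper would keep the two from drifting apart.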
......@@ -4333,7 +4343,7 @@ bool CSSParser::parseDashboardRegions(CSSPropertyID propId, bool important)
}
bool validFunctionName = false;
#if ENABLE(DASHBOARD_SUPPORT)
static const char* const dashboardRegionFunctionName = "dashboard-region(";
static const char dashboardRegionFunctionName[] = "dashboard-region(";
if (equalIgnoringCase(value->function->name, dashboardRegionFunctionName)) {
validFunctionName = true;
#if ENABLE(DASHBOARD_SUPPORT) && ENABLE(WIDGET_REGION)
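Review bot: changing `dashboardRegionFunctionName` from `const char* const` to `const char[]` is what lets `N` be deduced, and with the `const char*` overloads removed in the first hunk a pointer at this call site would now fail to compile instead of taking the unbounded path, which is the right direction. The ChangeLog line "Use const char[] instead of const char*" should say why, so that anyone adding a call site with a runtime string knows the pointer overloads are gone on purpose.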
......@@ -4343,7 +4353,7 @@ bool CSSParser::parseDashboardRegions(CSSPropertyID propId, bool important)
}
#endif
#if ENABLE(WIDGET_REGION)
static const char* const widgetRegionFunctionName = "region(";
static const char widgetRegionFunctionName[] = "region(";
if (equalIgnoringCase(value->function->name, widgetRegionFunctionName)) {
validFunctionName = true;
#if ENABLE(DASHBOARD_SUPPORT) && ENABLE(WIDGET_REGION)