    Fix defective size_t overflow in GestureTapHighlighter. · f3f52cd3
    commit-queue@webkit.org authored
    https://bugs.webkit.org/show_bug.cgi?id=82605
    
    Patch by Zalan Bujtas <zbujtas@gmail.com> on 2012-03-30
    Reviewed by Kenneth Rohde Christiansen.
    
    .:
    
    * ManualTests/tap-gesture-in-iframe-with-tap-highlight-crash.html: Added.
    
    Source/WebCore:
    
    In pathForRenderer, the for loop has 'i < rects().size() - 1' as its test expression,
    where rects().size() returns a size_t.
    In case of an empty rect, this leads to an unsigned int overflow. The overflowed value makes
    the associated for loop run with invalid values.
    Fix it by making the loop variable an int and by no longer using the size_t type in the test expression.
    Also, return early if no focus ring is found.
    
    Manual test added. The tap gesture highlighter gets triggered by the UI process.
    
    * page/GestureTapHighlighter.cpp:
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@112723 268f45cc-cd09-0410-ab3c-d52691b4dbfc
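The following is an added example, not WebKit's code, that models the loop-bound defect the commit message describes: with size_t arithmetic, `rects.size() - 1` wraps to SIZE_MAX when the vector is empty, so `i < rects.size() - 1` admits indices that do not exist. The names `IntRect`, `WalkResult`, `joinAdjacentRectsBuggy`, `joinAdjacentRectsFixed`, `wrappedBound` and `sampleRects` are hypothetical stand-ins for the pairwise walk in `pathForRenderer`; the buggy variant reads through `std::vector::at()` so the wrapped index surfaces as an exception instead of an out-of-bounds read, and the fixed variant applies the two changes the commit names (early return on empty input, signed loop variable and bound).

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <vector>

// Hypothetical stand-in for WebCore's IntRect (constructed for this example).
struct IntRect {
    int x;
    int y;
    int width;
    int height;
};

// Hypothetical result type: how many adjacent pairs the walk joined, and
// whether it ever tried to read an index the vector does not have.
struct WalkResult {
    size_t pairsJoined = 0;
    bool outOfRangeAccess = false;
};

// The bound the pre-fix loop computed. In size_t arithmetic an empty
// vector yields SIZE_MAX rather than -1.
size_t wrappedBound(const std::vector<IntRect>& rects) {
    return rects.size() - 1;
}

// Pre-fix shape of the loop: 'i < rects.size() - 1' in unsigned arithmetic.
// std::vector::at() is used instead of operator[] so that the wrapped index
// is reported as std::out_of_range rather than silently read past the end.
WalkResult joinAdjacentRectsBuggy(const std::vector<IntRect>& rects) {
    WalkResult result;
    try {
        for (size_t i = 0; i < rects.size() - 1; ++i) {
            const IntRect& current = rects.at(i);
            const IntRect& next = rects.at(i + 1);
            (void)current;
            (void)next;
            ++result.pairsJoined;
        }
    } catch (const std::out_of_range&) {
        result.outOfRangeAccess = true;
    }
    return result;
}

// Post-fix shape: return early when there is nothing to walk, and keep the
// loop variable and bound in signed arithmetic so that size 0 gives bound -1.
WalkResult joinAdjacentRectsFixed(const std::vector<IntRect>& rects) {
    WalkResult result;
    if (rects.empty())
        return result;
    const int count = static_cast<int>(rects.size());
    for (int i = 0; i < count - 1; ++i) {
        const IntRect& current = rects[static_cast<size_t>(i)];
        const IntRect& next = rects[static_cast<size_t>(i) + 1];
        (void)current;
        (void)next;
        ++result.pairsJoined;
    }
    return result;
}

// Constructed sample input: three stacked focus-ring rectangles.
std::vector<IntRect> sampleRects() {
    return { {0, 0, 10, 10}, {0, 10, 10, 10}, {0, 20, 10, 10} };
}

int main() {
    const std::vector<IntRect> empty;
    std::printf("size() - 1 for an empty vector: %zu\n", wrappedBound(empty));
    WalkResult buggy = joinAdjacentRectsBuggy(empty);
    std::printf("buggy loop on empty input: out-of-range access = %s\n",
                buggy.outOfRangeAccess ? "yes" : "no");
    WalkResult fixed = joinAdjacentRectsFixed(sampleRects());
    std::printf("fixed loop on 3 rects: pairs joined = %zu\n", fixed.pairsJoined);
    return 0;
}
```

On non-empty input both variants join the same number of pairs, which is why the defect only shows up on the empty case the manual test exercises; in the real code `operator[]` would not throw, and the wrapped bound would instead drive an out-of-bounds read. Any `size() - 1` comparison against an unsigned loop counter is worth the same review question: what does the bound evaluate to when size() is zero?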