diff options
| author | Bart Sears <bsears@google.com> | 2011-03-13 16:50:03 -0700 |
|---|---|---|
| committer | Android Git Automerger <android-git-automerger@android.com> | 2011-03-13 16:50:03 -0700 |
| commit | db584582301d76b995c98bb52ba4dd87c3cf8caf (patch) | |
| tree | 27ee90ca47bb39f98bab1aae653be15739d66a76 | |
| parent | 4c418d6168b93e442dfcff7da1a4b7233a630f6d (diff) | |
| parent | 68c221808cf7a4776ba8feae02611d3c78e9f857 (diff) | |
| download | external_webkit-db584582301d76b995c98bb52ba4dd87c3cf8caf.zip external_webkit-db584582301d76b995c98bb52ba4dd87c3cf8caf.tar.gz external_webkit-db584582301d76b995c98bb52ba4dd87c3cf8caf.tar.bz2 | |
am 68c22180: Apply webit security patch
* commit '68c221808cf7a4776ba8feae02611d3c78e9f857':
Apply webit security patch
| -rw-r--r-- | WebCore/dom/StyleElement.cpp | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/WebCore/dom/StyleElement.cpp b/WebCore/dom/StyleElement.cpp index f881179..7bec24a 100644 --- a/WebCore/dom/StyleElement.cpp +++ b/WebCore/dom/StyleElement.cpp @@ -64,8 +64,12 @@ void StyleElement::process(Element* e) unsigned resultLength = 0; for (Node* c = e->firstChild(); c; c = c->nextSibling()) { Node::NodeType nodeType = c->nodeType(); - if (nodeType == Node::TEXT_NODE || nodeType == Node::CDATA_SECTION_NODE || nodeType == Node::COMMENT_NODE) - resultLength += c->nodeValue().length(); + if (nodeType == Node::TEXT_NODE || nodeType == Node::CDATA_SECTION_NODE || nodeType == Node::COMMENT_NODE) { + unsigned length = c->nodeValue().length(); + if (length > std::numeric_limits<unsigned>::max() - resultLength) + CRASH(); + resultLength += length; + } } UChar* text; String sheetText = String::createUninitialized(resultLength, text); |