diff options
| author | Bart Sears <bsears@google.com> | 2011-03-13 17:32:54 -0700 |
|---|---|---|
| committer | Android Git Automerger <android-git-automerger@android.com> | 2011-03-13 17:32:54 -0700 |
| commit | df04d7a71c88ac5b84b3a3d06fdc8834eb1f2da2 (patch) | |
| tree | 71dbafed5c17ca7e9eb95d68a058d3dd20616625 /WebCore/dom | |
| parent | 25b379124e2660c9310c65e647c32d533d9237c0 (diff) | |
| parent | bcc077531734eca7eb8663a76ab8d4c15721672c (diff) | |
| download | external_webkit-df04d7a71c88ac5b84b3a3d06fdc8834eb1f2da2.zip external_webkit-df04d7a71c88ac5b84b3a3d06fdc8834eb1f2da2.tar.gz external_webkit-df04d7a71c88ac5b84b3a3d06fdc8834eb1f2da2.tar.bz2 | |
am bcc07753: Cherry-pick change Ibaa52a6b (webkit security patch)
* commit 'bcc077531734eca7eb8663a76ab8d4c15721672c':
Cherry-pick change Ibaa52a6b (webkit security patch)
Diffstat (limited to 'WebCore/dom')
| -rw-r--r-- | WebCore/dom/StyleElement.cpp | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/WebCore/dom/StyleElement.cpp b/WebCore/dom/StyleElement.cpp index 157e8f9..e9878a6 100644 --- a/WebCore/dom/StyleElement.cpp +++ b/WebCore/dom/StyleElement.cpp @@ -95,8 +95,12 @@ void StyleElement::process(Element* e) unsigned resultLength = 0; for (Node* c = e->firstChild(); c; c = c->nextSibling()) { Node::NodeType nodeType = c->nodeType(); - if (nodeType == Node::TEXT_NODE || nodeType == Node::CDATA_SECTION_NODE || nodeType == Node::COMMENT_NODE) - resultLength += c->nodeValue().length(); + if (nodeType == Node::TEXT_NODE || nodeType == Node::CDATA_SECTION_NODE || nodeType == Node::COMMENT_NODE) { + unsigned length = c->nodeValue().length(); + if (length > std::numeric_limits<unsigned>::max() - resultLength) + CRASH(); + resultLength += length; + } } UChar* text; String sheetText = String::createUninitialized(resultLength, text); |