diff options
| author | Bart Sears <bsears@google.com> | 2011-03-11 16:17:22 -0800 |
|---|---|---|
| committer | Bart Sears <bsears@google.com> | 2011-03-11 16:17:22 -0800 |
| commit | 68c221808cf7a4776ba8feae02611d3c78e9f857 (patch) | |
| tree | bc695d0622452e8ba0c52b961c5d1daeeec4499c /WebCore | |
| parent | 591ab58df1b16eb937b3438f3af26c1b97c658fd (diff) | |
| download | external_webkit-68c221808cf7a4776ba8feae02611d3c78e9f857.zip external_webkit-68c221808cf7a4776ba8feae02611d3c78e9f857.tar.gz external_webkit-68c221808cf7a4776ba8feae02611d3c78e9f857.tar.bz2 | |
Apply webit security patch
bug: 4089100
Change-Id: Ibaa52a6bcbbe47f33ec4131051309ed05b05748b
Diffstat (limited to 'WebCore')
| -rw-r--r-- | WebCore/dom/StyleElement.cpp | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/WebCore/dom/StyleElement.cpp b/WebCore/dom/StyleElement.cpp index f881179..7bec24a 100644 --- a/WebCore/dom/StyleElement.cpp +++ b/WebCore/dom/StyleElement.cpp @@ -64,8 +64,12 @@ void StyleElement::process(Element* e) unsigned resultLength = 0; for (Node* c = e->firstChild(); c; c = c->nextSibling()) { Node::NodeType nodeType = c->nodeType(); - if (nodeType == Node::TEXT_NODE || nodeType == Node::CDATA_SECTION_NODE || nodeType == Node::COMMENT_NODE) - resultLength += c->nodeValue().length(); + if (nodeType == Node::TEXT_NODE || nodeType == Node::CDATA_SECTION_NODE || nodeType == Node::COMMENT_NODE) { + unsigned length = c->nodeValue().length(); + if (length > std::numeric_limits<unsigned>::max() - resultLength) + CRASH(); + resultLength += length; + } } UChar* text; String sheetText = String::createUninitialized(resultLength, text); |