-rw-r--r-- | WebCore/dom/StyleElement.cpp | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/WebCore/dom/StyleElement.cpp b/WebCore/dom/StyleElement.cpp
index f881179..7bec24a 100644
--- a/WebCore/dom/StyleElement.cpp
+++ b/WebCore/dom/StyleElement.cpp
@@ -64,8 +64,12 @@ void StyleElement::process(Element* e)
 unsigned resultLength = 0;
 for (Node* c = e->firstChild(); c; c = c->nextSibling()) {
 Node::NodeType nodeType = c->nodeType();
- if (nodeType == Node::TEXT_NODE || nodeType == Node::CDATA_SECTION_NODE || nodeType == Node::COMMENT_NODE)
- resultLength += c->nodeValue().length();
+ if (nodeType == Node::TEXT_NODE || nodeType == Node::CDATA_SECTION_NODE || nodeType == Node::COMMENT_NODE) {
+ unsigned length = c->nodeValue().length();
+ if (length > std::numeric_limits<unsigned>::max() - resultLength)
+ CRASH();
+ resultLength += length;
+ }
 }
 UChar* text;
 String sheetText = String::createUninitialized(resultLength, text); |
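Review bot: The new overflow guard in the child-node loop uses `std::numeric_limits<unsigned>::max()`, but the diffstat shows all six insertions sit inside this hunk, so no `#include <limits>` was added. Unless the file already includes it (not visible here), the build relies on a transitive include and the header should be added explicitly. The guard would also benefit from a one-line comment saying why it aborts, e.g. `// resultLength sizes the buffer from String::createUninitialized(); a wrapped sum would under-allocate it, so fail hard.` That the later fill of `text` would overrun an under-sized buffer is inferred, because `StyleElement::process` begins before the hunk and continues past its last line.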