From a42794783dfec7f142845611dc0f20bfe2657c49 Mon Sep 17 00:00:00 2001
From: Steve Block <steveblock@google.com>
Date: Thu, 5 Aug 2010 12:12:56 +0100
Subject: Cherry-pick WebKit change 61921 to fix exploitable memory corruption
 in RenderBoxModelObject

Bug: 2895569
Change-Id: Iea09dc4fdc35e68ccad36deed2132f02e3778e34
---
 WebCore/platform/text/BidiResolver.h | 67 +++++++++++++++++++++---------------
 1 file changed, 39 insertions(+), 28 deletions(-)

(limited to 'WebCore/platform/text')

diff --git a/WebCore/platform/text/BidiResolver.h b/WebCore/platform/text/BidiResolver.h
index 286cdcd..a99fd01 100644
--- a/WebCore/platform/text/BidiResolver.h
+++ b/WebCore/platform/text/BidiResolver.h
@@ -806,35 +806,33 @@ void BidiResolver<Iterator, Run>::createBidiRunsForLine(const Iterator& end, boo
             break;
         }
 
-        if (pastEnd) {
-            if (eor == current) {
-                if (!reachedEndOfLine) {
-                    eor = endOfLine;
-                    switch (m_status.eor) {
-                        case LeftToRight:
-                        case RightToLeft:
-                        case ArabicNumber:
-                            m_direction = m_status.eor;
-                            break;
-                        case EuropeanNumber:
-                            m_direction = m_status.lastStrong == LeftToRight ? LeftToRight : EuropeanNumber;
-                            break;
-                        default:
-                            ASSERT(false);
-                    }
-                    appendRun();
+        if (pastEnd && eor == current) {
+            if (!reachedEndOfLine) {
+                eor = endOfLine;
+                switch (m_status.eor) {
+                    case LeftToRight:
+                    case RightToLeft:
+                    case ArabicNumber:
+                        m_direction = m_status.eor;
+                        break;
+                    case EuropeanNumber:
+                        m_direction = m_status.lastStrong == LeftToRight ? LeftToRight : EuropeanNumber;
+                        break;
+                    default:
+                        ASSERT(false);
                 }
-                current = end;
-                m_status = stateAtEnd.m_status;
-                sor = stateAtEnd.sor; 
-                eor = stateAtEnd.eor;
-                last = stateAtEnd.last;
-                reachedEndOfLine = stateAtEnd.reachedEndOfLine;
-                lastBeforeET = stateAtEnd.lastBeforeET;
-                emptyRun = stateAtEnd.emptyRun;
-                m_direction = OtherNeutral;
-                break;
+                appendRun();
             }
+            current = end;
+            m_status = stateAtEnd.m_status;
+            sor = stateAtEnd.sor; 
+            eor = stateAtEnd.eor;
+            last = stateAtEnd.last;
+            reachedEndOfLine = stateAtEnd.reachedEndOfLine;
+            lastBeforeET = stateAtEnd.lastBeforeET;
+            emptyRun = stateAtEnd.emptyRun;
+            m_direction = OtherNeutral;
+            break;
         }
 
         // set m_status.last as needed.
@@ -887,8 +885,21 @@ void BidiResolver<Iterator, Run>::createBidiRunsForLine(const Iterator& end, boo
         }
 
         increment();
-        if (!m_currentExplicitEmbeddingSequence.isEmpty())
+        if (!m_currentExplicitEmbeddingSequence.isEmpty()) {
             commitExplicitEmbedding();
+            if (pastEnd) {
+                current = end;
+                m_status = stateAtEnd.m_status;
+                sor = stateAtEnd.sor; 
+                eor = stateAtEnd.eor;
+                last = stateAtEnd.last;
+                reachedEndOfLine = stateAtEnd.reachedEndOfLine;
+                lastBeforeET = stateAtEnd.lastBeforeET;
+                emptyRun = stateAtEnd.emptyRun;
+                m_direction = OtherNeutral;
+                break;
+            }
+        }
 
         if (emptyRun && (dirCurrent == RightToLeftEmbedding
                 || dirCurrent == LeftToRightEmbedding
-- 
cgit v1.1