From bbab1c84ba835d6d9591ea291ceebe8dcce2d343 Mon Sep 17 00:00:00 2001 From: Cary Clark Date: Tue, 6 Oct 2009 13:34:21 -0400 Subject: address detection may look at uninitialized memory Address detection on web pages creates arrays of pointers to words, and compares them against a set of permitted street types. This change adds the array of end pointers so that the check does not look past the end of the word. Fixes http://b/issue?id=2166591 --- WebKit/android/nav/CacheBuilder.cpp | 27 ++++++++------------------- WebKit/android/nav/CacheBuilder.h | 17 +++++++++++++++++ 2 files changed, 25 insertions(+), 19 deletions(-) (limited to 'WebKit') diff --git a/WebKit/android/nav/CacheBuilder.cpp b/WebKit/android/nav/CacheBuilder.cpp index 4acf598..31483f2 100644 --- a/WebKit/android/nav/CacheBuilder.cpp +++ b/WebKit/android/nav/CacheBuilder.cpp @@ -1672,9 +1672,7 @@ CacheBuilder::FoundState CacheBuilder::FindPartialAddress(const UChar* baseChars // is that suggested this fix. // if (s->mWordCount == 0 && s->mContinuationNode) // return FOUND_NONE; - s->mBases[s->mWordCount] = baseChars; - s->mWords[s->mWordCount] = chars - s->mNumberCount; - s->mStarts[s->mWordCount] = s->mCurrentStart; + s->newWord(baseChars, chars); if (WTF::isASCIILower(ch) && s->mNumberCount == 0) s->mFirstLower = chars; s->mNumberCount = 0; @@ -1722,9 +1720,7 @@ CacheBuilder::FoundState CacheBuilder::FindPartialAddress(const UChar* baseChars s->mNumberWords >>= ++shift; if (s->mBases[0] != s->mBases[shift]) // if we're past the original node, bail break; - memmove(s->mBases, &s->mBases[shift], (sizeof(s->mBases) / sizeof(s->mBases[0]) - shift) * sizeof(s->mBases[0])); - memmove(s->mWords, &s->mWords[shift], (sizeof(s->mWords) / sizeof(s->mWords[0]) - shift) * sizeof(s->mWords[0])); - memmove(s->mStarts, &s->mStarts[shift], (sizeof(s->mStarts) / sizeof(s->mStarts[0]) - shift) * sizeof(s->mStarts[0])); + s->shiftWords(shift); s->mStartResult = s->mWords[0] - s->mStarts[0]; s->mWordCount -= shift; // FIXME: need to adjust lineCount to account for discarded delimiters @@ -1771,9 +1767,7 @@ CacheBuilder::FoundState CacheBuilder::FindPartialAddress(const UChar* baseChars continue; if (s->mWordCount == 0 && s->mContinuationNode) return FOUND_NONE; - s->mBases[s->mWordCount] = baseChars; - s->mWords[s->mWordCount] = chars; - s->mStarts[s->mWordCount] = s->mCurrentStart; + s->newWord(baseChars, chars); s->mNumberWords |= 1 << s->mWordCount; s->mUnparsed = true; } @@ -1796,9 +1790,7 @@ CacheBuilder::FoundState CacheBuilder::FindPartialAddress(const UChar* baseChars case SECOND_HALF: if (WTF::isASCIIAlpha(ch)) { if (s->mLetterCount == 0) { - s->mBases[s->mWordCount] = baseChars; - s->mWords[s->mWordCount] = chars; - s->mStarts[s->mWordCount] = s->mCurrentStart; + s->newWord(baseChars, chars); s->mWordCount++; } s->mLetterCount++; @@ -1917,9 +1909,7 @@ CacheBuilder::FoundState CacheBuilder::FindPartialAddress(const UChar* baseChars s->mZipDelimiter = true; else { if (s->mLetterCount == 0) { - s->mBases[s->mWordCount] = baseChars; - s->mWords[s->mWordCount] = chars; - s->mStarts[s->mWordCount] = s->mCurrentStart; + s->newWord(baseChars, chars); s->mUnparsed = true; } ++s->mLetterCount; @@ -1990,7 +1980,8 @@ CacheBuilder::FoundState CacheBuilder::FindPartialAddress(const UChar* baseChars goto nextTest; abbr = true; } - letter = test[testIndex]; + letter = &test[testIndex] < s->mEnds[wordsIndex] ? + test[testIndex] : ' '; if (WTF::isASCIIAlpha(letter) == false && WTF::isASCIIDigit(letter) == false) { if (s->mNumberWords != 0) { int shift = 0; @@ -2031,9 +2022,7 @@ CacheBuilder::FoundState CacheBuilder::FindPartialAddress(const UChar* baseChars s->mNumberWords >>= ++shift; if (s->mBases[0] != s->mBases[shift]) return FOUND_NONE; - memmove(s->mBases, &s->mBases[shift], (sizeof(s->mBases) / sizeof(s->mBases[0]) - shift) * sizeof(s->mBases[0])); - memmove(s->mWords, &s->mWords[shift], (sizeof(s->mWords) / sizeof(s->mWords[0]) - shift) * sizeof(s->mWords[0])); - memmove(s->mStarts, &s->mStarts[shift], (sizeof(s->mStarts) / sizeof(s->mStarts[0]) - shift) * sizeof(s->mStarts[0])); + s->shiftWords(shift); s->mStartResult = s->mWords[0] - s->mStarts[0]; s->mWordCount -= shift; s->mProgress = ADDRESS_LINE; diff --git a/WebKit/android/nav/CacheBuilder.h b/WebKit/android/nav/CacheBuilder.h index 35bd623..d30cba5 100644 --- a/WebKit/android/nav/CacheBuilder.h +++ b/WebKit/android/nav/CacheBuilder.h @@ -146,6 +146,7 @@ private: const UChar* mZipStart; const UChar* mBases[16]; // FIXME: random guess, maybe too small, maybe too big const UChar* mWords[16]; + const UChar* mEnds[16]; const UChar* mStarts[16]; // text is not necessarily contiguous const char* mStates; int mEndWord; @@ -165,6 +166,22 @@ private: bool mInitialized; bool mContinuationNode; bool mCaseInsensitive; + void shiftWords(int shift) { + memmove(mBases, &mBases[shift], (sizeof(mBases) / + sizeof(mBases[0]) - shift) * sizeof(mBases[0])); + memmove(mWords, &mWords[shift], (sizeof(mWords) / + sizeof(mWords[0]) - shift) * sizeof(mWords[0])); + memmove(mEnds, &mEnds[shift], (sizeof(mEnds) / + sizeof(mEnds[0]) - shift) * sizeof(mEnds[0])); + memmove(mStarts, &mStarts[shift], (sizeof(mStarts) / + sizeof(mStarts[0]) - shift) * sizeof(mStarts[0])); + } + void newWord(const UChar* baseChars, const UChar* chars) { + mBases[mWordCount] = baseChars; + mWords[mWordCount] = chars; + mEnds[mWordCount] = mEnd; + mStarts[mWordCount] = mCurrentStart; + } }; struct ClipColumnTracker { IntRect mBounds; -- cgit v1.1