[webkit-changes] [WebKit/WebKit] 7ce158: Fix size of aggregates indexed by CSSPropertyID

Kiet Ho noreply at github.com
Sat Feb 22 16:36:54 PST 2025 

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 7ce1585cdfca3841ed6fe9935c731f014423e621
      https://github.com/WebKit/WebKit/commit/7ce1585cdfca3841ed6fe9935c731f014423e621
  Author: Kiet Ho <kiet.ho at apple.com>
  Date:   2025-02-22 (Sat, 22 Feb 2025)

  Changed paths:
    M Source/WebCore/animation/WebAnimationTypes.h
    M Source/WebCore/css/CSSProperty.h
    M Source/WebCore/css/process-css-properties.py
    M Source/WebCore/rendering/style/WillChangeData.h
    M Source/WebCore/style/StyleBuilderState.h

  Log Message:
  -----------
  Fix size of aggregates indexed by CSSPropertyID
https://bugs.webkit.org/show_bug.cgi?id=288168
rdar://145259581

Reviewed by Yusuke Suzuki.

CSSProperty::numCSSProperties (generated by process-css-properties.py)
is not the *total* number of CSS properties defined in the CSSPropertyID
enum. It's rather the number of *real* CSS properties, which excludes
CSSPropertyInvalid and CSSPropertyCustom. Hence numCSSProperties is
always *smaller* than the largest value in CSSPropertyID enum.

Because of the confusing name though, some aggregates (arrays and
WTF::BitSet) in the codebase use this value as the size, and index into
the aggregate using CSSPropertyID values. Therefore, it's possible to
cause an OOB by indexing using a value in CSSPropertyID that's larger
than numCSSProperties. This is done in e.g CSSProperty::isColorProperty.

Fix this by introducing a new variable, cssPropertyIDEnumValueCount,
that accurately describes the number of values defined in
CSSPropertyID (which is also the largest value in the enum, plus 1)
Then change aggregates to use cssPropertyIDEnumValueCount as the size
instead.

* Source/WebCore/animation/WebAnimationTypes.h:
* Source/WebCore/css/CSSProperty.h:
* Source/WebCore/css/process-css-properties.py:
(GenerationContext.generate_property_id_bit_set):
(GenerateCSSPropertyNames._generate_css_property_names_gperf_prelude):
(GenerateCSSPropertyNames):
* Source/WebCore/rendering/style/WillChangeData.h:
* Source/WebCore/style/StyleBuilderState.h:

Canonical link: https://commits.webkit.org/290897@main



To unsubscribe from these emails, change your notification settings at https://github.com/WebKit/WebKit/settings/notifications

More information about the webkit-changes mailing list