<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[185095] trunk</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/185095">185095</a></dd>
<dt>Author</dt> <dd>mmaxfield@apple.com</dd>
<dt>Date</dt> <dd>2015-06-01 19:10:05 -0700 (Mon, 01 Jun 2015)</dd>
</dl>
<h3>Log Message</h3>
<pre>Out of bounds read in WebCore::ComplexTextController::adjustGlyphsAndAdvances
https://bugs.webkit.org/show_bug.cgi?id=145537
<rdar://problem/20959267>
Reviewed by Darin Adler.
Source/WebCore:
U16_IS_SURROGATE_LEAD(ch) assumes U16_IS_SURROGATE(ch). In this case, that isn't true.
Test: fast/text/crash-complex-text-surrogate.html
* platform/graphics/mac/ComplexTextController.cpp:
(WebCore::ComplexTextController::adjustGlyphsAndAdvances):
LayoutTests:
* fast/text/crash-complex-text-surrogate.html: Added.
* platform/mac/fast/text/crash-complex-text-surrogate-expected.txt: Added.</pre>
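As an added illustration of the ChangeLog's point (example code, not WebKit's; the ICU macros are re-declared locally and assumed to match ICU's utf16.h), the pre-patch and patched `lastCharacter` tests side by side, run over a constructed run in which the non-surrogate U+202B from the layout test is followed by U+0400:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Local re-declarations of the ICU utf16.h macros used in the patch
 * (assumption: they match ICU's definitions; declared here so the example
 * builds without ICU). Note the precondition on the SURROGATE_* forms. */
#define U16_IS_LEAD(c)            (((c) & 0xfffffc00) == 0xd800)
#define U16_IS_TRAIL(c)           (((c) & 0xfffffc00) == 0xdc00)
#define U16_IS_SURROGATE(c)       (((c) & 0xfffff800) == 0xd800)
#define U16_IS_SURROGATE_LEAD(c)  (((c) & 0x400) == 0)  /* valid only if U16_IS_SURROGATE(c) */
#define U16_IS_SURROGATE_TRAIL(c) (((c) & 0x400) != 0)  /* valid only if U16_IS_SURROGATE(c) */

/* Pre-patch test: applies U16_IS_SURROGATE_LEAD to a unit that may not be a
 * surrogate at all, so any BMP unit with bit 0x400 clear passes as a "lead". */
static bool last_character_old(const uint16_t *cp, size_t characterIndex, size_t length)
{
    uint16_t ch = cp[characterIndex];
    /* cp[characterIndex + 1] is only read after the length check succeeds. */
    return characterIndex + 1 == length
        || (U16_IS_SURROGATE_LEAD(ch) && characterIndex + 2 == length
            && U16_IS_SURROGATE_TRAIL(cp[characterIndex + 1]));
}

/* Patched test: U16_IS_LEAD / U16_IS_TRAIL check the full 0xD800..0xDBFF and
 * 0xDC00..0xDFFF ranges, so a non-surrogate never enters the pair branch. */
static bool last_character_new(const uint16_t *cp, size_t characterIndex, size_t length)
{
    uint16_t ch = cp[characterIndex];
    return characterIndex + 1 == length
        || (U16_IS_LEAD(ch) && characterIndex + 2 == length
            && U16_IS_TRAIL(cp[characterIndex + 1]));
}

/* Constructed inputs: RIGHT-TO-LEFT EMBEDDING (U+202B) followed by U+0400
 * (bit 0x400 set, not a surrogate), and a genuine surrogate pair. */
static const uint16_t kRleRun[]  = { 'a', 'b', 0x202B, 0x0400 };
static const uint16_t kPairRun[] = { 'a', 0xD83D, 0xDE00 };   /* 'a' + U+1F600 */

int main(void)
{
    printf("U+202B before U+0400: old=%d new=%d\n",
           last_character_old(kRleRun, 2, 4), last_character_new(kRleRun, 2, 4));
    printf("lead of U+1F600:      old=%d new=%d\n",
           last_character_old(kPairRun, 1, 3), last_character_new(kPairRun, 1, 3));
    return 0;
}
```

The old test reports U+202B at index 2 as the last character (a bogus pair with U+0400), while the patched test does not; both agree on the real pair.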
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsChangeLog">trunk/LayoutTests/ChangeLog</a></li>
<li><a href="#trunkSourceWebCoreChangeLog">trunk/Source/WebCore/ChangeLog</a></li>
<li><a href="#trunkSourceWebCoreplatformgraphicsmacComplexTextControllercpp">trunk/Source/WebCore/platform/graphics/mac/ComplexTextController.cpp</a></li>
</ul>
<h3>Added Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsfasttextcrashcomplextextsurrogatehtml">trunk/LayoutTests/fast/text/crash-complex-text-surrogate.html</a></li>
<li><a href="#trunkLayoutTestsplatformmacfasttextcrashcomplextextsurrogateexpectedtxt">trunk/LayoutTests/platform/mac/fast/text/crash-complex-text-surrogate-expected.txt</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/ChangeLog (185094 => 185095)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/ChangeLog        2015-06-02 01:53:45 UTC (rev 185094)
+++ trunk/LayoutTests/ChangeLog        2015-06-02 02:10:05 UTC (rev 185095)
</span><span class="lines">@@ -1,3 +1,14 @@
</span><ins>+2015-06-01 Myles C. Maxfield <mmaxfield@apple.com>
+
+ Out of bounds read in WebCore::ComplexTextController::adjustGlyphsAndAdvances
+ https://bugs.webkit.org/show_bug.cgi?id=145537
+ <rdar://problem/20959267>
+
+ Reviewed by Darin Adler.
+
+ * fast/text/crash-complex-text-surrogate.html: Added.
+ * platform/mac/fast/text/crash-complex-text-surrogate-expected.txt: Added.
+
</ins><span class="cx"> 2015-05-30 Zalan Bujtas <zalan@apple.com>
</span><span class="cx">
</span><span class="cx"> REGRESSION (179771): zooming on facebook images covers image
</span></span></pre></div>
<a id="trunkLayoutTestsfasttextcrashcomplextextsurrogatehtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/fast/text/crash-complex-text-surrogate.html (0 => 185095)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/fast/text/crash-complex-text-surrogate.html         (rev 0)
+++ trunk/LayoutTests/fast/text/crash-complex-text-surrogate.html        2015-06-02 02:10:05 UTC (rev 185095)
</span><span class="lines">@@ -0,0 +1,88 @@
</span><ins>+<!DOCTYPE html>
+<html id="webtest0">
+<head id="webtest1">
+<script id="webtest2" type="text/javascript">
+
+function boom()
+{
+ var y = document.createTextNode('Y');
+ document.body.insertBefore(y, document.getElementById("v").nextSibling);
+}
+
+</script>
+</head>
+
+<body class="wf_class0" id="webtest3" onload="boom();" style="-moz-column-count: 2; width: 10ch; letter-spacing: 1px; font-family: monospace;">
+This test passes if you can open the file without a crash.
+<div class="wf_class0" style="background: lightblue; float: right; height: 14em; width: 1ch;" id="v"></div>a bcd<span id="webtest4">&#x202B;X</span>
+</body>
+<script>
+function webtest_fn_1() {
+try {
+delete document.scripts[3].toString();
+} catch(e) {
+ document.write("Errlog webtest_fn_1: " + e.name + ": " + e.message + "<br><acronym></acronym>");
+}
+}
+webtest_fn_1();
+</script>
+<script>
+function webtest_fn_2() {
+var s = "{,}\ua888{0}\P{P}\\7H\\8";
+var f = "gi";
+document.write("s is: " +s + "<br> f is: " + f + "<br>");
+var r = new RegExp(s, f);
+document.forms[0].outerHTML.search(r);
+r.compile(s, f);
+document.getElementById("webtest1").outerHTML.match(r);
+document.styleSheets[3].outerHTML.replace(r, "replacement");
+r.test(s);
+r.exec(s);
+}
+webtest_fn_2();
+</script>
+<script>
+function webtest_fn_3() {
+try {
+var head = document.getElementsByTagName("head")[0];
+var style = document.createElement("style");
+style.innerHTML="#wf_class0 { \n\
+-webkit-animation-name: name1; \n\
+-webkit-animation-duration: 1s; \n\
+-webkit-animation: none; \n\
+-webkit-animation-delay: now; \n\
+} \n\
+@-webkit-keyframes name1 { \n\
+ from { \n\
+ -webkit-mask-size: -4096%; \n\
+ background-image: -webkit-cross-fade(url(&#x0056;&#x00e8;&#x0055;&#x1e52;&#x02e3;&#x000f;&#xbe6d;&#x02c7;&#x006c;&#x22c4;&#x00b9;&#x02a1;&#x01f3;&#x00c1;&#x01dc;&#x0293;&#x001f;&#x0092;&#x0298;&#x07bb;&#xbfae;&#x0171;&#x0034;&#x024d;&#x010c;&#x016e;&#x0132;&#x01d6;&#x02d9;&#x00f1;&#x01ff;&#x02f5;&#x02b1;&#x39a6;&#x022e;&#x01c7;&#x024f;&#x0093;&#x002e;&#x00f5;&#x0221;&#xfac5;&#x0164;&#x2a35;&#x00ad;&#x02cd;&#x02dc;&#x00af;&#x0161;&#x0195;&#x018e;), url(text), 99%); \n\
+ } \n\
+ to { \n\
+ -webkit-mask-size: 32767in; \n\
+ background-image: none; \n\
+ } \n\
+} \n\
+";
+head.appendChild(style);
+} catch(e) {
+ document.write("Errlog webtest_fn_3: " + e.name + ": " + e.message + "<br><sub/>");
+}
+}
+webtest_fn_3();
+</script>
+<script>
+function webtest_fn_4() {
+try {
+var scroll_81 = document.createElement("bdo");
+scroll_81.setAttribute("id", "webtest8");
+document.querySelector("plaintext:first-of-type ~ *|:out-of-range").insertBefore(scroll_81, document.querySelector("plaintext:first-of-type ~ *|:out-of-range").childNodes[9]);
+scroll_81.setAttribute("style", "overflow: scroll");
+scroll_81.scrollLeft = 0;
+scroll_81.scrolltop = 0xffffffff;
+} catch(e) {
+ document.write("Errlog webtest_fn_4: " + e.name + ": " + e.message + "<br>");
+}
+}
+webtest_fn_4();
+</script>
+</html>
</ins></span></pre></div>
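Review bot: the test file is an unreduced fuzzer case; the four trailing webtest_fn_* scripts (the `delete document.scripts[3].toString()` call, the RegExp run over `document.forms[0].outerHTML`, the injected `@-webkit-keyframes` stylesheet and the `plaintext:first-of-type ~ *|:out-of-range` query) have nothing to do with the surrogate handling in adjustGlyphsAndAdvances, and `-moz-column-count` on the body is not a WebKit property. Consider reducing the test to the `<body>` with the float, the `&#x202B;X` span and the `boom()` insertion so that the expected result is not dominated by unrelated TypeError output.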
<a id="trunkLayoutTestsplatformmacfasttextcrashcomplextextsurrogateexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/platform/mac/fast/text/crash-complex-text-surrogate-expected.txt (0 => 185095)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/platform/mac/fast/text/crash-complex-text-surrogate-expected.txt         (rev 0)
+++ trunk/LayoutTests/platform/mac/fast/text/crash-complex-text-surrogate-expected.txt        2015-06-02 02:10:05 UTC (rev 185095)
</span><span class="lines">@@ -0,0 +1,60 @@
</span><ins>+CONSOLE MESSAGE: line 35: TypeError: undefined is not an object (evaluating 'document.forms[0].outerHTML')
+layer at (0,0) size 785x693
+ RenderView at (0,0) size 785x600
+layer at (0,0) size 785x693
+ RenderBlock {HTML} at (0,0) size 785x693
+ RenderBody {BODY} at (8,8) size 78x677
+ RenderText {#text} at (0,0) size 71x120
+ text run at (0,0) width 36: "This"
+ text run at (0,15) width 36: "test"
+ text run at (0,30) width 53: "passes"
+ text run at (0,45) width 53: "if you"
+ text run at (0,60) width 71: "can open"
+ text run at (0,75) width 71: "the file"
+ text run at (0,90) width 62: "without"
+ text run at (0,105) width 71: "a crash."
+ RenderBlock (floating) {DIV} at (70,120) size 8x182 [bgcolor=#ADD8E6]
+ RenderText {#text} at (0,120) size 9x15
+ text run at (0,120) width 9: "Y"
+ RenderText {#text} at (8,120) size 45x15
+ text run at (8,120) width 45: "a bcd"
+ RenderInline {SPAN} at (0,0) size 10x15
+ RenderText {#text} at (52,120) size 10x15
+ text run at (52,120) width 10: "\x{202B}X"
+ RenderText {#text} at (0,0) size 0x0
+ RenderText {#text} at (0,135) size 273x287
+ text run at (0,135) width 53: "Errlog"
+ text run at (0,302) width 115: "webtest_fn_1:"
+ text run at (0,317) width 89: "TypeError:"
+ text run at (0,332) width 80: "undefined"
+ text run at (0,347) width 53: "is not"
+ text run at (0,362) width 18: "an"
+ text run at (0,377) width 53: "object"
+ text run at (0,392) width 97: "(evaluating"
+ text run at (0,407) width 273: "'document.scripts[3].toString')"
+ RenderBR {BR} at (0,0) size 0x0
+ RenderInline {ACRONYM} at (0,0) size 0x0
+ RenderText {#text} at (0,0) size 0x0
+ RenderText {#text} at (0,422) size 115x45
+ text run at (0,422) width 45: "s is:"
+ text run at (0,437) width 27: "{,}"
+ text run at (0,452) width 115: "\x{A888}{0}P{P}\\7H\\8"
+ RenderBR {BR} at (0,0) size 0x0
+ RenderText {#text} at (0,467) size 71x15
+ text run at (0,467) width 71: "f is: gi"
+ RenderBR {BR} at (70,467) size 1x15
+ RenderText {#text} at (0,482) size 361x195
+ text run at (0,482) width 53: "Errlog"
+ text run at (0,497) width 115: "webtest_fn_4:"
+ text run at (0,512) width 89: "TypeError:"
+ text run at (0,527) width 62: "null is"
+ text run at (0,542) width 53: "not an"
+ text run at (0,557) width 53: "object"
+ text run at (0,572) width 97: "(evaluating"
+ text run at (0,587) width 361: "'document.querySelector(\"plaintext:first-"
+ text run at (0,602) width 62: "of-type"
+ text run at (0,617) width 9: "~"
+ text run at (0,632) width 62: "*|:out-"
+ text run at (0,647) width 27: "of-"
+ text run at (0,662) width 194: "range\").insertBefore')"
+ RenderBR {BR} at (0,0) size 0x0
</ins></span></pre></div>
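Review bot: the expected result is a mac-only render tree dump that bakes in pixel geometry and the `CONSOLE MESSAGE: line 35: TypeError` from the unrelated script, so any layout or error-message change will turn this crash test red. Since the pass condition is simply "no crash", calling `testRunner.dumpAsText()` from the test and checking in a plain text expectation outside `platform/mac/` would be more robust.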
<a id="trunkSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/ChangeLog (185094 => 185095)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ChangeLog        2015-06-02 01:53:45 UTC (rev 185094)
+++ trunk/Source/WebCore/ChangeLog        2015-06-02 02:10:05 UTC (rev 185095)
</span><span class="lines">@@ -1,3 +1,18 @@
</span><ins>+2015-06-01 Myles C. Maxfield <mmaxfield@apple.com>
+
+ Out of bounds read in WebCore::ComplexTextController::adjustGlyphsAndAdvances
+ https://bugs.webkit.org/show_bug.cgi?id=145537
+ <rdar://problem/20959267>
+
+ Reviewed by Darin Adler.
+
+ U16_IS_SURROGATE_LEAD(ch) assumes U16_IS_SURROGATE(ch). In this case, that isn't true.
+
+ Test: fast/text/crash-complex-text-surrogate.html
+
+ * platform/graphics/mac/ComplexTextController.cpp:
+ (WebCore::ComplexTextController::adjustGlyphsAndAdvances):
+
</ins><span class="cx"> 2015-05-30 Zalan Bujtas <zalan@apple.com>
</span><span class="cx">
</span><span class="cx"> REGRESSION (179771): zooming on facebook images covers image
</span></span></pre></div>
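Review bot: the ChangeLog entry only explains the `U16_IS_SURROGATE_LEAD` to `U16_IS_LEAD` change, but the same line in ComplexTextController.cpp also replaces `m_run.length()` with `complexTextRun.stringLength()` on both comparisons; please add a sentence saying why the bound changes, since it alters which length `characterIndex` is checked against.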
<a id="trunkSourceWebCoreplatformgraphicsmacComplexTextControllercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/platform/graphics/mac/ComplexTextController.cpp (185094 => 185095)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/platform/graphics/mac/ComplexTextController.cpp        2015-06-02 01:53:45 UTC (rev 185094)
+++ trunk/Source/WebCore/platform/graphics/mac/ComplexTextController.cpp        2015-06-02 02:10:05 UTC (rev 185095)
</span><span class="lines">@@ -682,7 +682,7 @@
</span><span class="cx"> if (advance.width)
</span><span class="cx"> advance.width += m_font.letterSpacing();
</span><span class="cx">
</span><del>- bool lastCharacter = static_cast<unsigned>(characterIndex + 1) == m_run.length() || (U16_IS_SURROGATE_LEAD(ch) && static_cast<unsigned>(characterIndex + 2) == m_run.length() && U16_IS_SURROGATE_TRAIL(*(cp + characterIndex + 1)));
</del><ins>+ bool lastCharacter = static_cast<unsigned>(characterIndex + 1) == complexTextRun.stringLength() || (U16_IS_LEAD(ch) && static_cast<unsigned>(characterIndex + 2) == complexTextRun.stringLength() && U16_IS_TRAIL(*(cp + characterIndex + 1)));
</ins><span class="cx">
</span><span class="cx"> bool forceLeadingExpansion = false; // On the left, regardless of m_run.ltr()
</span><span class="cx"> bool forceTrailingExpansion = false; // On the right, regardless of m_run.ltr()
</span></span></pre>
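Review bot: the read of `*(cp + characterIndex + 1)` stays in bounds only because `static_cast<unsigned>(characterIndex + 2) == complexTextRun.stringLength()` precedes it in the `&&` chain; a short comment on that ordering, or an `ASSERT(characterIndex + 1 < complexTextRun.stringLength())` beside the read, would keep a later reordering from reintroducing the out-of-bounds read. The macro swap itself is correct: `U16_IS_LEAD` / `U16_IS_TRAIL` carry their own range check, whereas the `U16_IS_SURROGATE_*` forms assume the unit is already known to be a surrogate, as the ChangeLog states.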
</div>
</div>
</body>
</html>