Bug 83751 - [Chromium] The size of glyphStorage should be passed to substituteWithVerticalGlyphs()
Summary: [Chromium] The size of glyphStorage should be passed to substituteWithVertica...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Platform (show other bugs)
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Kenichi Ishibashi
URL: http://crbug.com/122585
Keywords:
Depends on:
Blocks:
 
Reported: 2012-04-12 00:32 PDT by Kenichi Ishibashi
Modified: 2012-04-12 01:49 PDT (History)
4 users (show)

See Also:


Attachments
Patch (1.55 KB, patch)
2012-04-12 00:38 PDT, Kenichi Ishibashi
no flags Details | Formatted Diff | Diff
Patch (1.65 KB, patch)
2012-04-12 01:10 PDT, Kenichi Ishibashi
no flags Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Kenichi Ishibashi 2012-04-12 00:32:48 PDT
GlyphPage::fill() in GlyphPageTreeNodeSkia.cpp calls substituteWithVerticalGlyphs() with wrong buffer length. The last argument should be the length of |glyphStorage|.
Comment 1 Kenichi Ishibashi 2012-04-12 00:38:04 PDT
Created attachment 136838 [details]
Patch
Comment 2 Kenichi Ishibashi 2012-04-12 00:41:33 PDT
Kent-san, Tony,

Could you take a look?
Comment 3 Kent Tamura 2012-04-12 00:49:14 PDT
Comment on attachment 136838 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=136838&action=review

> Source/WebCore/ChangeLog:3
> +        [Chromium] Fix OOB in substituteWithVerticalGlyphs()

"OOB" sounds like a security bug.

> Source/WebCore/ChangeLog:11
> +        No new tests. No behavior change.

Really? This patch looks a fix of a problem.
Comment 4 Kenichi Ishibashi 2012-04-12 01:01:16 PDT
Comment on attachment 136838 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=136838&action=review

>> Source/WebCore/ChangeLog:3
>> +        [Chromium] Fix OOB in substituteWithVerticalGlyphs()
> 
> "OOB" sounds like a security bug.

I agree. I'll change the title

>> Source/WebCore/ChangeLog:11
>> +        No new tests. No behavior change.
> 
> Really? This patch looks a fix of a problem.

You are right. However, I can't figure out how to test the fix. We can see the crash when we use ASAN-enabled chromium, but without ASAN, we can't see any difference at layout test level. Do you think changing the comment to describe why this patch lacks tests is enough?
Comment 5 Kent Tamura 2012-04-12 01:06:50 PDT
(In reply to comment #4)
>  Do you think changing the comment to describe why this patch lacks tests is enough?

I think so.
Comment 6 Kenichi Ishibashi 2012-04-12 01:10:09 PDT
Created attachment 136844 [details]
Patch
Comment 7 Kenichi Ishibashi 2012-04-12 01:10:45 PDT
(In reply to comment #5)
> (In reply to comment #4)
> >  Do you think changing the comment to describe why this patch lacks tests is enough?
> 
> I think so.

Thanks. I've updated the patch.
Comment 8 Kent Tamura 2012-04-12 01:11:45 PDT
Comment on attachment 136844 [details]
Patch

ok
Comment 9 WebKit Review Bot 2012-04-12 01:49:21 PDT
Comment on attachment 136844 [details]
Patch

Clearing flags on attachment: 136844

Committed r113951: <http://trac.webkit.org/changeset/113951>
Comment 10 WebKit Review Bot 2012-04-12 01:49:25 PDT
All reviewed patches have been landed.  Closing bug.