
Unified Diff: third_party/WebKit/Source/core/css/parser/CSSSelectorParser.cpp

Issue 2191253002: Prevent integer overflows in ANPlusB handling (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Remove longs Created 4 years, 4 months ago
Index: third_party/WebKit/Source/core/css/parser/CSSSelectorParser.cpp
diff --git a/third_party/WebKit/Source/core/css/parser/CSSSelectorParser.cpp b/third_party/WebKit/Source/core/css/parser/CSSSelectorParser.cpp
index 3812e28f332de01fa2174a488be78f47dfb76f4e..e7f1ded790eb35897c8cc746936827eba5d268d4 100644
--- a/third_party/WebKit/Source/core/css/parser/CSSSelectorParser.cpp
+++ b/third_party/WebKit/Source/core/css/parser/CSSSelectorParser.cpp
@@ -642,7 +642,7 @@ bool CSSSelectorParser::consumeANPlusB(CSSParserTokenRange& range, std::pair<int
{
const CSSParserToken& token = range.consume();
if (token.type() == NumberToken && token.numericValueType() == IntegerValueType) {
- result = std::make_pair(0, static_cast<int>(token.numericValue()));
+ result = std::make_pair(0, clampTo<int>(token.numericValue()));
return true;
}
if (token.type() == IdentToken) {
@@ -664,7 +664,7 @@ bool CSSSelectorParser::consumeANPlusB(CSSParserTokenRange& range, std::pair<int
result.first = 1;
nString = range.consume().value().toString();
} else if (token.type() == DimensionToken && token.numericValueType() == IntegerValueType) {
- result.first = token.numericValue();
+ result.first = clampTo<int>(token.numericValue());
nString = token.value().toString();
} else if (token.type() == IdentToken) {
if (token.value()[0] == '-') {
@@ -710,9 +710,13 @@ bool CSSSelectorParser::consumeANPlusB(CSSParserTokenRange& range, std::pair<int
return false;
if ((b.numericSign() == NoSign) == (sign == NoSign))
return false;
- result.second = b.numericValue();
- if (sign == MinusSign)
+ result.second = clampTo<int>(b.numericValue());
+ if (sign == MinusSign) {
+ // Negating minimum integer returns itself, instead return max integer.
+ if (UNLIKELY(result.second == std::numeric_limits<int>::min()))
+ result.second = std::numeric_limits<int>::max();
result.second = -result.second;
+ }
return true;
}
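Review bot: The INT_MIN guard in the `sign == MinusSign` branch has no `else`, so after it sets `result.second` to `std::numeric_limits<int>::max()` the next line `result.second = -result.second;` still runs and the stored value becomes `-INT_MAX`, not the max integer the comment promises. Put the negation in the other arm, `else result.second = -result.second;`, or reword the comment to state the result that is actually intended. The comment would also be more accurate if it said that negating the minimum int is signed overflow (undefined behaviour) rather than that it "returns itself". The check just above requires `b` to carry no sign whenever `sign` is set, so the clamped value is presumably never negative here and the guard may be unreachable. That depends on the part of consumeANPlusB outside this hunk and is worth confirming.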
