blink: prevent bitarray overflow

While attempting to add a new css property, I ran into ASSERT_WITH_SECURITY_IMPLICATION(index < arraySize) while calling CSSAnimations::calculateTransitionUpdate. It looks like we normally don't include CSSPropertyInvalid, and use firstCSSProperty to offset the index. I've done the same here. Review URL: https://codereview.chromium.org/1308053002 git-svn-id: svn://svn.chromium.org/blink/trunk@201080 bbb929c8-8fbe-4397-9dbb-9b2b20218538

blink: prevent bitarray overflow
While attempting to add a new css property, I ran into ASSERT_WITH_SECURITY_IMPLICATION(index < arraySize) while calling CSSAnimations::calculateTransitionUpdate. It looks like we normally don't include CSSPropertyInvalid, and use firstCSSProperty to offset the index. I've done the same here. Review URL: https://codereview.chromium.org/1308053002 git-svn-id: svn://svn.chromium.org/blink/trunk@201080 bbb929c8-8fbe-4397-9dbb-9b2b20218538
07a4a181 · hendrikw@chromium.org · 497d9415 · 07a4a181
Commit 07a4a181 authored Aug 25, 2015 by hendrikw@chromium.org
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 2 deletions

third_party/WebKit/Source/core/animation/css/CSSAnimations.cpp ..._party/WebKit/Source/core/animation/css/CSSAnimations.cpp +3 -2

No files found.
--- a/third_party/WebKit/Source/core/animation/css/CSSAnimations.cpp
+++ b/third_party/WebKit/Source/core/animation/css/CSSAnimations.cpp
@@ -551,10 +551,11 @@ void CSSAnimations::calculateTransitionUpdate(CSSAnimationUpdate& update, const
            // If not a shorthand we only execute one iteration of this loop, and refer to the property directly.
            for (unsigned j = 0; !j || j < propertyList.length(); ++j) {
                CSSPropertyID id = propertyList.length() ? propertyList.properties()[j] : property;
+                ASSERT(id >= firstCSSProperty);

                if (!animateAll) {
                    if (CSSPropertyMetadata::isInterpolableProperty(id))
-                        listedProperties.set(id);
+                        listedProperties.set(id - firstCSSProperty);
                    else
                        continue;
                }
@@ -573,7 +574,7 @@ void CSSAnimations::calculateTransitionUpdate(CSSAnimationUpdate& update, const
    if (activeTransitions) {
        for (const auto& entry : *activeTransitions) {
            CSSPropertyID id = entry.key;
-            if (!anyTransitionHadTransitionAll && !animationStyleRecalc && !listedProperties.get(id)) {
+            if (!anyTransitionHadTransitionAll && !animationStyleRecalc && !listedProperties.get(id - firstCSSProperty)) {
                // TODO: Figure out why this fails on Chrome OS login page. crbug.com/365507
                // ASSERT(animation.playStateInternal() == Animation::Finished || !(elementAnimations && elementAnimations->isAnimationStyleChange()));
                update.cancelTransition(id);