2011-03-10 Chris Evans <cevans@chromium.org>

        Reviewed by Adam Barth.

        Error in StyleElement::process with large nodesets
        https://bugs.webkit.org/show_bug.cgi?id=56150

        Test: none due to excessive runtime and CRASH() vs. real crash.

        * dom/StyleElement.cpp:
        (WebCore::StyleElement::process): Handle large node sets better.


git-svn-id: svn://svn.chromium.org/blink/trunk@80787 bbb929c8-8fbe-4397-9dbb-9b2b20218538

third_party/WebKit/Source/WebCore/ChangeLog

+2011-03-10  Chris Evans  <cevans@chromium.org>
+
+        Reviewed by Adam Barth.
+
+        Error in StyleElement::process with large nodesets
+        https://bugs.webkit.org/show_bug.cgi?id=56150
+
+        Test: none due to excessive runtime and CRASH() vs. real crash.
+
+        * dom/StyleElement.cpp:
+        (WebCore::StyleElement::process): Handle large node sets better.
+
 2011-03-10  David Hyatt  <hyatt@apple.com>
 
         Reviewed by Simon Fraser.

third_party/WebKit/Source/WebCore/dom/StyleElement.cpp

@@ -101,8 +101,12 @@ void StyleElement::process(Element* e)
 
     unsigned resultLength = 0;
     for (Node* c = e->firstChild(); c; c = c->nextSibling()) {
-        if (isValidStyleChild(c))
-            resultLength += c->nodeValue().length();
+        if (isValidStyleChild(c)) {
+            unsigned length = c->nodeValue().length();
+            if (length > std::numeric_limits<unsigned>::max() - resultLength)
+                CRASH();
+            resultLength += length;
+        }
     }
     UChar* text;
     String sheetText = String::createUninitialized(resultLength, text);