Apply webit security patch

bug: 4089100
Change-Id: Ibaa52a6bcbbe47f33ec4131051309ed05b05748b

diff --git a/WebCore/dom/StyleElement.cpp b/WebCore/dom/StyleElement.cpp
index f881179..7bec24a 100644 (file)
--- a/WebCore/dom/StyleElement.cpp
+++ b/WebCore/dom/StyleElement.cpp
@@ -64,8 +64,12 @@ void StyleElement::process(Element* e)
     unsigned resultLength = 0;
     for (Node* c = e->firstChild(); c; c = c->nextSibling()) {
         Node::NodeType nodeType = c->nodeType();
-        if (nodeType == Node::TEXT_NODE || nodeType == Node::CDATA_SECTION_NODE || nodeType == Node::COMMENT_NODE)
-            resultLength += c->nodeValue().length();
+        if (nodeType == Node::TEXT_NODE || nodeType == Node::CDATA_SECTION_NODE || nodeType == Node::COMMENT_NODE) {
+            unsigned length = c->nodeValue().length();
+            if (length > std::numeric_limits<unsigned>::max() - resultLength)
+                CRASH();
+            resultLength += length;
+        }
     }
     UChar* text;
     String sheetText = String::createUninitialized(resultLength, text);