am 68c22180: Apply webit security patch

* commit '68c221808cf7a4776ba8feae02611d3c78e9f857':
  Apply webit security patch

diff --git a/WebCore/dom/StyleElement.cpp b/WebCore/dom/StyleElement.cpp
index f881179..7bec24a 100644 (file)
--- a/WebCore/dom/StyleElement.cpp
+++ b/WebCore/dom/StyleElement.cpp
@@ -64,8 +64,12 @@ void StyleElement::process(Element* e)
     unsigned resultLength = 0;
     for (Node* c = e->firstChild(); c; c = c->nextSibling()) {
         Node::NodeType nodeType = c->nodeType();
-        if (nodeType == Node::TEXT_NODE || nodeType == Node::CDATA_SECTION_NODE || nodeType == Node::COMMENT_NODE)
-            resultLength += c->nodeValue().length();
+        if (nodeType == Node::TEXT_NODE || nodeType == Node::CDATA_SECTION_NODE || nodeType == Node::COMMENT_NODE) {
+            unsigned length = c->nodeValue().length();
+            if (length > std::numeric_limits<unsigned>::max() - resultLength)
+                CRASH();
+            resultLength += length;
+        }
     }
     UChar* text;
     String sheetText = String::createUninitialized(resultLength, text);