commit 0433734318551aac3b7b82b9d8ab5d485d7d0439
author Steve Block <steveblock@google.com> Thu Aug 05 12:12:56 2010 +0100
committer android-build SharedAccount <android-build@sekiwake.mtv.corp.google.com> Wed Aug 18 00:07:00 2010 -0700
tree 6a7ac7827d98f9b434a0961a00d13bc6fef6bdb0
parent 88ea388f2d61fc4e081b3b4f077cd5f5acd296a1

Cherry-pick WebKit change 61921 to fix exploitable memory corruption in RenderBoxModelObject

Bug: 2895569
Change-Id: Iea09dc4fdc35e68ccad36deed2132f02e3778e34

WebCore/platform/text/BidiResolver.h

diff --git a/WebCore/platform/text/BidiResolver.h b/WebCore/platform/text/BidiResolver.h
index 286cdcd..a99fd01 100644
--- a/WebCore/platform/text/BidiResolver.h
+++ b/WebCore/platform/text/BidiResolver.h
@@ -806,35 +806,33 @@
             break;
         }
 
-        if (pastEnd) {
-            if (eor == current) {
-                if (!reachedEndOfLine) {
-                    eor = endOfLine;
-                    switch (m_status.eor) {
-                        case LeftToRight:
-                        case RightToLeft:
-                        case ArabicNumber:
-                            m_direction = m_status.eor;
-                            break;
-                        case EuropeanNumber:
-                            m_direction = m_status.lastStrong == LeftToRight ? LeftToRight : EuropeanNumber;
-                            break;
-                        default:
-                            ASSERT(false);
-                    }
-                    appendRun();
+        if (pastEnd && eor == current) {
+            if (!reachedEndOfLine) {
+                eor = endOfLine;
+                switch (m_status.eor) {
+                    case LeftToRight:
+                    case RightToLeft:
+                    case ArabicNumber:
+                        m_direction = m_status.eor;
+                        break;
+                    case EuropeanNumber:
+                        m_direction = m_status.lastStrong == LeftToRight ? LeftToRight : EuropeanNumber;
+                        break;
+                    default:
+                        ASSERT(false);
                 }
-                current = end;
-                m_status = stateAtEnd.m_status;
-                sor = stateAtEnd.sor; 
-                eor = stateAtEnd.eor;
-                last = stateAtEnd.last;
-                reachedEndOfLine = stateAtEnd.reachedEndOfLine;
-                lastBeforeET = stateAtEnd.lastBeforeET;
-                emptyRun = stateAtEnd.emptyRun;
-                m_direction = OtherNeutral;
-                break;
+                appendRun();
             }
+            current = end;
+            m_status = stateAtEnd.m_status;
+            sor = stateAtEnd.sor; 
+            eor = stateAtEnd.eor;
+            last = stateAtEnd.last;
+            reachedEndOfLine = stateAtEnd.reachedEndOfLine;
+            lastBeforeET = stateAtEnd.lastBeforeET;
+            emptyRun = stateAtEnd.emptyRun;
+            m_direction = OtherNeutral;
+            break;
         }
 
         // set m_status.last as needed.
@@ -887,8 +885,21 @@
         }
 
         increment();
-        if (!m_currentExplicitEmbeddingSequence.isEmpty())
+        if (!m_currentExplicitEmbeddingSequence.isEmpty()) {
             commitExplicitEmbedding();
+            if (pastEnd) {
+                current = end;
+                m_status = stateAtEnd.m_status;
+                sor = stateAtEnd.sor; 
+                eor = stateAtEnd.eor;
+                last = stateAtEnd.last;
+                reachedEndOfLine = stateAtEnd.reachedEndOfLine;
+                lastBeforeET = stateAtEnd.lastBeforeET;
+                emptyRun = stateAtEnd.emptyRun;
+                m_direction = OtherNeutral;
+                break;
+            }
+        }
 
         if (emptyRun && (dirCurrent == RightToLeftEmbedding
                 || dirCurrent == LeftToRightEmbedding