[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-9427-gc2be6fc
oliver at apple.com
oliver at apple.com
Wed Dec 22 12:39:10 UTC 2010
The following commit has been merged in the debian/experimental branch:
commit bba67bf1d3cbada4b98f4864886763d125abf0e3
Author: oliver at apple.com <oliver at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Thu Aug 26 19:00:53 2010 +0000
2010-08-25 Oliver Hunt <oliver at apple.com>
Reviewed by Geoffrey Garen.
Improve overflow handling in StringImpl::Replace
https://bugs.webkit.org/show_bug.cgi?id=42502
<rdar://problem/8203794>
Harden StringImpl::replace against overflow -- I can't see how this
could be abused, but it's better to be safe than sorry.
* wtf/text/StringImpl.cpp:
(WTF::StringImpl::replace):
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@66119 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/JavaScriptCore/ChangeLog b/JavaScriptCore/ChangeLog
index a4b4042..487c3d2 100644
--- a/JavaScriptCore/ChangeLog
+++ b/JavaScriptCore/ChangeLog
@@ -1,3 +1,17 @@
+2010-08-25 Oliver Hunt <oliver at apple.com>
+
+ Reviewed by Geoffrey Garen.
+
+ Improve overflow handling in StringImpl::Replace
+ https://bugs.webkit.org/show_bug.cgi?id=42502
+ <rdar://problem/8203794>
+
+ Harden StringImpl::replace against overflow -- I can't see how this
+ could be abused, but it's better to be safe than sorry.
+
+ * wtf/text/StringImpl.cpp:
+ (WTF::StringImpl::replace):
+
2010-08-26 Martin Robinson <mrobinson at igalia.com>
Reviewed by Xan Lopez.
diff --git a/JavaScriptCore/wtf/text/StringImpl.cpp b/JavaScriptCore/wtf/text/StringImpl.cpp
index ab0f009..a667525 100644
--- a/JavaScriptCore/wtf/text/StringImpl.cpp
+++ b/JavaScriptCore/wtf/text/StringImpl.cpp
@@ -31,6 +31,8 @@
#include <wtf/StdLibExtras.h>
#include <wtf/WTFThreadData.h>
+using namespace std;
+
namespace WTF {
using namespace Unicode;
@@ -776,6 +778,10 @@ PassRefPtr<StringImpl> StringImpl::replace(unsigned position, unsigned lengthToR
if (!lengthToReplace && !lengthToInsert)
return this;
UChar* data;
+
+ if ((length() - lengthToReplace) >= (numeric_limits<unsigned>::max() - lengthToInsert))
+ CRASH();
+
PassRefPtr<StringImpl> newImpl =
createUninitialized(length() - lengthToReplace + lengthToInsert, data);
memcpy(data, characters(), position * sizeof(UChar));
@@ -805,9 +811,18 @@ PassRefPtr<StringImpl> StringImpl::replace(UChar pattern, StringImpl* replacemen
if (!matchCount)
return this;
+ if (repStrLength && matchCount > numeric_limits<unsigned>::max() / repStrLength)
+ CRASH();
+
+ unsigned replaceSize = matchCount * repStrLength;
+ unsigned newSize = m_length - matchCount;
+ if (newSize >= (numeric_limits<unsigned>::max() - replaceSize))
+ CRASH();
+
+ newSize += replaceSize;
+
UChar* data;
- PassRefPtr<StringImpl> newImpl =
- createUninitialized(m_length - matchCount + (matchCount * repStrLength), data);
+ PassRefPtr<StringImpl> newImpl = createUninitialized(newSize, data);
// Construct the new data
size_t srcSegmentEnd;
@@ -855,9 +870,17 @@ PassRefPtr<StringImpl> StringImpl::replace(StringImpl* pattern, StringImpl* repl
if (!matchCount)
return this;
+ unsigned newSize = m_length - matchCount * patternLength;
+ if (repStrLength && matchCount > numeric_limits<unsigned>::max() / repStrLength)
+ CRASH();
+
+ if (newSize > (numeric_limits<unsigned>::max() - matchCount * repStrLength))
+ CRASH();
+
+ newSize += matchCount * repStrLength;
+
UChar* data;
- PassRefPtr<StringImpl> newImpl =
- createUninitialized(m_length + matchCount * (repStrLength - patternLength), data);
+ PassRefPtr<StringImpl> newImpl = createUninitialized(newSize, data);
// Construct the new data
size_t srcSegmentEnd;
--
WebKit Debian packaging
More information about the Pkg-webkit-commits
mailing list