[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-9427-gc2be6fc
cevans at google.com
Wed Dec 22 14:26:38 UTC 2010
The following commit has been merged in the debian/experimental branch:
commit 30937da8ae4f84b0aaac08acd588d92df74efc4e
Author: cevans at google.com <cevans at google.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Fri Oct 8 19:38:12 2010 +0000
2010-10-08 Chris Evans <cevans at google.com>
Reviewed by David Levin.
https://bugs.webkit.org/show_bug.cgi?id=47393
Use unsigned consistently to check for max StringImpl length.
Add a few integer overflow checks.
Uses the existing paradigm of CRASH() when we can't reasonably handle a crazily large request.
* wtf/text/WTFString.cpp:
* wtf/text/StringImpl.h:
* wtf/text/StringImpl.cpp:
Better use of size_t vs. unsigned; check for integer overflows.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@69414 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/JavaScriptCore/ChangeLog b/JavaScriptCore/ChangeLog
index a0b4787..1c439aa 100644
--- a/JavaScriptCore/ChangeLog
+++ b/JavaScriptCore/ChangeLog
@@ -1,3 +1,18 @@
+2010-10-08 Chris Evans <cevans at google.com>
+
+ Reviewed by David Levin.
+
+ https://bugs.webkit.org/show_bug.cgi?id=47393
+
+ Use unsigned consistently to check for max StringImpl length.
+ Add a few integer overflow checks.
+ Uses the existing paradigm of CRASH() when we can't reasonably handle a crazily large request.
+
+ * wtf/text/WTFString.cpp:
+ * wtf/text/StringImpl.h:
+ * wtf/text/StringImpl.cpp:
+ Better use of size_t vs. unsigned; check for integer overflows.
+
2010-10-07 David Goodwin <david_goodwin at apple.com>
Reviewed by Oliver Hunt.
diff --git a/JavaScriptCore/wtf/text/StringImpl.cpp b/JavaScriptCore/wtf/text/StringImpl.cpp
index 7822c00..e1e08ee 100644
--- a/JavaScriptCore/wtf/text/StringImpl.cpp
+++ b/JavaScriptCore/wtf/text/StringImpl.cpp
@@ -81,7 +81,7 @@ PassRefPtr<StringImpl> StringImpl::createUninitialized(unsigned length, UChar*&
// Allocate a single buffer large enough to contain the StringImpl
// struct as well as the data which it contains. This removes one
// heap allocation from this call.
- if (length > ((std::numeric_limits<size_t>::max() - sizeof(StringImpl)) / sizeof(UChar)))
+ if (length > ((std::numeric_limits<unsigned>::max() - sizeof(StringImpl)) / sizeof(UChar)))
CRASH();
size_t size = sizeof(StringImpl) + length * sizeof(UChar);
StringImpl* string = static_cast<StringImpl*>(fastMalloc(size));
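Review bot: The bound `(std::numeric_limits<unsigned>::max() - sizeof(StringImpl)) / sizeof(UChar)` is now spelled out verbatim both here and in the StringImpl.h hunk at `@@ -165`, and two hand-copied limits tend to drift apart on the next edit; a single shared helper or constant in StringImpl.h that both call sites use would keep them in lockstep. The switch from size_t to unsigned also deserves a why-comment, since for an `unsigned length` the old size_t-based bound could never fire on a 64-bit target, which is presumably the motivation; something like `// Bound by the unsigned length type rather than size_t so the limit is the same on 32- and 64-bit builds and the byte count below cannot wrap.` createUninitialized's body begins before this hunk.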
diff --git a/JavaScriptCore/wtf/text/StringImpl.h b/JavaScriptCore/wtf/text/StringImpl.h
index 7025d9f..4dce56f 100644
--- a/JavaScriptCore/wtf/text/StringImpl.h
+++ b/JavaScriptCore/wtf/text/StringImpl.h
@@ -165,7 +165,7 @@ public:
return empty();
}
- if (length > ((std::numeric_limits<size_t>::max() - sizeof(StringImpl)) / sizeof(UChar))) {
+ if (length > ((std::numeric_limits<unsigned>::max() - sizeof(StringImpl)) / sizeof(UChar))) {
output = 0;
return 0;
}
@@ -187,6 +187,8 @@ public:
{
if (size_t size = vector.size()) {
ASSERT(vector.data());
+ if (size > std::numeric_limits<unsigned>::max())
+ CRASH();
return adoptRef(new StringImpl(vector.releaseBuffer(), size));
}
return empty();
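Review bot: `size > std::numeric_limits<unsigned>::max()` is a tautological comparison on targets where size_t is 32 bits wide, and a build with -Wtype-limits or clang's tautological-compare diagnostics will warn on it; the same applies to the new checks in WTFString.cpp's String(const UChar*) and String::fromUTF8 hunks. The purpose is also not stated in the code, so a reader may remove the check as dead on a 32-bit build; a comment such as `// size_t can be wider than the unsigned length StringImpl stores; refuse sizes that would truncate.` records the intent. The narrowing at the constructor call is still implicit, so `return adoptRef(new StringImpl(vector.releaseBuffer(), static_cast<unsigned>(size)));` would make the guarded conversion visible at the point it happens (assuming the constructor takes an unsigned length, as createUninitialized does).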
diff --git a/JavaScriptCore/wtf/text/WTFString.cpp b/JavaScriptCore/wtf/text/WTFString.cpp
index 9b53e81..5161477 100644
--- a/JavaScriptCore/wtf/text/WTFString.cpp
+++ b/JavaScriptCore/wtf/text/WTFString.cpp
@@ -48,9 +48,12 @@ String::String(const UChar* str)
if (!str)
return;
- int len = 0;
+ size_t len = 0;
while (str[len] != UChar(0))
len++;
+
+ if (len > std::numeric_limits<unsigned>::max())
+ CRASH();
m_impl = StringImpl::create(str, len);
}
@@ -175,6 +178,8 @@ void String::append(const UChar* charactersToAppend, unsigned lengthToAppend)
ASSERT(charactersToAppend);
UChar* data;
+ if (lengthToAppend > std::numeric_limits<unsigned>::max() - length())
+ CRASH();
RefPtr<StringImpl> newImpl =
StringImpl::createUninitialized(length() + lengthToAppend, data);
memcpy(data, characters(), length() * sizeof(UChar));
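Review bot: The pre-check is needed here because `length() + lengthToAppend` two lines below is plain unsigned arithmetic that would wrap before createUninitialized's own limit ever saw the value, but that reasoning is invisible in the code and should be stated, e.g. `// length() + lengthToAppend is unsigned arithmetic and would wrap silently; reject before createUninitialized sees a truncated length.` As a point of style, length() is now evaluated three times in four lines (the check, the createUninitialized argument, the memcpy size); hoisting `const unsigned currentLength = length();` at the top of the hunk reads better and guarantees the check and the allocation use one value. String::insert's hunk below has the same shape and would benefit from the same comment and hoisting. String::append's body begins before this hunk.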
@@ -196,6 +201,8 @@ void String::insert(const UChar* charactersToInsert, unsigned lengthToInsert, un
ASSERT(charactersToInsert);
UChar* data;
+ if (lengthToInsert > std::numeric_limits<unsigned>::max() - length())
+ CRASH();
RefPtr<StringImpl> newImpl =
StringImpl::createUninitialized(length() + lengthToInsert, data);
memcpy(data, characters(), position * sizeof(UChar));
@@ -718,6 +725,9 @@ CString String::utf8(bool strict) const
String String::fromUTF8(const char* stringStart, size_t length)
{
+ if (length > std::numeric_limits<unsigned>::max())
+ CRASH();
+
if (!stringStart)
return String();
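Review bot: The new CRASH() runs before the `!stringStart` test, so a null pointer paired with an oversized length now crashes where the previous code returned String() regardless of length. If the intent is that an out-of-range length is a caller bug no matter what the pointer is, a one-line comment saying so would stop a later reader from "fixing" the order; otherwise placing the length check after the null early-return keeps the null path unchanged. fromUTF8's body continues past the hunk.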