[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-9427-gc2be6fc

cevans at google.com cevans at google.com
Wed Dec 22 14:26:38 UTC 2010


The following commit has been merged in the debian/experimental branch:
commit 30937da8ae4f84b0aaac08acd588d92df74efc4e
Author: cevans at google.com <cevans at google.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Fri Oct 8 19:38:12 2010 +0000

    2010-10-08  Chris Evans  <cevans at google.com>
    
            Reviewed by David Levin.
    
            https://bugs.webkit.org/show_bug.cgi?id=47393
    
            Use unsigned consistently to check for max StringImpl length.
            Add a few integer overflow checks.
            Uses the existing paradigm of CRASH() when we can't reasonably handle a crazily large request.
    
            * wtf/text/WTFString.cpp:
            * wtf/text/StringImpl.h:
            * wtf/text/StringImpl.cpp:
            Better use of size_t vs. unsigned; check for integer overflows.
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@69414 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/JavaScriptCore/ChangeLog b/JavaScriptCore/ChangeLog
index a0b4787..1c439aa 100644
--- a/JavaScriptCore/ChangeLog
+++ b/JavaScriptCore/ChangeLog
@@ -1,3 +1,18 @@
+2010-10-08  Chris Evans  <cevans at google.com>
+
+        Reviewed by David Levin.
+
+        https://bugs.webkit.org/show_bug.cgi?id=47393
+
+        Use unsigned consistently to check for max StringImpl length.
+        Add a few integer overflow checks.
+        Uses the existing paradigm of CRASH() when we can't reasonably handle a crazily large request.
+
+        * wtf/text/WTFString.cpp:
+        * wtf/text/StringImpl.h:
+        * wtf/text/StringImpl.cpp:
+        Better use of size_t vs. unsigned; check for integer overflows.
+
 2010-10-07  David Goodwin  <david_goodwin at apple.com>
 
         Reviewed by Oliver Hunt.
diff --git a/JavaScriptCore/wtf/text/StringImpl.cpp b/JavaScriptCore/wtf/text/StringImpl.cpp
index 7822c00..e1e08ee 100644
--- a/JavaScriptCore/wtf/text/StringImpl.cpp
+++ b/JavaScriptCore/wtf/text/StringImpl.cpp
@@ -81,7 +81,7 @@ PassRefPtr<StringImpl> StringImpl::createUninitialized(unsigned length, UChar*&
     // Allocate a single buffer large enough to contain the StringImpl
     // struct as well as the data which it contains. This removes one 
     // heap allocation from this call.
-    if (length > ((std::numeric_limits<size_t>::max() - sizeof(StringImpl)) / sizeof(UChar)))
+    if (length > ((std::numeric_limits<unsigned>::max() - sizeof(StringImpl)) / sizeof(UChar)))
         CRASH();
     size_t size = sizeof(StringImpl) + length * sizeof(UChar);
     StringImpl* string = static_cast<StringImpl*>(fastMalloc(size));
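Review bot: The bound on the new line, `(std::numeric_limits<unsigned>::max() - sizeof(StringImpl)) / sizeof(UChar)`, is spelled out in full here and again in the StringImpl.h hunk of this commit, so the two copies can drift; a single named bound both sites call, e.g. `static size_t maxLength() { return (std::numeric_limits<unsigned>::max() - sizeof(StringImpl)) / sizeof(UChar); }` on StringImpl, would keep them in step. The two sites also react differently to an oversized length — this one CRASH()es, the header copy sets `output = 0` and returns null — which is presumably the create/try-create split, and a one-line comment at each site stating which contract applies would save the next reader from checking. createUninitialized's signature and the rest of its body lie outside the hunk.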
diff --git a/JavaScriptCore/wtf/text/StringImpl.h b/JavaScriptCore/wtf/text/StringImpl.h
index 7025d9f..4dce56f 100644
--- a/JavaScriptCore/wtf/text/StringImpl.h
+++ b/JavaScriptCore/wtf/text/StringImpl.h
@@ -165,7 +165,7 @@ public:
             return empty();
         }
 
-        if (length > ((std::numeric_limits<size_t>::max() - sizeof(StringImpl)) / sizeof(UChar))) {
+        if (length > ((std::numeric_limits<unsigned>::max() - sizeof(StringImpl)) / sizeof(UChar))) {
             output = 0;
             return 0;
         }
@@ -187,6 +187,8 @@ public:
     {
         if (size_t size = vector.size()) {
             ASSERT(vector.data());
+            if (size > std::numeric_limits<unsigned>::max())
+                CRASH();
             return adoptRef(new StringImpl(vector.releaseBuffer(), size));
         }
         return empty();
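Review bot: The new guard `if (size > std::numeric_limits<unsigned>::max())` compares a size_t against the unsigned maximum, which on targets where size_t and unsigned have the same width is always false and is the kind of comparison -Wtype-limits / -Wtautological-constant-out-of-range-compare reports; the same pattern is added in WTFString.cpp in String::String(const UChar*) and String::fromUTF8. A width-independent form is the round-trip check `if (size != static_cast<unsigned>(size)) CRASH();`, which rejects exactly the same values on 64-bit and compiles quietly on 32-bit. The `new StringImpl(vector.releaseBuffer(), size)` call on the next line then narrows size implicitly to what is presumably an unsigned length parameter; writing `static_cast<unsigned>(size)` there makes the post-guard narrowing visible. The signature of this function is outside the hunk.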
diff --git a/JavaScriptCore/wtf/text/WTFString.cpp b/JavaScriptCore/wtf/text/WTFString.cpp
index 9b53e81..5161477 100644
--- a/JavaScriptCore/wtf/text/WTFString.cpp
+++ b/JavaScriptCore/wtf/text/WTFString.cpp
@@ -48,9 +48,12 @@ String::String(const UChar* str)
     if (!str)
         return;
         
-    int len = 0;
+    size_t len = 0;
     while (str[len] != UChar(0))
         len++;
+
+    if (len > std::numeric_limits<unsigned>::max())
+        CRASH();
     
     m_impl = StringImpl::create(str, len);
 }
@@ -175,6 +178,8 @@ void String::append(const UChar* charactersToAppend, unsigned lengthToAppend)
 
     ASSERT(charactersToAppend);
     UChar* data;
+    if (lengthToAppend > std::numeric_limits<unsigned>::max() - length())
+        CRASH();
     RefPtr<StringImpl> newImpl =
         StringImpl::createUninitialized(length() + lengthToAppend, data);
     memcpy(data, characters(), length() * sizeof(UChar));
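Review bot: The guard `if (lengthToAppend > std::numeric_limits<unsigned>::max() - length())` added before createUninitialized is duplicated verbatim in String::insert in the next hunk; a small shared helper (a checked addition of two unsigned lengths that CRASH()es on wrap, called from both) would keep the two in step and give the condition a name. The check itself is the right one: without it `length() + lengthToAppend` wraps to a small value, createUninitialized allocates for that small length, and the `memcpy(data, characters(), length() * sizeof(UChar))` on the following line writes past the allocation. It relies on `length()` returning unsigned so the subtraction cannot itself wrap — worth confirming, since the subtraction is the only thing standing between a large lengthToAppend and the old behaviour. append's signature and the rest of its body are outside the hunk.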
@@ -196,6 +201,8 @@ void String::insert(const UChar* charactersToInsert, unsigned lengthToInsert, un
 
     ASSERT(charactersToInsert);
     UChar* data;
+    if (lengthToInsert > std::numeric_limits<unsigned>::max() - length())
+        CRASH();
     RefPtr<StringImpl> newImpl =
       StringImpl::createUninitialized(length() + lengthToInsert, data);
     memcpy(data, characters(), position * sizeof(UChar));
@@ -718,6 +725,9 @@ CString String::utf8(bool strict) const
 
 String String::fromUTF8(const char* stringStart, size_t length)
 {
+    if (length > std::numeric_limits<unsigned>::max())
+        CRASH();
+
     if (!stringStart)
         return String();
 
