[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-9427-gc2be6fc
darin at apple.com
darin at apple.com
Wed Dec 22 15:46:12 UTC 2010
The following commit has been merged in the debian/experimental branch:
commit 3cccda7c7f6f5d050837c474dc86a0c1a988250f
Author: darin at apple.com <darin at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Fri Nov 12 01:01:14 2010 +0000
2010-11-11 Darin Adler <darin at apple.com>
Reviewed by Sam Weinig.
Harden some string functions against large lengths
https://bugs.webkit.org/show_bug.cgi?id=49293
* wtf/text/StringImpl.cpp:
(WTF::StringImpl::create): Fix incorrect use of PassRefPtr. Check for
strlen results that are too large for StringImpl.
(WTF::StringImpl::lower): Check for lengths that are too large for
int32_t.
(WTF::StringImpl::upper): Fix incorrect use of PassRefPtr. Check for
lengths that are too large for int32_t.
(WTF::StringImpl::secure): Fix incorect use of PassRefPtr. Use unsigned
rather than int and int32_t so we can handle any length.
(WTF::StringImpl::foldCase): Fix incorrect use of PassRefPtr. Check for
lengths that are too large for int32_t.
(WTF::StringImpl::find): Check for strlen results that are too large for
StringImpl.
(WTF::StringImpl::findIgnoringCase): Ditto.
(WTF::StringImpl::replace): Fix incorrect use of PassRefPtr.
(WTF::StringImpl::createWithTerminatingNullCharacter): Check before
incrementing length.
2010-11-11 Darin Adler <darin at apple.com>
Reviewed by Sam Weinig.
Harden some string functions against large lengths
https://bugs.webkit.org/show_bug.cgi?id=49293
* rendering/RenderText.cpp:
(WebCore::makeCapitalized): Check before incrementing length.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@71867 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/JavaScriptCore/ChangeLog b/JavaScriptCore/ChangeLog
index 73a19ef..bc8b45c 100644
--- a/JavaScriptCore/ChangeLog
+++ b/JavaScriptCore/ChangeLog
@@ -1,3 +1,28 @@
+2010-11-11 Darin Adler <darin at apple.com>
+
+ Reviewed by Sam Weinig.
+
+ Harden some string functions against large lengths
+ https://bugs.webkit.org/show_bug.cgi?id=49293
+
+ * wtf/text/StringImpl.cpp:
+ (WTF::StringImpl::create): Fix incorrect use of PassRefPtr. Check for
+ strlen results that are too large for StringImpl.
+ (WTF::StringImpl::lower): Check for lengths that are too large for
+ int32_t.
+ (WTF::StringImpl::upper): Fix incorrect use of PassRefPtr. Check for
+ lengths that are too large for int32_t.
+ (WTF::StringImpl::secure): Fix incorect use of PassRefPtr. Use unsigned
+ rather than int and int32_t so we can handle any length.
+ (WTF::StringImpl::foldCase): Fix incorrect use of PassRefPtr. Check for
+ lengths that are too large for int32_t.
+ (WTF::StringImpl::find): Check for strlen results that are too large for
+ StringImpl.
+ (WTF::StringImpl::findIgnoringCase): Ditto.
+ (WTF::StringImpl::replace): Fix incorrect use of PassRefPtr.
+ (WTF::StringImpl::createWithTerminatingNullCharacter): Check before
+ incrementing length.
+
2010-11-11 Dan Horák <dan at danny.cz>
Reviewed by Andreas Kling.
diff --git a/JavaScriptCore/wtf/text/StringImpl.cpp b/JavaScriptCore/wtf/text/StringImpl.cpp
index f4b2f05..1c4de66 100644
--- a/JavaScriptCore/wtf/text/StringImpl.cpp
+++ b/JavaScriptCore/wtf/text/StringImpl.cpp
@@ -96,9 +96,9 @@ PassRefPtr<StringImpl> StringImpl::create(const UChar* characters, unsigned leng
return empty();
UChar* data;
- PassRefPtr<StringImpl> string = createUninitialized(length, data);
+ RefPtr<StringImpl> string = createUninitialized(length, data);
memcpy(data, characters, length * sizeof(UChar));
- return string;
+ return string.release();
}
PassRefPtr<StringImpl> StringImpl::create(const char* characters, unsigned length)
@@ -107,19 +107,22 @@ PassRefPtr<StringImpl> StringImpl::create(const char* characters, unsigned lengt
return empty();
UChar* data;
- PassRefPtr<StringImpl> string = createUninitialized(length, data);
+ RefPtr<StringImpl> string = createUninitialized(length, data);
for (unsigned i = 0; i != length; ++i) {
unsigned char c = characters[i];
data[i] = c;
}
- return string;
+ return string.release();
}
PassRefPtr<StringImpl> StringImpl::create(const char* string)
{
if (!string)
return empty();
- return create(string, strlen(string));
+ size_t length = strlen(string);
+ if (length > numeric_limits<unsigned>::max())
+ CRASH();
+ return create(string, length);
}
PassRefPtr<StringImpl> StringImpl::create(const UChar* characters, unsigned length, PassRefPtr<SharedUChar> sharedBuffer)
@@ -205,7 +208,10 @@ PassRefPtr<StringImpl> StringImpl::lower()
if (noUpper && !(ored & ~0x7F))
return this;
+ if (m_length > static_cast<unsigned>(numeric_limits<int32_t>::max()))
+ CRASH();
int32_t length = m_length;
+
UChar* data;
RefPtr<StringImpl> newImpl = createUninitialized(m_length, data);
@@ -236,7 +242,10 @@ PassRefPtr<StringImpl> StringImpl::upper()
// but in empirical testing, few actual calls to upper() are no-ops, so
// it wouldn't be worth the extra time for pre-scanning.
UChar* data;
- PassRefPtr<StringImpl> newImpl = createUninitialized(m_length, data);
+ RefPtr<StringImpl> newImpl = createUninitialized(m_length, data);
+
+ if (m_length > static_cast<unsigned>(numeric_limits<int32_t>::max()))
+ CRASH();
int32_t length = m_length;
// Do a faster loop for the case where all the characters are ASCII.
@@ -247,7 +256,7 @@ PassRefPtr<StringImpl> StringImpl::upper()
data[i] = toASCIIUpper(c);
}
if (!(ored & ~0x7F))
- return newImpl;
+ return newImpl.release();
// Do a slower implementation for cases that include non-ASCII characters.
bool error;
@@ -258,45 +267,47 @@ PassRefPtr<StringImpl> StringImpl::upper()
Unicode::toUpper(data, realLength, m_data, m_length, &error);
if (error)
return this;
- return newImpl;
+ return newImpl.release();
}
-PassRefPtr<StringImpl> StringImpl::secure(UChar aChar)
+PassRefPtr<StringImpl> StringImpl::secure(UChar character)
{
UChar* data;
- PassRefPtr<StringImpl> newImpl = createUninitialized(m_length, data);
- int32_t length = m_length;
- for (int i = 0; i < length; ++i)
- data[i] = aChar;
- return newImpl;
+ RefPtr<StringImpl> newImpl = createUninitialized(m_length, data);
+ for (unsigned i = 0; i < m_length; ++i)
+ data[i] = character;
+ return newImpl.release();
}
PassRefPtr<StringImpl> StringImpl::foldCase()
{
UChar* data;
- PassRefPtr<StringImpl> newImpl = createUninitialized(m_length, data);
+ RefPtr<StringImpl> newImpl = createUninitialized(m_length, data);
+
+ if (m_length > static_cast<unsigned>(numeric_limits<int32_t>::max()))
+ CRASH();
int32_t length = m_length;
// Do a faster loop for the case where all the characters are ASCII.
UChar ored = 0;
- for (int i = 0; i < length; i++) {
+ for (int32_t i = 0; i < length; i++) {
UChar c = m_data[i];
ored |= c;
data[i] = toASCIILower(c);
}
if (!(ored & ~0x7F))
- return newImpl;
+ return newImpl.release();
// Do a slower implementation for cases that include non-ASCII characters.
bool error;
int32_t realLength = Unicode::foldCase(data, length, m_data, m_length, &error);
if (!error && realLength == length)
- return newImpl;
+ return newImpl.release();
newImpl = createUninitialized(realLength, data);
Unicode::foldCase(data, realLength, m_data, m_length, &error);
if (error)
return this;
- return newImpl;
+ return newImpl.release();
}
PassRefPtr<StringImpl> StringImpl::stripWhiteSpace()
@@ -517,7 +528,10 @@ size_t StringImpl::find(const char* matchString, unsigned index)
// Check for null or empty string to match against
if (!matchString)
return notFound;
- unsigned matchLength = strlen(matchString);
+ size_t matchStringLength = strlen(matchString);
+ if (matchStringLength > numeric_limits<unsigned>::max())
+ CRASH();
+ unsigned matchLength = matchStringLength;
if (!matchLength)
return min(index, length());
@@ -563,7 +577,10 @@ size_t StringImpl::findIgnoringCase(const char* matchString, unsigned index)
// Check for null or empty string to match against
if (!matchString)
return notFound;
- unsigned matchLength = strlen(matchString);
+ size_t matchStringLength = strlen(matchString);
+ if (matchStringLength > numeric_limits<unsigned>::max())
+ CRASH();
+ unsigned matchLength = matchStringLength;
if (!matchLength)
return min(index, length());
@@ -761,7 +778,7 @@ PassRefPtr<StringImpl> StringImpl::replace(UChar oldC, UChar newC)
return this;
UChar* data;
- PassRefPtr<StringImpl> newImpl = createUninitialized(m_length, data);
+ RefPtr<StringImpl> newImpl = createUninitialized(m_length, data);
for (i = 0; i != m_length; ++i) {
UChar ch = m_data[i];
@@ -769,7 +786,7 @@ PassRefPtr<StringImpl> StringImpl::replace(UChar oldC, UChar newC)
ch = newC;
data[i] = ch;
}
- return newImpl;
+ return newImpl.release();
}
PassRefPtr<StringImpl> StringImpl::replace(unsigned position, unsigned lengthToReplace, StringImpl* str)
@@ -784,14 +801,14 @@ PassRefPtr<StringImpl> StringImpl::replace(unsigned position, unsigned lengthToR
if ((length() - lengthToReplace) >= (numeric_limits<unsigned>::max() - lengthToInsert))
CRASH();
- PassRefPtr<StringImpl> newImpl =
+ RefPtr<StringImpl> newImpl =
createUninitialized(length() - lengthToReplace + lengthToInsert, data);
memcpy(data, characters(), position * sizeof(UChar));
if (str)
memcpy(data + position, str->characters(), lengthToInsert * sizeof(UChar));
memcpy(data + position + lengthToInsert, characters() + position + lengthToReplace,
(length() - position - lengthToReplace) * sizeof(UChar));
- return newImpl;
+ return newImpl.release();
}
PassRefPtr<StringImpl> StringImpl::replace(UChar pattern, StringImpl* replacement)
@@ -824,7 +841,7 @@ PassRefPtr<StringImpl> StringImpl::replace(UChar pattern, StringImpl* replacemen
newSize += replaceSize;
UChar* data;
- PassRefPtr<StringImpl> newImpl = createUninitialized(newSize, data);
+ RefPtr<StringImpl> newImpl = createUninitialized(newSize, data);
// Construct the new data
size_t srcSegmentEnd;
@@ -846,7 +863,7 @@ PassRefPtr<StringImpl> StringImpl::replace(UChar pattern, StringImpl* replacemen
ASSERT(dstOffset + srcSegmentLength == newImpl->length());
- return newImpl;
+ return newImpl.release();
}
PassRefPtr<StringImpl> StringImpl::replace(StringImpl* pattern, StringImpl* replacement)
@@ -882,7 +899,7 @@ PassRefPtr<StringImpl> StringImpl::replace(StringImpl* pattern, StringImpl* repl
newSize += matchCount * repStrLength;
UChar* data;
- PassRefPtr<StringImpl> newImpl = createUninitialized(newSize, data);
+ RefPtr<StringImpl> newImpl = createUninitialized(newSize, data);
// Construct the new data
size_t srcSegmentEnd;
@@ -904,7 +921,7 @@ PassRefPtr<StringImpl> StringImpl::replace(StringImpl* pattern, StringImpl* repl
ASSERT(dstOffset + srcSegmentLength == newImpl->length());
- return newImpl;
+ return newImpl.release();
}
bool equal(const StringImpl* a, const StringImpl* b)
@@ -1020,9 +1037,11 @@ PassRefPtr<StringImpl> StringImpl::adopt(StringBuffer& buffer)
PassRefPtr<StringImpl> StringImpl::createWithTerminatingNullCharacter(const StringImpl& string)
{
// Use createUninitialized instead of 'new StringImpl' so that the string and its buffer
- // get allocated in a single malloc block.
+ // get allocated in a single memory block.
UChar* data;
- int length = string.m_length;
+ unsigned length = string.m_length;
+ if (length >= numeric_limits<unsigned>::max())
+ CRASH();
RefPtr<StringImpl> terminatedString = createUninitialized(length + 1, data);
memcpy(data, string.m_data, length * sizeof(UChar));
data[length] = 0;
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 10a5c7c..2bea384 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,13 @@
+2010-11-11 Darin Adler <darin at apple.com>
+
+ Reviewed by Sam Weinig.
+
+ Harden some string functions against large lengths
+ https://bugs.webkit.org/show_bug.cgi?id=49293
+
+ * rendering/RenderText.cpp:
+ (WebCore::makeCapitalized): Check before incrementing length.
+
2010-11-10 Zhenyao Mo <zmo at google.com>
Reviewed by Kenneth Russell.
diff --git a/WebCore/rendering/RenderText.cpp b/WebCore/rendering/RenderText.cpp
index 551c429..7635d07 100644
--- a/WebCore/rendering/RenderText.cpp
+++ b/WebCore/rendering/RenderText.cpp
@@ -59,6 +59,9 @@ static void makeCapitalized(String* string, UChar previous)
unsigned length = string->length();
const UChar* characters = string->characters();
+ if (length >= numeric_limits<unsigned>::max())
+ CRASH();
+
StringBuffer stringWithPrevious(length + 1);
stringWithPrevious[0] = previous == noBreakSpace ? ' ' : previous;
for (unsigned i = 1; i < length + 1; i++) {
--
WebKit Debian packaging
More information about the Pkg-webkit-commits
mailing list