[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-9427-gc2be6fc

Wed Dec 22 15:46:12 UTC 2010

The following commit has been merged in the debian/experimental branch:
commit 3cccda7c7f6f5d050837c474dc86a0c1a988250f
Author: darin at apple.com <darin at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Fri Nov 12 01:01:14 2010 +0000

    2010-11-11  Darin Adler  <darin at apple.com>
    
            Reviewed by Sam Weinig.
    
            Harden some string functions against large lengths
            https://bugs.webkit.org/show_bug.cgi?id=49293
    
            * wtf/text/StringImpl.cpp:
            (WTF::StringImpl::create): Fix incorrect use of PassRefPtr. Check for
            strlen results that are too large for StringImpl.
            (WTF::StringImpl::lower): Check for lengths that are too large for
            int32_t.
            (WTF::StringImpl::upper): Fix incorrect use of PassRefPtr. Check for
            lengths that are too large for int32_t.
            (WTF::StringImpl::secure): Fix incorect use of PassRefPtr. Use unsigned
            rather than int and int32_t so we can handle any length.
            (WTF::StringImpl::foldCase): Fix incorrect use of PassRefPtr. Check for
            lengths that are too large for int32_t.
            (WTF::StringImpl::find): Check for strlen results that are too large for
            StringImpl.
            (WTF::StringImpl::findIgnoringCase): Ditto.
            (WTF::StringImpl::replace): Fix incorrect use of PassRefPtr.
            (WTF::StringImpl::createWithTerminatingNullCharacter): Check before
            incrementing length.
    2010-11-11  Darin Adler  <darin at apple.com>
    
            Reviewed by Sam Weinig.
    
            Harden some string functions against large lengths
            https://bugs.webkit.org/show_bug.cgi?id=49293
    
            * rendering/RenderText.cpp:
            (WebCore::makeCapitalized): Check before incrementing length.
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@71867 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/JavaScriptCore/ChangeLog b/JavaScriptCore/ChangeLog
index 73a19ef..bc8b45c 100644
--- a/JavaScriptCore/ChangeLog
+++ b/JavaScriptCore/ChangeLog
@@ -1,3 +1,28 @@
+2010-11-11  Darin Adler  <darin at apple.com>
+
+        Reviewed by Sam Weinig.
+
+        Harden some string functions against large lengths
+        https://bugs.webkit.org/show_bug.cgi?id=49293
+
+        * wtf/text/StringImpl.cpp:
+        (WTF::StringImpl::create): Fix incorrect use of PassRefPtr. Check for
+        strlen results that are too large for StringImpl.
+        (WTF::StringImpl::lower): Check for lengths that are too large for
+        int32_t.
+        (WTF::StringImpl::upper): Fix incorrect use of PassRefPtr. Check for
+        lengths that are too large for int32_t.
+        (WTF::StringImpl::secure): Fix incorect use of PassRefPtr. Use unsigned
+        rather than int and int32_t so we can handle any length.
+        (WTF::StringImpl::foldCase): Fix incorrect use of PassRefPtr. Check for
+        lengths that are too large for int32_t.
+        (WTF::StringImpl::find): Check for strlen results that are too large for
+        StringImpl.
+        (WTF::StringImpl::findIgnoringCase): Ditto.
+        (WTF::StringImpl::replace): Fix incorrect use of PassRefPtr.
+        (WTF::StringImpl::createWithTerminatingNullCharacter): Check before
+        incrementing length.
+
 2010-11-11  Dan Horák  <dan at danny.cz>
 
         Reviewed by Andreas Kling.
diff --git a/JavaScriptCore/wtf/text/StringImpl.cpp b/JavaScriptCore/wtf/text/StringImpl.cpp
index f4b2f05..1c4de66 100644
--- a/JavaScriptCore/wtf/text/StringImpl.cpp
+++ b/JavaScriptCore/wtf/text/StringImpl.cpp
@@ -96,9 +96,9 @@ PassRefPtr<StringImpl> StringImpl::create(const UChar* characters, unsigned leng
         return empty();
 
     UChar* data;
-    PassRefPtr<StringImpl> string = createUninitialized(length, data);
+    RefPtr<StringImpl> string = createUninitialized(length, data);
     memcpy(data, characters, length * sizeof(UChar));
-    return string;
+    return string.release();
 }
 
 PassRefPtr<StringImpl> StringImpl::create(const char* characters, unsigned length)
@@ -107,19 +107,22 @@ PassRefPtr<StringImpl> StringImpl::create(const char* characters, unsigned lengt
         return empty();
 
     UChar* data;
-    PassRefPtr<StringImpl> string = createUninitialized(length, data);
+    RefPtr<StringImpl> string = createUninitialized(length, data);
     for (unsigned i = 0; i != length; ++i) {
         unsigned char c = characters[i];
         data[i] = c;
     }
-    return string;
+    return string.release();
 }
 
 PassRefPtr<StringImpl> StringImpl::create(const char* string)
 {
     if (!string)
         return empty();
-    return create(string, strlen(string));
+    size_t length = strlen(string);
+    if (length > numeric_limits<unsigned>::max())
+        CRASH();
+    return create(string, length);
 }
 
 PassRefPtr<StringImpl> StringImpl::create(const UChar* characters, unsigned length, PassRefPtr<SharedUChar> sharedBuffer)
@@ -205,7 +208,10 @@ PassRefPtr<StringImpl> StringImpl::lower()
     if (noUpper && !(ored & ~0x7F))
         return this;
 
+    if (m_length > static_cast<unsigned>(numeric_limits<int32_t>::max()))
+        CRASH();
     int32_t length = m_length;
+
     UChar* data;
     RefPtr<StringImpl> newImpl = createUninitialized(m_length, data);
 
@@ -236,7 +242,10 @@ PassRefPtr<StringImpl> StringImpl::upper()
     // but in empirical testing, few actual calls to upper() are no-ops, so
     // it wouldn't be worth the extra time for pre-scanning.
     UChar* data;
-    PassRefPtr<StringImpl> newImpl = createUninitialized(m_length, data);
+    RefPtr<StringImpl> newImpl = createUninitialized(m_length, data);
+
+    if (m_length > static_cast<unsigned>(numeric_limits<int32_t>::max()))
+        CRASH();
     int32_t length = m_length;
 
     // Do a faster loop for the case where all the characters are ASCII.
@@ -247,7 +256,7 @@ PassRefPtr<StringImpl> StringImpl::upper()
         data[i] = toASCIIUpper(c);
     }
     if (!(ored & ~0x7F))
-        return newImpl;
+        return newImpl.release();
 
     // Do a slower implementation for cases that include non-ASCII characters.
     bool error;
@@ -258,45 +267,47 @@ PassRefPtr<StringImpl> StringImpl::upper()
     Unicode::toUpper(data, realLength, m_data, m_length, &error);
     if (error)
         return this;
-    return newImpl;
+    return newImpl.release();
 }
 
-PassRefPtr<StringImpl> StringImpl::secure(UChar aChar)
+PassRefPtr<StringImpl> StringImpl::secure(UChar character)
 {
     UChar* data;
-    PassRefPtr<StringImpl> newImpl = createUninitialized(m_length, data);
-    int32_t length = m_length;
-    for (int i = 0; i < length; ++i)
-        data[i] = aChar;
-    return newImpl;
+    RefPtr<StringImpl> newImpl = createUninitialized(m_length, data);
+    for (unsigned i = 0; i < m_length; ++i)
+        data[i] = character;
+    return newImpl.release();
 }
 
 PassRefPtr<StringImpl> StringImpl::foldCase()
 {
     UChar* data;
-    PassRefPtr<StringImpl> newImpl = createUninitialized(m_length, data);
+    RefPtr<StringImpl> newImpl = createUninitialized(m_length, data);
+
+    if (m_length > static_cast<unsigned>(numeric_limits<int32_t>::max()))
+        CRASH();
     int32_t length = m_length;
 
     // Do a faster loop for the case where all the characters are ASCII.
     UChar ored = 0;
-    for (int i = 0; i < length; i++) {
+    for (int32_t i = 0; i < length; i++) {
         UChar c = m_data[i];
         ored |= c;
         data[i] = toASCIILower(c);
     }
     if (!(ored & ~0x7F))
-        return newImpl;
+        return newImpl.release();
 
     // Do a slower implementation for cases that include non-ASCII characters.
     bool error;
     int32_t realLength = Unicode::foldCase(data, length, m_data, m_length, &error);
     if (!error && realLength == length)
-        return newImpl;
+        return newImpl.release();
     newImpl = createUninitialized(realLength, data);
     Unicode::foldCase(data, realLength, m_data, m_length, &error);
     if (error)
         return this;
-    return newImpl;
+    return newImpl.release();
 }
 
 PassRefPtr<StringImpl> StringImpl::stripWhiteSpace()
@@ -517,7 +528,10 @@ size_t StringImpl::find(const char* matchString, unsigned index)
     // Check for null or empty string to match against
     if (!matchString)
         return notFound;
-    unsigned matchLength = strlen(matchString);
+    size_t matchStringLength = strlen(matchString);
+    if (matchStringLength > numeric_limits<unsigned>::max())
+        CRASH();
+    unsigned matchLength = matchStringLength;
     if (!matchLength)
         return min(index, length());
 
@@ -563,7 +577,10 @@ size_t StringImpl::findIgnoringCase(const char* matchString, unsigned index)
     // Check for null or empty string to match against
     if (!matchString)
         return notFound;
-    unsigned matchLength = strlen(matchString);
+    size_t matchStringLength = strlen(matchString);
+    if (matchStringLength > numeric_limits<unsigned>::max())
+        CRASH();
+    unsigned matchLength = matchStringLength;
     if (!matchLength)
         return min(index, length());
 
@@ -761,7 +778,7 @@ PassRefPtr<StringImpl> StringImpl::replace(UChar oldC, UChar newC)
         return this;
 
     UChar* data;
-    PassRefPtr<StringImpl> newImpl = createUninitialized(m_length, data);
+    RefPtr<StringImpl> newImpl = createUninitialized(m_length, data);
 
     for (i = 0; i != m_length; ++i) {
         UChar ch = m_data[i];
@@ -769,7 +786,7 @@ PassRefPtr<StringImpl> StringImpl::replace(UChar oldC, UChar newC)
             ch = newC;
         data[i] = ch;
     }
-    return newImpl;
+    return newImpl.release();
 }
 
 PassRefPtr<StringImpl> StringImpl::replace(unsigned position, unsigned lengthToReplace, StringImpl* str)
@@ -784,14 +801,14 @@ PassRefPtr<StringImpl> StringImpl::replace(unsigned position, unsigned lengthToR
     if ((length() - lengthToReplace) >= (numeric_limits<unsigned>::max() - lengthToInsert))
         CRASH();
 
-    PassRefPtr<StringImpl> newImpl =
+    RefPtr<StringImpl> newImpl =
         createUninitialized(length() - lengthToReplace + lengthToInsert, data);
     memcpy(data, characters(), position * sizeof(UChar));
     if (str)
         memcpy(data + position, str->characters(), lengthToInsert * sizeof(UChar));
     memcpy(data + position + lengthToInsert, characters() + position + lengthToReplace,
         (length() - position - lengthToReplace) * sizeof(UChar));
-    return newImpl;
+    return newImpl.release();
 }
 
 PassRefPtr<StringImpl> StringImpl::replace(UChar pattern, StringImpl* replacement)
@@ -824,7 +841,7 @@ PassRefPtr<StringImpl> StringImpl::replace(UChar pattern, StringImpl* replacemen
     newSize += replaceSize;
 
     UChar* data;
-    PassRefPtr<StringImpl> newImpl = createUninitialized(newSize, data);
+    RefPtr<StringImpl> newImpl = createUninitialized(newSize, data);
 
     // Construct the new data
     size_t srcSegmentEnd;
@@ -846,7 +863,7 @@ PassRefPtr<StringImpl> StringImpl::replace(UChar pattern, StringImpl* replacemen
 
     ASSERT(dstOffset + srcSegmentLength == newImpl->length());
 
-    return newImpl;
+    return newImpl.release();
 }
 
 PassRefPtr<StringImpl> StringImpl::replace(StringImpl* pattern, StringImpl* replacement)
@@ -882,7 +899,7 @@ PassRefPtr<StringImpl> StringImpl::replace(StringImpl* pattern, StringImpl* repl
     newSize += matchCount * repStrLength;
 
     UChar* data;
-    PassRefPtr<StringImpl> newImpl = createUninitialized(newSize, data);
+    RefPtr<StringImpl> newImpl = createUninitialized(newSize, data);
     
     // Construct the new data
     size_t srcSegmentEnd;
@@ -904,7 +921,7 @@ PassRefPtr<StringImpl> StringImpl::replace(StringImpl* pattern, StringImpl* repl
 
     ASSERT(dstOffset + srcSegmentLength == newImpl->length());
 
-    return newImpl;
+    return newImpl.release();
 }
 
 bool equal(const StringImpl* a, const StringImpl* b)
@@ -1020,9 +1037,11 @@ PassRefPtr<StringImpl> StringImpl::adopt(StringBuffer& buffer)
 PassRefPtr<StringImpl> StringImpl::createWithTerminatingNullCharacter(const StringImpl& string)
 {
     // Use createUninitialized instead of 'new StringImpl' so that the string and its buffer
-    // get allocated in a single malloc block.
+    // get allocated in a single memory block.
     UChar* data;
-    int length = string.m_length;
+    unsigned length = string.m_length;
+    if (length >= numeric_limits<unsigned>::max())
+        CRASH();
     RefPtr<StringImpl> terminatedString = createUninitialized(length + 1, data);
     memcpy(data, string.m_data, length * sizeof(UChar));
     data[length] = 0;
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 10a5c7c..2bea384 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,13 @@
+2010-11-11  Darin Adler  <darin at apple.com>
+
+        Reviewed by Sam Weinig.
+
+        Harden some string functions against large lengths
+        https://bugs.webkit.org/show_bug.cgi?id=49293
+
+        * rendering/RenderText.cpp:
+        (WebCore::makeCapitalized): Check before incrementing length.
+
 2010-11-10  Zhenyao Mo  <zmo at google.com>
 
         Reviewed by Kenneth Russell.
diff --git a/WebCore/rendering/RenderText.cpp b/WebCore/rendering/RenderText.cpp
index 551c429..7635d07 100644
--- a/WebCore/rendering/RenderText.cpp
+++ b/WebCore/rendering/RenderText.cpp
@@ -59,6 +59,9 @@ static void makeCapitalized(String* string, UChar previous)
     unsigned length = string->length();
     const UChar* characters = string->characters();
 
+    if (length >= numeric_limits<unsigned>::max())
+        CRASH();
+
     StringBuffer stringWithPrevious(length + 1);
     stringWithPrevious[0] = previous == noBreakSpace ? ' ' : previous;
     for (unsigned i = 1; i < length + 1; i++) {

-- 
WebKit Debian packaging

