[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-9427-gc2be6fc
darin at apple.com
Wed Dec 22 15:55:18 UTC 2010
The following commit has been merged in the debian/experimental branch:
commit 87653130c3e375949990e35c6d1986ea51589726
Author: darin at apple.com <darin at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Tue Nov 16 18:04:52 2010 +0000
2010-11-15 Darin Adler <darin at apple.com>
Reviewed by Sam Weinig.
Harden additional string functions against large lengths
https://bugs.webkit.org/show_bug.cgi?id=49574
* wtf/text/CString.cpp:
(WTF::CString::init): Check for length that is too large for CString.
(WTF::CString::newUninitialized): Ditto.
(WTF::CString::copyBufferIfNeeded): Fix types so the length stays
in a size_t.
* wtf/text/WTFString.cpp:
(WTF::String::append): Check for length that is too large.
2010-11-15 Darin Adler <darin at apple.com>
Reviewed by Sam Weinig.
Harden additional string functions against large lengths
https://bugs.webkit.org/show_bug.cgi?id=49574
* platform/text/TextCodecUTF16.cpp:
(WebCore::TextCodecUTF16::encode): Check for length that is
too large for size_t.
* platform/text/TextStream.cpp:
(WebCore::TextStream::operator<<): Check for length that is
too large for size_t.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@72114 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/JavaScriptCore/ChangeLog b/JavaScriptCore/ChangeLog
index 170a42b..1f690bc 100644
--- a/JavaScriptCore/ChangeLog
+++ b/JavaScriptCore/ChangeLog
@@ -1,3 +1,19 @@
+2010-11-15 Darin Adler <darin at apple.com>
+
+ Reviewed by Sam Weinig.
+
+ Harden additional string functions against large lengths
+ https://bugs.webkit.org/show_bug.cgi?id=49574
+
+ * wtf/text/CString.cpp:
+ (WTF::CString::init): Check for length that is too large for CString.
+ (WTF::CString::newUninitialized): Ditto.
+ (WTF::CString::copyBufferIfNeeded): Fix types so the length stays
+ in a size_t.
+
+ * wtf/text/WTFString.cpp:
+ (WTF::String::append): Check for length that is too large.
+
2010-11-15 Gavin Barraclough <barraclough at apple.com>
Reviewed by Sam Weinig.
diff --git a/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj b/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj
index a1e1c5c..b40d74e 100644
--- a/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj
+++ b/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj
@@ -2446,6 +2446,7 @@
isa = PBXProject;
buildConfigurationList = 149C277108902AFE008A9EFC /* Build configuration list for PBXProject "JavaScriptCore" */;
compatibilityVersion = "Xcode 2.4";
+ developmentRegion = English;
hasScannedForEncodings = 1;
knownRegions = (
English,
diff --git a/JavaScriptCore/wtf/text/CString.cpp b/JavaScriptCore/wtf/text/CString.cpp
index 2b78bf8..db6443f 100644
--- a/JavaScriptCore/wtf/text/CString.cpp
+++ b/JavaScriptCore/wtf/text/CString.cpp
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2003, 2006, 2008, 2009 Apple Inc. All rights reserved.
+ * Copyright (C) 2003, 2006, 2008, 2009, 2010 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -27,7 +27,7 @@
#include "config.h"
#include "CString.h"
-using std::min;
+using namespace std;
namespace WTF {
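Review bot: The blanket `using namespace std;` at file scope is broader than this change needs; the only new standard name CString.cpp pulls in is `numeric_limits`, so `using std::min;` followed by `using std::numeric_limits;` keeps the directive targeted and avoids any future ambiguity between std and WTF names. This is a style point only and the same replacement recurs in the other three files of this commit, so whichever form is chosen should be applied consistently.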
@@ -48,7 +48,10 @@ void CString::init(const char* str, size_t length)
{
if (!str)
return;
-
+
+ if (length >= numeric_limits<size_t>::max())
+ CRASH();
+
m_buffer = CStringBuffer::create(length + 1);
memcpy(m_buffer->mutableData(), str, length);
m_buffer->mutableData()[length] = '\0';
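Review bot: The new `>=` guard in CString::init deserves a one-line comment, because a reader who expects `>` may later loosen it and reintroduce the wrap: `// length + 1 below must not wrap to 0; a zero-length buffer would turn the memcpy into a heap overflow.` The identical guard in newUninitialized wants the same comment. Note that the guard sits after the `if (!str) return;` early-out, so a null str paired with an oversized length is silently ignored rather than crashing; presumably intended, but worth stating in that comment.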
@@ -64,6 +67,9 @@ char* CString::mutableData()
CString CString::newUninitialized(size_t length, char*& characterBuffer)
{
+ if (length >= numeric_limits<size_t>::max())
+ CRASH();
+
CString result;
result.m_buffer = CStringBuffer::create(length + 1);
char* bytes = result.m_buffer->mutableData();
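Review bot: The guard added to newUninitialized is byte-for-byte the one added to init a few lines above, and both exist to protect the same `length + 1` handed to CStringBuffer::create; a single file-local helper such as `static inline void checkLengthFitsWithTerminator(size_t length) { if (length >= numeric_limits<size_t>::max()) CRASH(); }` called from both keeps the two checks from drifting apart. Moving the check into CStringBuffer::create itself would be even tighter, but that function is outside this hunk. newUninitialized continues past the end of the hunk.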
@@ -76,11 +82,11 @@ void CString::copyBufferIfNeeded()
{
if (!m_buffer || m_buffer->hasOneRef())
return;
-
- int len = m_buffer->length();
- RefPtr<CStringBuffer> m_temp = m_buffer;
- m_buffer = CStringBuffer::create(len);
- memcpy(m_buffer->mutableData(), m_temp->data(), len);
+
+ RefPtr<CStringBuffer> buffer = m_buffer.release();
+ size_t length = buffer->length();
+ m_buffer = CStringBuffer::create(length);
+ memcpy(m_buffer->mutableData(), buffer->data(), length);
}
bool operator==(const CString& a, const CString& b)
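Review bot: The rewritten copyBufferIfNeeded copies `buffer->length()` bytes without saying what that count covers; judging from init, which allocates `length + 1` and writes the terminator into the last slot, CStringBuffer::length() presumably includes the trailing NUL, so the copy carries the terminator over. A comment such as `// length() counts the trailing NUL allocated by init/newUninitialized, so the copy stays terminated.` makes that invariant explicit; confirm it against CStringBuffer, which is not visible here. The switch from `int len` to `size_t length` is the actual hardening in this hunk and is correct.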
diff --git a/JavaScriptCore/wtf/text/WTFString.cpp b/JavaScriptCore/wtf/text/WTFString.cpp
index 5161477..75ea42d 100644
--- a/JavaScriptCore/wtf/text/WTFString.cpp
+++ b/JavaScriptCore/wtf/text/WTFString.cpp
@@ -1,6 +1,6 @@
/*
* (C) 1999 Lars Knoll (knoll at kde.org)
- * Copyright (C) 2004, 2005, 2006, 2007, 2008 Apple Inc. All rights reserved.
+ * Copyright (C) 2004, 2005, 2006, 2007, 2008, 2010 Apple Inc. All rights reserved.
* Copyright (C) 2007-2009 Torch Mobile, Inc.
*
* This library is free software; you can redistribute it and/or
@@ -22,7 +22,6 @@
#include "config.h"
#include "WTFString.h"
-#include <limits>
#include <stdarg.h>
#include <wtf/ASCIICType.h>
#include <wtf/text/CString.h>
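Review bot: This hunk drops `#include <limits>` while WTFString.cpp keeps using `numeric_limits` in several functions below (the String constructor, the append overloads, fromUTF8, toIntegralType), so the build now relies on a transitive include from WTFString.h or another header. I cannot see those headers from here, so this may already compile, but keeping `#include <limits>` costs nothing and follows include-what-you-use; if it was removed deliberately because a WTF header guarantees it, a short comment there would justify the dependency.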
@@ -32,6 +31,8 @@
#include <wtf/unicode/UTF8.h>
#include <wtf/unicode/Unicode.h>
+using namespace std;
+
namespace WTF {
using namespace Unicode;
@@ -52,7 +53,7 @@ String::String(const UChar* str)
while (str[len] != UChar(0))
len++;
- if (len > std::numeric_limits<unsigned>::max())
+ if (len > numeric_limits<unsigned>::max())
CRASH();
m_impl = StringImpl::create(str, len);
@@ -82,8 +83,9 @@ void String::append(const String& str)
if (str.m_impl) {
if (m_impl) {
UChar* data;
- RefPtr<StringImpl> newImpl =
- StringImpl::createUninitialized(m_impl->length() + str.length(), data);
+ if (str.length() > numeric_limits<unsigned>::max() - m_impl->length())
+ CRASH();
+ RefPtr<StringImpl> newImpl = StringImpl::createUninitialized(m_impl->length() + str.length(), data);
memcpy(data, m_impl->characters(), m_impl->length() * sizeof(UChar));
memcpy(data + m_impl->length(), str.characters(), str.length() * sizeof(UChar));
m_impl = newImpl.release();
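Review bot: The check added to String::append(const String&) guards the `unsigned` sum correctly, but the hunk then computes `m_impl->length() * sizeof(UChar)` for memcpy, which on a 32-bit build wraps in size_t for lengths near 2^32; correctness therefore rests on StringImpl::createUninitialized (outside this hunk) refusing any length whose byte size cannot be allocated, which it presumably does, but a comment stating that assumption would help the next reader. Stylistically, `m_impl->length()` and `str.length()` are evaluated six times within a few lines; hoisting them once as `unsigned length = m_impl->length(); unsigned appendLength = str.length();` lets the guard and both memcpy calls read against the same values. The function starts and ends outside the hunk.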
@@ -100,8 +102,9 @@ void String::append(char c)
// call to fastMalloc every single time.
if (m_impl) {
UChar* data;
- RefPtr<StringImpl> newImpl =
- StringImpl::createUninitialized(m_impl->length() + 1, data);
+ if (m_impl->length() >= numeric_limits<unsigned>::max())
+ CRASH();
+ RefPtr<StringImpl> newImpl = StringImpl::createUninitialized(m_impl->length() + 1, data);
memcpy(data, m_impl->characters(), m_impl->length() * sizeof(UChar));
data[m_impl->length()] = c;
m_impl = newImpl.release();
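Review bot: The `if (m_impl)` branch of append(char) now duplicates the guard, allocation and copy of append(UChar) directly below it, differing only in the type of `c`; since `data[m_impl->length()] = c` already converts the char to UChar by ordinary integral conversion, this branch could simply do `append(static_cast<UChar>(c)); return;` and leave one copy of the overflow check to maintain. Be aware that the conversion sign-extends a negative `char` into a UChar such as 0xFFE9 rather than a Latin-1 code point; that is pre-existing behaviour in this branch, but the `else` branch outside the hunk is not visible and may convert differently, so only this branch should delegate. The function starts and ends outside the hunk.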
@@ -117,8 +120,9 @@ void String::append(UChar c)
// call to fastMalloc every single time.
if (m_impl) {
UChar* data;
- RefPtr<StringImpl> newImpl =
- StringImpl::createUninitialized(m_impl->length() + 1, data);
+ if (m_impl->length() >= numeric_limits<unsigned>::max())
+ CRASH();
+ RefPtr<StringImpl> newImpl = StringImpl::createUninitialized(m_impl->length() + 1, data);
memcpy(data, m_impl->characters(), m_impl->length() * sizeof(UChar));
data[m_impl->length()] = c;
m_impl = newImpl.release();
@@ -178,10 +182,9 @@ void String::append(const UChar* charactersToAppend, unsigned lengthToAppend)
ASSERT(charactersToAppend);
UChar* data;
- if (lengthToAppend > std::numeric_limits<unsigned>::max() - length())
+ if (lengthToAppend > numeric_limits<unsigned>::max() - length())
CRASH();
- RefPtr<StringImpl> newImpl =
- StringImpl::createUninitialized(length() + lengthToAppend, data);
+ RefPtr<StringImpl> newImpl = StringImpl::createUninitialized(length() + lengthToAppend, data);
memcpy(data, characters(), length() * sizeof(UChar));
memcpy(data + length(), charactersToAppend, lengthToAppend * sizeof(UChar));
m_impl = newImpl.release();
@@ -201,10 +204,9 @@ void String::insert(const UChar* charactersToInsert, unsigned lengthToInsert, un
ASSERT(charactersToInsert);
UChar* data;
- if (lengthToInsert > std::numeric_limits<unsigned>::max() - length())
+ if (lengthToInsert > numeric_limits<unsigned>::max() - length())
CRASH();
- RefPtr<StringImpl> newImpl =
- StringImpl::createUninitialized(length() + lengthToInsert, data);
+ RefPtr<StringImpl> newImpl = StringImpl::createUninitialized(length() + lengthToInsert, data);
memcpy(data, characters(), position * sizeof(UChar));
memcpy(data + position, charactersToInsert, lengthToInsert * sizeof(UChar));
memcpy(data + position + lengthToInsert, characters() + position, (length() - position) * sizeof(UChar));
@@ -237,8 +239,7 @@ void String::remove(unsigned position, int lengthToRemove)
if (static_cast<unsigned>(lengthToRemove) > length() - position)
lengthToRemove = length() - position;
UChar* data;
- RefPtr<StringImpl> newImpl =
- StringImpl::createUninitialized(length() - lengthToRemove, data);
+ RefPtr<StringImpl> newImpl = StringImpl::createUninitialized(length() - lengthToRemove, data);
memcpy(data, characters(), position * sizeof(UChar));
memcpy(data + position, characters() + position + lengthToRemove,
(length() - lengthToRemove - position) * sizeof(UChar));
@@ -725,7 +726,7 @@ CString String::utf8(bool strict) const
String String::fromUTF8(const char* stringStart, size_t length)
{
- if (length > std::numeric_limits<unsigned>::max())
+ if (length > numeric_limits<unsigned>::max())
CRASH();
if (!stringStart)
@@ -787,8 +788,8 @@ static bool isCharacterAllowedInBase(UChar c, int base)
template <typename IntegralType>
static inline IntegralType toIntegralType(const UChar* data, size_t length, bool* ok, int base)
{
- static const IntegralType integralMax = std::numeric_limits<IntegralType>::max();
- static const bool isSigned = std::numeric_limits<IntegralType>::is_signed;
+ static const IntegralType integralMax = numeric_limits<IntegralType>::max();
+ static const bool isSigned = numeric_limits<IntegralType>::is_signed;
const IntegralType maxMultiplier = integralMax / base;
IntegralType value = 0;
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index a03f129..ef4e476 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,18 @@
+2010-11-15 Darin Adler <darin at apple.com>
+
+ Reviewed by Sam Weinig.
+
+ Harden additional string functions against large lengths
+ https://bugs.webkit.org/show_bug.cgi?id=49574
+
+ * platform/text/TextCodecUTF16.cpp:
+ (WebCore::TextCodecUTF16::encode): Check for length that is
+ too large for size_t.
+
+ * platform/text/TextStream.cpp:
+ (WebCore::TextStream::operator<<): Check for length that is
+ too large for size_t.
+
2010-11-16 Pavel Feldman <pfeldman at chromium.org>
Not reviewed. Touching inspector controller to make gtk / qt happier.
diff --git a/WebCore/platform/text/TextCodecUTF16.cpp b/WebCore/platform/text/TextCodecUTF16.cpp
index 5c23732..95f4dc4 100644
--- a/WebCore/platform/text/TextCodecUTF16.cpp
+++ b/WebCore/platform/text/TextCodecUTF16.cpp
@@ -31,6 +31,8 @@
#include <wtf/text/StringBuffer.h>
#include <wtf/PassOwnPtr.h>
+using namespace std;
+
namespace WebCore {
void TextCodecUTF16::registerEncodingNames(EncodingNameRegistrar registrar)
@@ -115,23 +117,27 @@ String TextCodecUTF16::decode(const char* bytes, size_t length, bool, bool, bool
CString TextCodecUTF16::encode(const UChar* characters, size_t length, UnencodableHandling)
{
+ if (length > numeric_limits<size_t>::max() / 2)
+ CRASH();
+
char* bytes;
CString string = CString::newUninitialized(length * 2, bytes);
// FIXME: CString is not a reasonable data structure for encoded UTF-16, which will have
- // null characters inside it. Perhaps the result of encode should not be a CString?
- if (m_littleEndian)
+ // null characters inside it. Perhaps the result of encode should not be a CString.
+ if (m_littleEndian) {
for (size_t i = 0; i < length; ++i) {
UChar c = characters[i];
bytes[i * 2] = c;
bytes[i * 2 + 1] = c >> 8;
}
- else
+ } else {
for (size_t i = 0; i < length; ++i) {
UChar c = characters[i];
bytes[i * 2] = c >> 8;
bytes[i * 2 + 1] = c;
}
+ }
return string;
}
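Review bot: The new guard in TextCodecUTF16::encode uses a literal `2` that must stay in step with the `length * 2` on the following line and the `i * 2` indexing below; writing it as `if (length > numeric_limits<size_t>::max() / sizeof(UChar))` with `CString::newUninitialized(length * sizeof(UChar), bytes)` ties them together, or at least add `// length * 2 below must not wrap; newUninitialized only guards its own + 1.` The `bytes[i * 2] = c;` stores in the context lines narrow a UChar to char implicitly; that is pre-existing, but `static_cast<char>(c)` would make the intentional truncation explicit now that the function is being reworked.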
diff --git a/WebCore/platform/text/TextStream.cpp b/WebCore/platform/text/TextStream.cpp
index 646de3f..1094fa4 100644
--- a/WebCore/platform/text/TextStream.cpp
+++ b/WebCore/platform/text/TextStream.cpp
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2008 Apple Inc. All rights reserved.
+ * Copyright (C) 2004, 2008, 2010 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -29,6 +29,8 @@
#include "PlatformString.h"
#include <wtf/StringExtras.h>
+using namespace std;
+
namespace WebCore {
static const size_t printBufferSize = 100; // large enough for any integer or floating point value in string format, including trailing null character
@@ -84,6 +86,8 @@ TextStream& TextStream::operator<<(const char* string)
{
size_t stringLength = strlen(string);
size_t textLength = m_text.size();
+ if (stringLength > numeric_limits<size_t>::max() - textLength)
+ CRASH();
m_text.grow(textLength + stringLength);
for (size_t i = 0; i < stringLength; ++i)
m_text[textLength + i] = string[i];
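Review bot: The overflow guard added to TextStream::operator<<(const char*) would read better with a comment naming what it protects, since `grow()` is what would otherwise receive the wrapped size: `// textLength + stringLength must not wrap before it reaches grow(); the copy loop would then run past the buffer.` Separately, `strlen(string)` on the first line still dereferences a null `string` unconditionally; pre-existing, but an `ASSERT(string)` beside the new check is cheap. The operator's return statement lies outside the hunk.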