[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-9427-gc2be6fc

weinig at apple.com weinig at apple.com
Wed Dec 22 13:58:28 UTC 2010


The following commit has been merged in the debian/experimental branch:
commit 576e193f15c39575850d2bcefbae966bfc2ba314
Author: weinig at apple.com <weinig at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Thu Sep 30 18:50:54 2010 +0000

    Add additional checks to StringBuffer.
    <rdar://problem/7756381>
    
    Reviewed by Darin Adler.
    
    * wtf/text/StringBuffer.h:
    (WTF::StringBuffer::StringBuffer):
    (WTF::StringBuffer::resize):
    
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@68812 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/JavaScriptCore/ChangeLog b/JavaScriptCore/ChangeLog
index 6f48a80..7d8d033 100644
--- a/JavaScriptCore/ChangeLog
+++ b/JavaScriptCore/ChangeLog
@@ -1,3 +1,14 @@
+2010-09-29  Sam Weinig  <sam at webkit.org>
+
+        Reviewed by Darin Adler.
+
+        Add additional checks to StringBuffer.
+        <rdar://problem/7756381>
+
+        * wtf/text/StringBuffer.h:
+        (WTF::StringBuffer::StringBuffer):
+        (WTF::StringBuffer::resize):
+
 2010-09-30  Chris Marrin  <cmarrin at apple.com>
 
         Reviewed by Simon Fraser.
diff --git a/JavaScriptCore/wtf/text/StringBuffer.h b/JavaScriptCore/wtf/text/StringBuffer.h
index c29dd79..a546bf3 100644
--- a/JavaScriptCore/wtf/text/StringBuffer.h
+++ b/JavaScriptCore/wtf/text/StringBuffer.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008 Apple Inc. All rights reserved.
+ * Copyright (C) 2008, 2010 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -32,6 +32,7 @@
 #include <wtf/Assertions.h>
 #include <wtf/Noncopyable.h>
 #include <wtf/unicode/Unicode.h>
+#include <limits>
 
 namespace WTF {
 
@@ -39,9 +40,12 @@ class StringBuffer : public Noncopyable {
 public:
     explicit StringBuffer(unsigned length)
         : m_length(length)
-        , m_data(static_cast<UChar*>(fastMalloc(length * sizeof(UChar))))
     {
+        if (m_length > std::numeric_limits<unsigned>::max() / sizeof(UChar))
+            CRASH();
+        m_data = static_cast<UChar*>(fastMalloc(m_length * sizeof(UChar)));
     }
+
     ~StringBuffer()
     {
         fastFree(m_data);
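Review bot: The new guard in the constructor, `if (m_length > std::numeric_limits<unsigned>::max() / sizeof(UChar)) CRASH();`, has no comment saying what it protects, and the identical comparison is repeated in `resize()` in the next hunk. I would add above it `// Reject lengths whose byte count (length * sizeof(UChar)) does not fit in an unsigned, so the buffer is never smaller than m_length characters.` and consider moving the comparison into one private static helper so the two call sites cannot drift apart. Because `m_data` is now assigned in the body instead of the initializer list, it is indeterminate until the `fastMalloc` line; that is harmless only as long as `CRASH()` never returns, which is presumably the case but is not visible in this hunk. The class body continues outside the hunk.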
@@ -55,8 +59,11 @@ public:
 
     void resize(unsigned newLength)
     {
-        if (newLength > m_length)
+        if (newLength > m_length) {
+            if (newLength > std::numeric_limits<unsigned>::max() / sizeof(UChar))
+                CRASH();
             m_data = static_cast<UChar*>(fastRealloc(m_data, newLength * sizeof(UChar)));
+        }
         m_length = newLength;
     }
 
@@ -72,8 +79,8 @@ private:
     UChar* m_data;
 };
 
-}
+} // namespace WTF
 
 using WTF::StringBuffer;
 
-#endif
+#endif // StringBuffer_h

-- 
WebKit Debian packaging


