Changeset 48247 in webkit for trunk/JavaScriptCore/wtf


Timestamp: Sep 10, 2009, 1:51:29 AM
Author: [email protected]
Message:

2009-09-10 Ben Laurie <[email protected]>

Reviewed by Adam Barth.

<https://bugs.webkit.org/show_bug.cgi?id=26836>

If dtoa was given a small buffer and the number was either infinite or
NaN, then the buffer would be overflowed.

  • wtf/dtoa.cpp:
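As an added example (not part of this changeset or of WebKit's dtoa.cpp), the following C program models the before and after behaviour the message describes on a pair of simplified formatters with hypothetical names, `format_nonfinite_unbounded` (the old `strcpy` path, kept deliberately overflowing) and `format_nonfinite_bounded` (the `strncpy` path from the patch). It classifies Inf versus NaN with the same all-ones-exponent test dtoa uses, just on the full 64-bit word instead of `word0`/`word1`, and uses a canary region after the buffer to show which version writes past the `ndigits + 1` bytes the patched code requires the caller to provide.

```c
#include <math.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* IEEE-754 double layout: sign(1) | exponent(11) | fraction(52).
 * An all-ones exponent marks Inf or NaN; a zero fraction then means Inf.
 * dtoa.cpp tests the same thing on the high 32-bit word (Exp_mask and
 * 0xfffff) plus the low word; here the whole 64-bit pattern is used. */
#define EXP_MASK  0x7ff0000000000000ULL
#define FRAC_MASK 0x000fffffffffffffULL

static uint64_t double_bits(double d) {
    uint64_t u;
    memcpy(&u, &d, sizeof u);  /* bit copy, no strict-aliasing issues */
    return u;
}

/* Text dtoa emits for a non-finite value, or NULL for finite values.
 * The sign bit is outside EXP_MASK, so -Infinity is classified too. */
static const char *nonfinite_text(double d) {
    uint64_t bits = double_bits(d);
    if ((bits & EXP_MASK) != EXP_MASK)
        return NULL;
    return (bits & FRAC_MASK) ? "NaN" : "Infinity";
}

/* Pre-r48247 behaviour, deliberately kept: the copy ignores ndigits, so
 * "Infinity" always writes 9 bytes (8 characters plus terminator) and
 * "NaN" always writes 4, whatever the caller allotted.
 * Returns 1 if the value was non-finite and text was written, else 0. */
int format_nonfinite_unbounded(double d, char *result, size_t ndigits) {
    const char *text = nonfinite_text(d);
    (void)ndigits;
    if (!text) return 0;
    strcpy(result, text);
    return 1;
}

/* r48247 behaviour: at most ndigits characters, then a terminator at
 * result[ndigits]. The caller must therefore supply ndigits + 1 bytes;
 * with ndigits < 8 "Infinity" is silently truncated (e.g. to "Inf"). */
int format_nonfinite_bounded(double d, char *result, size_t ndigits) {
    const char *text = nonfinite_text(d);
    if (!text) return 0;
    strncpy(result, text, ndigits);
    result[ndigits] = '\0';
    return 1;
}

#define ARENA 64
#define FILL  0xAA

/* Lay out the result buffer (ndigits + 1 bytes) followed by a canary
 * inside one arena (so an overrun is observable without undefined
 * behaviour), run the formatter, and report whether the canary changed.
 * Returns 1 if intact, 0 if the formatter wrote past its allotment,
 * -1 if ndigits does not fit this toy arena. */
int canary_survives(int (*fmt)(double, char *, size_t), double d, size_t ndigits) {
    unsigned char arena[ARENA];
    size_t alloc = ndigits + 1;
    if (alloc >= ARENA) return -1;
    memset(arena, FILL, sizeof arena);
    fmt(d, (char *)arena, ndigits);
    for (size_t i = alloc; i < sizeof arena; i++)
        if (arena[i] != FILL) return 0;
    return 1;
}

int main(void) {
    double inf = INFINITY, qnan = NAN;
    char out[16];

    format_nonfinite_bounded(inf, out, 3);
    printf("bounded, ndigits=3, Infinity -> \"%s\"\n", out);
    printf("old code, Infinity, 3-digit budget, canary intact: %d\n",
           canary_survives(format_nonfinite_unbounded, inf, 3));
    printf("new code, Infinity, 3-digit budget, canary intact: %d\n",
           canary_survives(format_nonfinite_bounded, inf, 3));
    printf("old code, NaN, 2-digit budget, canary intact: %d\n",
           canary_survives(format_nonfinite_unbounded, qnan, 2));
    printf("new code, NaN, 2-digit budget, canary intact: %d\n",
           canary_survives(format_nonfinite_bounded, qnan, 2));
    return 0;
}
```

The NaN case shows why the bug was easy to miss: with a budget of three digits `"NaN"` plus its terminator fits exactly, and only a smaller budget or the eight-character `"Infinity"` overruns the buffer.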
File:
1 edited

  • trunk/JavaScriptCore/wtf/dtoa.cpp

    r45700 r48247  
    19051905        *sign = 0;
    19061906
    1907     if ((word0(&u) & Exp_mask) == Exp_mask)
    1908     {
     1907    if ((word0(&u) & Exp_mask) == Exp_mask) {
    19091908        /* Infinity or NaN */
    19101909        *decpt = 9999;
    1911         if (!word1(&u) && !(word0(&u) & 0xfffff))
    1912             strcpy(result, "Infinity");
    1913         else
    1914             strcpy(result, "NaN");
     1910        if (!word1(&u) && !(word0(&u) & 0xfffff)) {
     1911            strncpy(result, "Infinity", ndigits);
     1912            result[ndigits] = '\0';
     1913        } else {
     1914            strncpy(result, "NaN", ndigits);
     1915            result[ndigits] = '\0';
     1916        }
    19151917        return;
    19161918    }
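Review bot: the new `result[ndigits] = '\0';` on lines 1912 and 1915 writes one byte past the `ndigits` characters `strncpy` was allowed, so every caller must hand in a buffer of at least `ndigits + 1` bytes; that contract is not stated anywhere in the hunk and deserves a comment (or an assertion on the buffer size at the call sites) so the next caller with an `ndigits`-byte buffer does not reintroduce an off-by-one. Two smaller points on the same lines: with `ndigits < 8` the text is silently truncated ("Infinity" becomes "Inf"), which callers that match on the full token will need to know about, and when `ndigits` exceeds the string length `strncpy` zero-fills up to `ndigits`, which is harmless here but makes the explicit terminator redundant in that case only.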