Changeset 54925 in webkit for trunk/JavaScriptCore/runtime

Timestamp:

Feb 17, 2010, 9:07:41 PM (15 years ago)

Author:

[email protected]

Message:

​https://bugs.webkit.org/show_bug.cgi?id=35070
Addition of 2 strings of length 2^{31 may result in a string of length 0.}

Reviewed by Oliver Hunt.

Check for overflow when creating a new JSString as a result of an addition
or concatenation, throw an out of memory exception.

• runtime/JSString.h:

(JSC::):

• runtime/Operations.h:

(JSC::jsString):

Location:

trunk/JavaScriptCore/runtime

Files:

• JSString.h (modified) (1 diff)
• Operations.h (modified) (7 diffs)

trunk/JavaScriptCore/runtime/JSString.h

@@ -105 +105 @@
             }
 
+            unsigned length() { return m_rope->length(); }
+
         private:
             unsigned m_index;

trunk/JavaScriptCore/runtime/Operations.h

@@ -38 +38 @@
     ALWAYS_INLINE JSValue jsString(ExecState* exec, JSString* s1, JSString* s2)
     {
-        if (!s1->length())
+        unsigned length1 = s1->length();
+        if (!length1)
             return s2;
-        if (!s2->length())
+        unsigned length2 = s2->length();
+        if (!length2)
             return s1;
+        if ((length1 + length2) < length1)
+            return throwOutOfMemoryError(exec);
 
         unsigned fiberCount = s1->fiberCount() + s2->fiberCount();
@@ -59 +63 @@
     ALWAYS_INLINE JSValue jsString(ExecState* exec, const UString& u1, JSString* s2)
     {
+        unsigned length1 = u1.size();
+        if (!length1)
+            return s2;
+        unsigned length2 = s2->length();
+        if (!length2)
+            return jsString(exec, u1);
+        if ((length1 + length2) < length1)
+            return throwOutOfMemoryError(exec);
+
         unsigned fiberCount = 1 + s2->fiberCount();
         JSGlobalData* globalData = &exec->globalData();
@@ -75 +88 @@
     ALWAYS_INLINE JSValue jsString(ExecState* exec, JSString* s1, const UString& u2)
     {
+        unsigned length1 = s1->length();
+        if (!length1)
+            return jsString(exec, u2);
+        unsigned length2 = u2.size();
+        if (!length2)
+            return s1;
+        if ((length1 + length2) < length1)
+            return throwOutOfMemoryError(exec);
+
         unsigned fiberCount = s1->fiberCount() + 1;
         JSGlobalData* globalData = &exec->globalData();
@@ -110 +132 @@
             return throwOutOfMemoryError(exec);
 
+        unsigned length = 0;
+        bool overflow = false;
+
         for (unsigned i = 0; i < count; ++i) {
             JSValue v = strings[i].jsValue();
@@ -116 +141 @@
             else
                 ropeBuilder.append(v.toString(exec));
-        }
+
+            unsigned newLength = ropeBuilder.length();
+            if (newLength < length)
+                overflow = true;
+            length = newLength;
+        }
+
+        if (overflow)
+            return throwOutOfMemoryError(exec);
 
         return new (globalData) JSString(globalData, ropeBuilder.release());
@@ -144 +177 @@
         else
             ropeBuilder.append(thisValue.toString(exec));
+
+        unsigned length = 0;
+        bool overflow = false;
+
         for (unsigned i = 0; i < args.size(); ++i) {
             JSValue v = args.at(i);
@@ -150 +187 @@
             else
                 ropeBuilder.append(v.toString(exec));
-        }
+
+            unsigned newLength = ropeBuilder.length();
+            if (newLength < length)
+                overflow = true;
+            length = newLength;
+        }
+
+        if (overflow)
+            return throwOutOfMemoryError(exec);
 
         JSGlobalData* globalData = &exec->globalData();