Changeset 55035 in webkit for trunk/JavaScriptCore/runtime/JSString.cpp

Timestamp:

Feb 19, 2010, 3:36:09 PM (15 years ago)

Author:

[email protected]

Message:

JSString::getIndex() calls value() to resolve the string value (is a rope)
to a UString, then passes the result to jsSingleCharacterSubstring without
checking for an exception. In case of out-of-memory the returned UString
is null(), which may result in an out-of-buounds substring being created.
This is bad.

Reviewed by Oliver Hunt.

Simple fix is to be able to get an index from a rope without resolving to
UString. This may be a useful optimization in some test cases.

The same bug exists in some other methods is JSString, these can be fixed
by changing them to call getIndex().

• runtime/JSString.cpp:

(JSC::JSString::resolveRope):
(JSC::JSString::getStringPropertyDescriptor):

• runtime/JSString.h:

(JSC::jsSingleCharacterSubstring):
(JSC::JSString::getIndex):
(JSC::jsSingleCharacterString):
(JSC::JSString::getStringPropertySlot):

• runtime/UStringImpl.cpp:

(JSC::singleCharacterSubstring):

• runtime/UStringImpl.h:

(JSC::UStringImpl::singleCharacterSubstring):

File:

• trunk/JavaScriptCore/runtime/JSString.cpp (modified) (2 diffs)

trunk/JavaScriptCore/runtime/JSString.cpp

@@ -51 +51 @@
         m_value = newImpl;
     else {
-        for (unsigned i = 0; i < m_fiberCount; ++i) {
-            m_other.m_fibers[i]->deref();
-            m_other.m_fibers[i] = 0;
-        }
-        m_fiberCount = 0;
-        ASSERT(!isRope());
-        ASSERT(m_value == UString());
         throwOutOfMemoryError(exec);
         return;
@@ -188 +181 @@
     unsigned i = propertyName.toStrictUInt32(&isStrictUInt32);
     if (isStrictUInt32 && i < m_length) {
-        descriptor.setDescriptor(jsSingleCharacterSubstring(exec, value(exec), i), DontDelete | ReadOnly);
+        descriptor.setDescriptor(getIndex(exec, i), DontDelete | ReadOnly);
         return true;
     }