Changeset 55035 in webkit for trunk/JavaScriptCore/runtime/UStringImpl.cpp

Timestamp:

Feb 19, 2010, 3:36:09 PM (15 years ago)

Author:

[email protected]

Message:

JSString::getIndex() calls value() to resolve the string value (is a rope)
to a UString, then passes the result to jsSingleCharacterSubstring without
checking for an exception. In case of out-of-memory the returned UString
is null(), which may result in an out-of-buounds substring being created.
This is bad.

Reviewed by Oliver Hunt.

Simple fix is to be able to get an index from a rope without resolving to
UString. This may be a useful optimization in some test cases.

The same bug exists in some other methods is JSString, these can be fixed
by changing them to call getIndex().

• runtime/JSString.cpp:

(JSC::JSString::resolveRope):
(JSC::JSString::getStringPropertyDescriptor):

• runtime/JSString.h:

(JSC::jsSingleCharacterSubstring):
(JSC::JSString::getIndex):
(JSC::jsSingleCharacterString):
(JSC::JSString::getStringPropertySlot):

• runtime/UStringImpl.cpp:

(JSC::singleCharacterSubstring):

• runtime/UStringImpl.h:

(JSC::UStringImpl::singleCharacterSubstring):

File:

• trunk/JavaScriptCore/runtime/UStringImpl.cpp (modified) (1 diff)

trunk/JavaScriptCore/runtime/UStringImpl.cpp

@@ -150 +150 @@
 }
 
+PassRefPtr<UStringImpl> singleCharacterSubstring(UStringOrRopeImpl* impl, unsigned index)
+{
+top:
+    if (impl->isRope()) {
+        URopeImpl* rope = static_cast<URopeImpl*>(impl);
+        for (unsigned i = 0; i < rope->m_fiberCount; ++i) {
+            UStringOrRopeImpl* currentFiber = rope->fibers(i);
+            unsigned fiberLength = currentFiber->length();
+            if (index < fiberLength) {
+                impl = currentFiber;
+                goto top;
+            }
+            index -= fiberLength;
+        }
+        CRASH();
+    }
+
+    return static_cast<UStringImpl*>(impl)->singleCharacterSubstring(index);
+}
+
 } // namespace JSC