Changeset 55035 in webkit for trunk/JavaScriptCore/runtime/UStringImpl.h

Timestamp:

Feb 19, 2010, 3:36:09 PM (15 years ago)

Author:

[email protected]

Message:

JSString::getIndex() calls value() to resolve the string value (is a rope)
to a UString, then passes the result to jsSingleCharacterSubstring without
checking for an exception. In case of out-of-memory the returned UString
is null(), which may result in an out-of-buounds substring being created.
This is bad.

Reviewed by Oliver Hunt.

Simple fix is to be able to get an index from a rope without resolving to
UString. This may be a useful optimization in some test cases.

The same bug exists in some other methods is JSString, these can be fixed
by changing them to call getIndex().

• runtime/JSString.cpp:

(JSC::JSString::resolveRope):
(JSC::JSString::getStringPropertyDescriptor):

• runtime/JSString.h:

(JSC::jsSingleCharacterSubstring):
(JSC::JSString::getIndex):
(JSC::jsSingleCharacterString):
(JSC::JSString::getStringPropertySlot):

• runtime/UStringImpl.cpp:

(JSC::singleCharacterSubstring):

• runtime/UStringImpl.h:

(JSC::UStringImpl::singleCharacterSubstring):

File:

• trunk/JavaScriptCore/runtime/UStringImpl.h (modified) (3 diffs)

trunk/JavaScriptCore/runtime/UStringImpl.h

@@ -213 +213 @@
     }
 
+    PassRefPtr<UStringImpl> singleCharacterSubstring(unsigned index) { ASSERT(index < length()); return create(this, index, 1); }
+
 private:
     // For SmallStringStorage, which allocates an array and uses an in-place new.
@@ -343 +345 @@
 
     friend class UStringOrRopeImpl;
+    friend PassRefPtr<UStringImpl> singleCharacterSubstring(UStringOrRopeImpl* ropeoid, unsigned index);
 };
 
@@ -355 +358 @@
 bool equal(const UStringImpl*, const UStringImpl*);
 
+PassRefPtr<UStringImpl> singleCharacterSubstring(UStringOrRopeImpl* ropeoid, unsigned index);
+
 }