Changeset 65571 in webkit for trunk/JavaScriptCore/wtf/text/StringImpl.cpp

Timestamp:

Aug 17, 2010, 4:05:50 PM (15 years ago)

Author:

[email protected]

Message:

Bug 44099 - REGRESSION(r65468): Crashes in StringImpl::find

Reviewed by Sam Weinig.

Bug 44080 introuduced a couple of cases in which array bounds could be overrun.
One of these was fixed in r65493, this patch fixes the other and address the
concerns voiced in comment #6 by restructuring the loops to remove the code
dupliction without introducing an additional if check.

• wtf/text/StringImpl.cpp:

(WTF::StringImpl::find):
(WTF::StringImpl::findIgnoringCase):
(WTF::StringImpl::reverseFind):
(WTF::StringImpl::reverseFindIgnoringCase):

File:

• trunk/JavaScriptCore/wtf/text/StringImpl.cpp (modified) (6 diffs)

trunk/JavaScriptCore/wtf/text/StringImpl.cpp

@@ -543 +543 @@
     }
 
-    for (unsigned i = 0; i < delta; ++i) {
-        if (searchHash == matchHash && equal(searchCharacters + i, matchString, matchLength))
-            return index + i;
+    unsigned i = 0;
+    // keep looping until we match
+    while (searchHash != matchHash || !equal(searchCharacters + i, matchString, matchLength)) {
+        if (i == delta)
+            return notFound;
         searchHash += searchCharacters[i + matchLength];
         searchHash -= searchCharacters[i];
-    }
-    if (searchHash == matchHash && equal(searchCharacters + delta, matchString, matchLength))
-        return index + delta;
-    return notFound;
+        ++i;
+    }
+    return index + i;
 }
 
@@ -574 +575 @@
     const UChar* searchCharacters = characters() + index;
 
-    for (unsigned i = 0; i <= delta; ++i) {
-        if (equalIgnoringCase(searchCharacters + i, matchString, matchLength))
-            return index + i;
-    }
-    return notFound;
+    unsigned i = 0;
+    // keep looping until we match
+    while (!equalIgnoringCase(searchCharacters + i, matchString, matchLength)) {
+        if (i == delta)
+            return notFound;
+        ++i;
+    }
+    return index + i;
 }
 
@@ -615 +619 @@
     }
 
-    for (unsigned i = 0; i <= delta; ++i) {
-        if (searchHash == matchHash && memcmp(searchCharacters + i, matchCharacters, matchLength * sizeof(UChar)) == 0)
-            return index + i;
+    unsigned i = 0;
+    // keep looping until we match
+    while (searchHash != matchHash || memcmp(searchCharacters + i, matchCharacters, matchLength * sizeof(UChar))) {
+        if (i == delta)
+            return notFound;
         searchHash += searchCharacters[i + matchLength];
         searchHash -= searchCharacters[i];
-    }
-    return notFound;
+        ++i;
+    }
+    return index + i;
 }
 
@@ -645 +652 @@
     const UChar* matchCharacters = matchString->characters();
 
-    for (unsigned i = 0; i <= delta; ++i) {
-        if (equalIgnoringCase(searchCharacters + i, matchCharacters, matchLength))
-            return index + i;
-    }
-    return notFound;
+    unsigned i = 0;
+    // keep looping until we match
+    while (!equalIgnoringCase(searchCharacters + i, matchCharacters, matchLength)) {
+        if (i == delta)
+            return notFound;
+        ++i;
+    }
+    return index + i;
 }
 
@@ -688 +698 @@
     }
 
+    // keep looping until we match
     while (searchHash != matchHash || memcmp(searchCharacters + delta, matchCharacters, matchLength * sizeof(UChar))) {
-        if (!delta--)
+        if (!delta)
             return notFound;
+        delta--;
         searchHash -= searchCharacters[delta + matchLength];
         searchHash += searchCharacters[delta];
@@ -715 +727 @@
     const UChar *matchCharacters = matchString->characters();
 
+    // keep looping until we match
     while (!equalIgnoringCase(searchCharacters + delta, matchCharacters, matchLength)) {
-        if (!delta--)
+        if (!delta)
             return notFound;
+        delta--;
     }
     return delta;