Timestamp:
Aug 26, 2010, 12:00:53 PM (15 years ago)
Author:
[email protected]
Message:

2010-08-25 Oliver Hunt <[email protected]>

Reviewed by Geoffrey Garen.

Improve overflow handling in StringImpl::Replace
https://bugs.webkit.org/show_bug.cgi?id=42502
<rdar://problem/8203794>

Harden StringImpl::replace against overflow -- I can't see how this
could be abused, but it's better to be safe than sorry.

  • wtf/text/StringImpl.cpp: (WTF::StringImpl::replace):
File:
1 edited

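--- a/trunk/JavaScriptCore/wtf/text/StringImpl.cpp
+++ b/trunk/JavaScriptCore/wtf/text/StringImpl.cpp
@@ -32,4 +32,6 @@
 #include <wtf/WTFThreadData.h>
 
+using namespace std;
+
 namespace WTF {
 
@@ -777,4 +779,8 @@
         return this;
     UChar* data;
+
+    if ((length() - lengthToReplace) >= (numeric_limits<unsigned>::max() - lengthToInsert))
+        CRASH();
+
     PassRefPtr<StringImpl> newImpl =
         createUninitialized(length() - lengthToReplace + lengthToInsert, data);
@@ -806,7 +812,16 @@
         return this;
    
+    if (repStrLength && matchCount > numeric_limits<unsigned>::max() / repStrLength)
+        CRASH();
+
+    unsigned replaceSize = matchCount * repStrLength;
+    unsigned newSize = m_length - matchCount;
+    if (newSize >= (numeric_limits<unsigned>::max() - replaceSize))
+        CRASH();
+
+    newSize += replaceSize;
+
     UChar* data;
-    PassRefPtr<StringImpl> newImpl =
-        createUninitialized(m_length - matchCount + (matchCount * repStrLength), data);
+    PassRefPtr<StringImpl> newImpl = createUninitialized(newSize, data);
 
     // Construct the new data
@@ -856,7 +871,15 @@
         return this;
    
+    unsigned newSize = m_length - matchCount * patternLength;
+    if (repStrLength && matchCount > numeric_limits<unsigned>::max() / repStrLength)
+        CRASH();
+
+    if (newSize > (numeric_limits<unsigned>::max() - matchCount * repStrLength))
+        CRASH();
+
+    newSize += matchCount * repStrLength;
+
     UChar* data;
-    PassRefPtr<StringImpl> newImpl =
-        createUninitialized(m_length + matchCount * (repStrLength - patternLength), data);
+    PassRefPtr<StringImpl> newImpl = createUninitialized(newSize, data);
    
     // Construct the new data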
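Review bot: The new-size guard in the last hunk (new lines 873-880, the StringImpl*-pattern overload) is written differently from the equivalent guard in the UChar-pattern overload two hunks up: it compares with `>` where the other path uses `>=`, and it recomputes `matchCount * repStrLength` in the check and again in the `newSize += ...` line instead of naming the product once after the division check proves it cannot wrap. `>` is the exact overflow condition, so the other two paths are merely one element more conservative and nothing is unsafe, but a reader comparing the three guards will wonder whether the difference is intentional; I would write `unsigned replaceSize = matchCount * repStrLength;` directly after the `CRASH()` on the division check, then `if (newSize > numeric_limits<unsigned>::max() - replaceSize) CRASH();` and `newSize += replaceSize;`, matching the structure of the UChar overload. The subtraction `m_length - matchCount * patternLength` is only safe if the matches counted are non-overlapping so that the product never exceeds `m_length`; that appears to be established by the match loop before this hunk, which is outside the visible diff, so a one-line comment stating that invariant next to the subtraction would save the next reader from re-deriving it. Both enclosing `replace` overloads start and end outside the hunks shown.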