author | Steve Block <steveblock@google.com> | 2011-11-16 15:56:13 +0000 |
---|---|---|
committer | Steve Block <steveblock@google.com> | 2011-11-21 18:37:20 +0000 |
commit | 96309385b22eca3b1ff3eb9d30bea0958ce47875 (patch) | |
tree | 9a5d5e3a64a3a6af5c146ddb9fdc8d876d9ccd2d | |
parent | f63b0fca2c4bfc215ae70840295b3910c8d61aa1 (diff) | |
Fix JavaBridge to handle overflow of array length
When converting to a Java array type, if the length property of a Java Object
is outside the bounds for a Java array, convert to null.
Also convert to null if the length property is not a number.
Bug: 5626284
Change-Id: Ic4029d58cebe2cab9a37d52af09456c3cab6e5cd
-rw-r--r-- | Source/WebCore/bridge/jni/v8/JNIUtilityPrivate.cpp | 15 |
1 files changed, 10 insertions, 5 deletions
diff --git a/Source/WebCore/bridge/jni/v8/JNIUtilityPrivate.cpp b/Source/WebCore/bridge/jni/v8/JNIUtilityPrivate.cpp
index 2425613..15b4bda 100644
--- a/Source/WebCore/bridge/jni/v8/JNIUtilityPrivate.cpp
+++ b/Source/WebCore/bridge/jni/v8/JNIUtilityPrivate.cpp
@@ -72,11 +72,16 @@ JavaValue convertNPVariantToJavaValue(NPVariant value, const String& javaClass)
 break;
 }
- jsize length = 0;
- if (NPVARIANT_IS_INT32(npvLength))
- length = static_cast<jsize>(NPVARIANT_TO_INT32(npvLength));
- else if (NPVARIANT_IS_DOUBLE(npvLength))
- length = static_cast<jsize>(NPVARIANT_TO_DOUBLE(npvLength));
+ // Convert to null if the length property is not a number.
+ if (!NPVARIANT_IS_INT32(npvLength) && !NPVARIANT_IS_DOUBLE(npvLength))
+ break;
+
+ // Convert to null if the length property is out of bounds.
+ double doubleLength = NPVARIANT_IS_INT32(npvLength) ? NPVARIANT_TO_INT32(npvLength) : NPVARIANT_TO_DOUBLE(npvLength);
+ if (doubleLength < 0.0 || doubleLength > INT32_MAX)
+ break;
+
+ jsize length = static_cast<jsize>(doubleLength);
 if (!strcmp(javaClassName.data(), "[Ljava.lang.String;")) {
 // Match JSC behavior by only allowing Object arrays if they are Strings.
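Review bot: NaN slips through the new bounds check at `if (doubleLength < 0.0 || doubleLength > INT32_MAX)`, because both comparisons are false for NaN, so the `static_cast<jsize>(doubleLength)` on the following added line converts a value with no integer representation, which is undefined behavior in C++. A `length` property delivered as a double NPVariant can carry NaN, so the guard should reject it explicitly: `if (isnan(doubleLength) || doubleLength < 0.0 || doubleLength > INT32_MAX)` (using `isnan` from WTF's `<wtf/MathExtras.h>` or `std::isnan`, whichever this file already has in scope). A weaker point: a fractional length such as 2.5 is silently truncated to 2 by the cast, which is presumably the intended JS-style coercion but deserves a one-line comment on the cast. Even with the check, any value up to INT32_MAX still flows into the array allocation below the hunk, so the size of that allocation remains script-controlled; if that is accepted, a comment saying so would help the next reader. convertNPVariantToJavaValue begins and ends outside the hunk.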