author | Kristian Monsen <kristianm@google.com> | 2010-09-08 12:18:00 +0100 |
---|---|---|
committer | Kristian Monsen <kristianm@google.com> | 2010-09-11 12:08:58 +0100 |
commit | 5ddde30071f639962dd557c453f2ad01f8f0fd00 (patch) | |
tree | 775803c4ab35af50aa5f5472cd1fb95fe9d5152d /JavaScriptCore/wtf/text/StringImpl.cpp | |
parent | 3e63d9b33b753ca86d0765d1b3d711114ba9e34f (diff) | |
Merge WebKit at r66666 : Initial merge by git.
Change-Id: I57dedeb49859adc9c539e760f0e749768c66626f
Diffstat (limited to 'JavaScriptCore/wtf/text/StringImpl.cpp')
-rw-r--r-- | JavaScriptCore/wtf/text/StringImpl.cpp | 31 |
1 files changed, 27 insertions, 4 deletions
diff --git a/JavaScriptCore/wtf/text/StringImpl.cpp b/JavaScriptCore/wtf/text/StringImpl.cpp
index ab0f009..a667525 100644
--- a/JavaScriptCore/wtf/text/StringImpl.cpp
+++ b/JavaScriptCore/wtf/text/StringImpl.cpp
@@ -31,6 +31,8 @@
 #include <wtf/StdLibExtras.h>
 #include <wtf/WTFThreadData.h>
+using namespace std;
+
 namespace WTF {
 using namespace Unicode;
@@ -776,6 +778,10 @@ PassRefPtr<StringImpl> StringImpl::replace(unsigned position, unsigned lengthToR
 if (!lengthToReplace && !lengthToInsert)
 return this;
 UChar* data;
+
+ if ((length() - lengthToReplace) >= (numeric_limits<unsigned>::max() - lengthToInsert))
+ CRASH();
+
 PassRefPtr<StringImpl> newImpl = createUninitialized(length() - lengthToReplace + lengthToInsert, data);
 memcpy(data, characters(), position * sizeof(UChar));
@@ -805,9 +811,18 @@ PassRefPtr<StringImpl> StringImpl::replace(UChar pattern, StringImpl* replacemen
 if (!matchCount)
 return this;
+ if (repStrLength && matchCount > numeric_limits<unsigned>::max() / repStrLength)
+ CRASH();
+
+ unsigned replaceSize = matchCount * repStrLength;
+ unsigned newSize = m_length - matchCount;
+ if (newSize >= (numeric_limits<unsigned>::max() - replaceSize))
+ CRASH();
+
+ newSize += replaceSize;
+
 UChar* data;
- PassRefPtr<StringImpl> newImpl =
- createUninitialized(m_length - matchCount + (matchCount * repStrLength), data);
+ PassRefPtr<StringImpl> newImpl = createUninitialized(newSize, data);
 // Construct the new data
 size_t srcSegmentEnd;
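Review bot: The guards added in the replace() hunks below call `numeric_limits<unsigned>::max()`, but this header hunk adds only `using namespace std;` and no `#include <limits>`; unless that header arrives transitively through wtf/StdLibExtras.h or wtf/WTFThreadData.h, the file now depends on an include it does not name, and an `#include <limits>` next to the existing includes would make the dependency explicit. A file-scope `using namespace std;` also pulls every std name into the translation unit when only one is needed; `using std::numeric_limits;` would be the narrower form.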
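Review bot: The new guard in replace(unsigned, unsigned, StringImpl*) evaluates `length() - lengthToReplace` in unsigned arithmetic, so the bound is only meaningful if `lengthToReplace` has already been clamped to at most `length() - position`; the function's head is outside this hunk, so that clamp cannot be confirmed here and should be checked before relying on it. The `>=` also refuses a result of exactly UINT_MAX, which is stricter than the `>` used in the StringImpl*-pattern overload later in this commit; either is safe, but the two should agree. A one-line comment such as `// Refuse the replacement rather than under-allocate if the new length would wrap at 32 bits.` would record why the process aborts instead of returning.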
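Review bot: The two-stage check in replace(UChar, StringImpl*) — division guard on the product, then a subtraction guard on the sum — is correct but has no comment explaining why both are needed, and `unsigned newSize = m_length - matchCount;` silently relies on `matchCount` never exceeding `m_length` (each match consumes one source character, presumably guaranteed by the counting loop above the hunk, which is not visible here). A comment before the first `if`, such as `// Both matchCount * repStrLength and the final length can wrap at 32 bits; bail out rather than allocate too little.`, would let a reader see the intent without re-deriving it.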
@@ -855,9 +870,17 @@ PassRefPtr<StringImpl> StringImpl::replace(StringImpl* pattern, StringImpl* repl
 if (!matchCount)
 return this;
+ unsigned newSize = m_length - matchCount * patternLength;
+ if (repStrLength && matchCount > numeric_limits<unsigned>::max() / repStrLength)
+ CRASH();
+
+ if (newSize > (numeric_limits<unsigned>::max() - matchCount * repStrLength))
+ CRASH();
+
+ newSize += matchCount * repStrLength;
+
 UChar* data;
- PassRefPtr<StringImpl> newImpl =
- createUninitialized(m_length + matchCount * (repStrLength - patternLength), data);
+ PassRefPtr<StringImpl> newImpl = createUninitialized(newSize, data);
 // Construct the new data
 size_t srcSegmentEnd;
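Review bot: `matchCount * repStrLength` is evaluated twice in replace(StringImpl*, StringImpl*) — once in the comparison and again in `newSize +=` — whereas the UChar-pattern overload in this same commit hoists it into `replaceSize` right after the division guard; mirroring that here keeps the two overloads readable side by side: `unsigned replaceSize = matchCount * repStrLength;`, `if (newSize > (numeric_limits<unsigned>::max() - replaceSize))`, `newSize += replaceSize;`. The first added line, `m_length - matchCount * patternLength`, is itself unchecked, which is only safe if the matches counted above the hunk are non-overlapping so the product never exceeds `m_length`; that counting loop is outside the hunk, so this is assumed rather than seen, and a short comment stating the assumption would help the next reader.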