author | Cary Clark <cary@android.com> | 2010-11-30 05:08:37 -0800 |
---|---|---|
committer | Android (Google) Code Review <android-gerrit@google.com> | 2010-11-30 05:08:37 -0800 |
commit | 5793dcc19c1dd5f2f3daacd05646ae237f050e58 (patch) | |
tree | 243aec6c285768034dc968aefd975e7c19b68765 /WebCore | |
parent | 1baa4609252ea42065c4399b9081b2087c8d70a2 (diff) | |
parent | 08c4bdf9c274523d8ccd48bb52b57e4807acd043 (diff) | |
Merge "Do not merge: fix dns prefetch, multiply range" into gingerbread
Diffstat (limited to 'WebCore')
-rw-r--r-- | WebCore/html/HTMLLinkElement.cpp | 2 | ||||
-rw-r--r-- | WebCore/platform/text/StringImpl.cpp | 33 |
2 files changed, 29 insertions, 6 deletions
diff --git a/WebCore/html/HTMLLinkElement.cpp b/WebCore/html/HTMLLinkElement.cpp
index 5376611..dc01486 100644
--- a/WebCore/html/HTMLLinkElement.cpp
+++ b/WebCore/html/HTMLLinkElement.cpp
@@ -212,7 +212,7 @@ void HTMLLinkElement::process() m_isPrecomposedTouchIcon); #endif - if (m_isDNSPrefetch && m_url.isValid() && !m_url.isEmpty()) + if (m_isDNSPrefetch && document()->isDNSPrefetchEnabled() && m_url.isValid() && !m_url.isEmpty()) prefetchDNS(m_url.host()); bool acceptIfTypeContainsTextCSS = document()->page() && document()->page()->settings() && document()->page()->settings()->treatsAnyTextCSSLinkAsStylesheet();
diff --git a/WebCore/platform/text/StringImpl.cpp b/WebCore/platform/text/StringImpl.cpp
index db6152d..7e6aee3 100644
--- a/WebCore/platform/text/StringImpl.cpp
+++ b/WebCore/platform/text/StringImpl.cpp
@@ -42,6 +42,7 @@ using namespace WTF; using namespace Unicode; +using namespace std; namespace WebCore {
@@ -686,6 +687,10 @@ PassRefPtr<StringImpl> StringImpl::replace(unsigned position, unsigned lengthToR if (!lengthToReplace && !lengthToInsert) return this; UChar* data; + + if ((length() - lengthToReplace) >= (numeric_limits<unsigned>::max() - lengthToInsert)) + CRASH(); + + PassRefPtr<StringImpl> newImpl = createUninitialized(length() - lengthToReplace + lengthToInsert, data); memcpy(data, characters(), position * sizeof(UChar));
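Review bot: The new `document()->isDNSPrefetchEnabled()` term in `HTMLLinkElement::process()` carries no comment saying that it is a policy gate, and the reason matters: a DNS-prefetch link makes the resolver look up a host named by page content, so it has to obey whatever the document decided about prefetching. I would add above the `if`: `// Respect the document's DNS prefetch policy; a dns-prefetch link must not trigger lookups the document has disabled.` What `isDNSPrefetchEnabled()` takes into account is not visible in this diff, and process() starts and ends outside the hunk. If other call sites of `prefetchDNS()` exist, they are worth checking for the same gate.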
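Review bot: `using namespace std;` at file scope, next to the existing `using namespace WTF;` and `using namespace Unicode;`, pulls every std name into a translation unit that needs only one of them. The checks added further down use nothing but `numeric_limits`, so `using std::numeric_limits;` (or writing `std::numeric_limits<unsigned>::max()` at the call sites) keeps the change narrower and avoids later ambiguity between std and WTF names. The diff also shows no `#include <limits>`; if that header is only reached transitively, including it explicitly is safer.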
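Review bot: The guard added to `replace(unsigned position, ...)` bounds the new length in UChars, but the buffer it protects is sized in bytes (the `memcpy` right below copies `position * sizeof(UChar)`), so a length just under `numeric_limits<unsigned>::max()` passes this check and relies entirely on `createUninitialized()` to reject a byte size that wraps. That function is outside the diff, so it should be confirmed that it checks the length against the byte size; the same applies to the two `replace()` overloads patched further down. The subtraction `length() - lengthToReplace` is itself unsigned and is only safe if `lengthToReplace` was clamped to `length()` earlier in the function, which starts above the hunk. A comment would pin both assumptions: `// Crash rather than wrap: the new length sizes the buffer filled by the memcpy calls below. Assumes lengthToReplace <= length().`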
@@ -714,10 +719,19 @@ PassRefPtr<StringImpl> StringImpl::replace(UChar pattern, StringImpl* replacemen // If we have 0 matches, we don't have to do any more work if (!matchCount) return this; - + + if (repStrLength && matchCount > numeric_limits<unsigned>::max() / repStrLength) + CRASH(); + + unsigned replaceSize = matchCount * repStrLength; + unsigned newSize = m_length - matchCount; + if (newSize >= (numeric_limits<unsigned>::max() - replaceSize)) + CRASH(); + + newSize += replaceSize; + UChar* data; - PassRefPtr<StringImpl> newImpl = - createUninitialized(m_length - matchCount + (matchCount * repStrLength), data); + PassRefPtr<StringImpl> newImpl = createUninitialized(newSize, data); // Construct the new data int srcSegmentEnd;
@@ -766,8 +780,17 @@ PassRefPtr<StringImpl> StringImpl::replace(StringImpl* pattern, StringImpl* repl return this; UChar* data; - PassRefPtr<StringImpl> newImpl = - createUninitialized(m_length + matchCount * (repStrLength - patternLength), data); + + unsigned newSize = m_length - matchCount * patternLength; + if (repStrLength && matchCount > numeric_limits<unsigned>::max() / repStrLength) + CRASH(); + + if (newSize > (numeric_limits<unsigned>::max() - matchCount * repStrLength)) + CRASH(); + + newSize += matchCount * repStrLength; + + PassRefPtr<StringImpl> newImpl = createUninitialized(newSize, data); // Construct the new data int srcSegmentEnd; |
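Review bot: This is the second of three hand-written copies of the same "old length minus removed plus inserted" overflow check (the others are in `replace(unsigned position, ...)` above and `replace(StringImpl*, StringImpl*)` below), and the copies already disagree: this one and the first crash on `>=`, the last one on `>`. A single file-local helper would keep the boundary identical in all three and give the check one place to document why it crashes instead of wrapping. The sketch below keeps the stricter `>=` boundary and leaves the multiplication check at the call site. The function body continues outside the hunk, and `matchCount` and `repStrLength` are declared above it, so their types should be confirmed as unsigned before reusing this.

```cpp
// Length of a string after dropping `removed` UChars and inserting `added`.
// Crashes instead of wrapping, because the result sizes the destination buffer.
static inline unsigned lengthAfterReplace(unsigned length, unsigned removed, unsigned added)
{
    if (removed > length)
        CRASH();
    unsigned kept = length - removed;
    if (kept >= numeric_limits<unsigned>::max() - added)
        CRASH();
    return kept + added;
}

// … unchanged: early return when matchCount is 0 …
if (repStrLength && matchCount > numeric_limits<unsigned>::max() / repStrLength)
    CRASH();
unsigned newSize = lengthAfterReplace(m_length, matchCount, matchCount * repStrLength);
// … unchanged: UChar* data; createUninitialized(newSize, data) …
```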
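Review bot: The first added statement in `replace(StringImpl* pattern, ...)`, `unsigned newSize = m_length - matchCount * patternLength;`, runs before any check, so it silently depends on `matchCount * patternLength <= m_length`. That presumably holds because matches are counted without overlap and an empty pattern returns early, but both are established above the hunk and deserve a one-line comment here. The removed expression `repStrLength - patternLength` suggests these lengths may be declared as signed `int`; if so, the new comparisons against `numeric_limits<unsigned>::max()` mix signed and unsigned operands and should cast explicitly. The product is also recomputed three times; naming it after the multiplication check, as the `replace(UChar, ...)` hunk does with `unsigned replaceSize = matchCount * repStrLength;`, and comparing with `>=` would make the two overloads read the same.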