summaryrefslogtreecommitdiffstats
path: root/JavaScriptCore/wtf/text/StringImpl.cpp
diff options
context:
space:
mode:
Diffstat (limited to 'JavaScriptCore/wtf/text/StringImpl.cpp')
-rw-r--r--JavaScriptCore/wtf/text/StringImpl.cpp31
1 files changed, 27 insertions, 4 deletions
diff --git a/JavaScriptCore/wtf/text/StringImpl.cpp b/JavaScriptCore/wtf/text/StringImpl.cpp
index ab0f009..a667525 100644
--- a/JavaScriptCore/wtf/text/StringImpl.cpp
+++ b/JavaScriptCore/wtf/text/StringImpl.cpp
@@ -31,6 +31,8 @@
#include <wtf/StdLibExtras.h>
#include <wtf/WTFThreadData.h>
+using namespace std;
+
namespace WTF {
using namespace Unicode;
@@ -776,6 +778,10 @@ PassRefPtr<StringImpl> StringImpl::replace(unsigned position, unsigned lengthToR
if (!lengthToReplace && !lengthToInsert)
return this;
UChar* data;
+
+ if ((length() - lengthToReplace) >= (numeric_limits<unsigned>::max() - lengthToInsert))
+ CRASH();
+
PassRefPtr<StringImpl> newImpl =
createUninitialized(length() - lengthToReplace + lengthToInsert, data);
memcpy(data, characters(), position * sizeof(UChar));
@@ -805,9 +811,18 @@ PassRefPtr<StringImpl> StringImpl::replace(UChar pattern, StringImpl* replacemen
if (!matchCount)
return this;
+ if (repStrLength && matchCount > numeric_limits<unsigned>::max() / repStrLength)
+ CRASH();
+
+ unsigned replaceSize = matchCount * repStrLength;
+ unsigned newSize = m_length - matchCount;
+ if (newSize >= (numeric_limits<unsigned>::max() - replaceSize))
+ CRASH();
+
+ newSize += replaceSize;
+
UChar* data;
- PassRefPtr<StringImpl> newImpl =
- createUninitialized(m_length - matchCount + (matchCount * repStrLength), data);
+ PassRefPtr<StringImpl> newImpl = createUninitialized(newSize, data);
// Construct the new data
size_t srcSegmentEnd;
@@ -855,9 +870,17 @@ PassRefPtr<StringImpl> StringImpl::replace(StringImpl* pattern, StringImpl* repl
if (!matchCount)
return this;
+ unsigned newSize = m_length - matchCount * patternLength;
+ if (repStrLength && matchCount > numeric_limits<unsigned>::max() / repStrLength)
+ CRASH();
+
+ if (newSize > (numeric_limits<unsigned>::max() - matchCount * repStrLength))
+ CRASH();
+
+ newSize += matchCount * repStrLength;
+
UChar* data;
- PassRefPtr<StringImpl> newImpl =
- createUninitialized(m_length + matchCount * (repStrLength - patternLength), data);
+ PassRefPtr<StringImpl> newImpl = createUninitialized(newSize, data);
// Construct the new data
size_t srcSegmentEnd;
generated by cgit v1.1 at 2025-06-01 01:29:38 +0000