Fix potential length-miscalculation in %StringBuilderConcat.

src/runtime.cc

 // Copyright 2006-2009 the V8 project authors. All rights reserved.
 // Redistribution and use in source and binary forms, with or without
 // modification, are permitted provided that the following conditions are
 // met:
 //
 //     * Redistributions of source code must retain the above copyright
 //       notice, this list of conditions and the following disclaimer.
 //     * Redistributions in binary form must reproduce the above
 //       copyright notice, this list of conditions and the following
 //       disclaimer in the documentation and/or other materials provided
@@ skipping 1506 matching lines @@
       StringBuilderConcatHelper(*subject_,
                                 char_buffer,
                                 *parts_,
                                 part_count_);
     }
     return joined_string;
   }
 
 
   void IncrementCharacterCount(int by) {
-    if (character_count_ > Smi::kMaxValue - by) {
+    if (character_count_ > String::kMaxLength - by) {
       V8::FatalProcessOutOfMemory("String.replace result too large.");
     }
     character_count_ += by;
   }
 
  private:
 
   Handle<String> NewRawAsciiString(int size) {
     CALL_HEAP_FUNCTION(Heap::AllocateRawAsciiString(size), String);
   }
@@ skipping 1839 matching lines @@
     while (buffer->has_more()) {
       uint16_t character = buffer->GetNext();
       if (character >= 256) {
         escaped_length += 6;
       } else if (IsNotEscaped(character)) {
         escaped_length++;
       } else {
         escaped_length += 3;
       }
       // We don't allow strings that are longer than a maximal length.
+      ASSERT(String::kMaxLength < 0x7fffffff - 6);  // Cannot overflow.
       if (escaped_length > String::kMaxLength) {
         Top::context()->mark_out_of_memory();
         return Failure::OutOfMemoryException();
       }
     }
   }
   // No length change implies no change.  Return original string if no change.
   if (escaped_length == length) {
     return source;
   }
@@ skipping 513 matching lines @@
         // Position and length encoded in two smis.
         Object* obj = fixed_array->get(++i);
         ASSERT(obj->IsSmi());
         pos = Smi::cast(obj)->value();
         len = -encoded_slice;
       }
       String::WriteToFlat(special,
                           sink + position,
                           pos,
                           pos + len);
+      ASSERT(special->length() - position >= len);
       position += len;
     } else {
       String* string = String::cast(element);
       int element_length = string->length();
       String::WriteToFlat(string, sink + position, 0, element_length);
+      ASSERT(special->length() - position >= element_length);
       position += element_length;
     }
   }
 }
 
 
 static Object* Runtime_StringBuilderConcat(Arguments args) {
   NoHandleAllocation ha;
   ASSERT(args.length() == 3);
   CONVERT_CHECKED(JSArray, array, args[0]);
@@ skipping 18 matching lines @@
 
   if (array_length == 0) {
     return Heap::empty_string();
   } else if (array_length == 1) {
     Object* first = fixed_array->get(0);
     if (first->IsString()) return first;
   }
 
   bool ascii = special->IsAsciiRepresentation();
   int position = 0;
+  int increment = 0;
   for (int i = 0; i < array_length; i++) {
     Object* elt = fixed_array->get(i);
     if (elt->IsSmi()) {
       // Smi encoding of position and length.
       int len = Smi::cast(elt)->value();
       if (len > 0) {
         // Position and length encoded in one smi.
         int pos = len >> 11;
         len &= 0x7ff;
         if (pos + len > special_length) {
           return Top::Throw(Heap::illegal_argument_symbol());
         }
-        position += len;
+        increment = len;
       } else {
         // Position and length encoded in two smis.
-        position += (-len);
+        increment = (-len);
         // Get the position and check that it is also a smi.
         i++;
         if (i >= array_length) {
           return Top::Throw(Heap::illegal_argument_symbol());
         }
         Object* pos = fixed_array->get(i);
         if (!pos->IsSmi()) {
           return Top::Throw(Heap::illegal_argument_symbol());
         }
       }
     } else if (elt->IsString()) {
       String* element = String::cast(elt);
       int element_length = element->length();
-      position += element_length;
+      increment = element_length;
       if (ascii && !element->IsAsciiRepresentation()) {
         ascii = false;
       }
     } else {
       return Top::Throw(Heap::illegal_argument_symbol());
     }
-    if (position > String::kMaxLength) {
+    if (increment > String::kMaxLength - position) {
       Top::context()->mark_out_of_memory();
       return Failure::OutOfMemoryException();
     }
+    position += increment;
   }
 
   int length = position;
   Object* object;
 
   if (ascii) {
     object = Heap::AllocateRawAsciiString(length);
     if (object->IsFailure()) return object;
     SeqAsciiString* answer = SeqAsciiString::cast(object);
     StringBuilderConcatHelper(special,
@@ skipping 4064 matching lines @@
   } else {
     // Handle last resort GC and make sure to allow future allocations
     // to grow the heap without causing GCs (if possible).
     Counters::gc_last_resort_from_js.Increment();
     Heap::CollectAllGarbage(false);
   }
 }
 
 
 } }  // namespace v8::internal