
Unified Diff: src/runtime.cc

Issue 521074: Fix potential length-miscalculation in %StringBuilderConcat. (Closed)
Patch Set: Created 10 years, 11 months ago
Index: src/runtime.cc
diff --git a/src/runtime.cc b/src/runtime.cc
index c72322ae2944a05057e225d53ee7cdc46d2bff8e..8b604aaf8c175dcebd88796d1d767e2ad6ee1eaa 100644
--- a/src/runtime.cc
+++ b/src/runtime.cc
@@ -1524,7 +1524,7 @@ class ReplacementStringBuilder {
void IncrementCharacterCount(int by) {
- if (character_count_ > Smi::kMaxValue - by) {
+ if (character_count_ > String::kMaxLength - by) {
V8::FatalProcessOutOfMemory("String.replace result too large.");
}
character_count_ += by;
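Review bot: The rewritten guard `if (character_count_ > String::kMaxLength - by)` is only meaningful when `by` is non-negative; a negative `by` widens the bound instead of tightening it and the subsequent `character_count_ += by` would go unchecked. An `ASSERT(by >= 0);` as the first statement of IncrementCharacterCount would pin that precondition where the check depends on it. The end of the method is not visible in this hunk.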
@@ -3384,6 +3384,7 @@ static Object* Runtime_URIEscape(Arguments args) {
escaped_length += 3;
}
// We don't allow strings that are longer than a maximal length.
+ ASSERT(String::kMaxLength < 0x7fffffff - 6); // Cannot overflow.
if (escaped_length > String::kMaxLength) {
Top::context()->mark_out_of_memory();
return Failure::OutOfMemoryException();
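Review bot: The added `ASSERT(String::kMaxLength < 0x7fffffff - 6);` compares two compile-time constants but is only evaluated in debug builds, so release builds carry no check for the invariant the `// Cannot overflow.` comment relies on. Since both operands are constants, a compile-time assertion (V8's `STATIC_ASSERT`, if this tree has it) would enforce the claim in every configuration at no runtime cost. The loop that grows `escaped_length` starts outside the hunk, so the per-iteration bound that the constant 6 refers to is inferred rather than visible here.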
@@ -3917,11 +3918,13 @@ static inline void StringBuilderConcatHelper(String* special,
sink + position,
pos,
pos + len);
+ ASSERT(special->length() - position >= len);
position += len;
} else {
String* string = String::cast(element);
int element_length = string->length();
String::WriteToFlat(string, sink + position, 0, element_length);
+ ASSERT(special->length() - position >= element_length);
position += element_length;
}
}
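Review bot: Both new assertions run after the `String::WriteToFlat` call whose write they appear to guard, so if the bound is ever violated the out-of-range write to `sink + position` has already happened by the time the ASSERT fires; placing each ASSERT on the line before its `WriteToFlat` turns it into a precondition, e.g. `ASSERT(special->length() - position >= len);` immediately before the first write and the `element_length` form before the second. It is also unclear what `special->length()` bounds here: `position` indexes `sink`, while `special` is the source the slices are copied from, so the condition only constrains the destination if `sink` is sized from `special->length()`, which this hunk does not show — worth a comment stating that relationship if it holds. The helper's signature and the loop header are outside the hunk.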
@@ -3960,6 +3963,7 @@ static Object* Runtime_StringBuilderConcat(Arguments args) {
bool ascii = special->IsAsciiRepresentation();
int position = 0;
+ int increment = 0;
for (int i = 0; i < array_length; i++) {
Object* elt = fixed_array->get(i);
if (elt->IsSmi()) {
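Review bot: `int increment = 0;` is declared outside the `for` loop even though every path that reaches the length check (in the hunks at @@ -3972 and @@ -3989) assigns it fresh or returns, so nothing is meant to survive across iterations. Declaring it as the first statement inside the loop body, `int increment = 0;`, makes that per-iteration contract explicit and lets the compiler flag any future branch that forgets to set it before the check. The loop body continues past this hunk.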
@@ -3972,10 +3976,10 @@ static Object* Runtime_StringBuilderConcat(Arguments args) {
if (pos + len > special_length) {
return Top::Throw(Heap::illegal_argument_symbol());
}
- position += len;
+ increment = len;
} else {
// Position and length encoded in two smis.
- position += (-len);
+ increment = (-len);
// Get the position and check that it is also a smi.
i++;
if (i >= array_length) {
@@ -3989,17 +3993,18 @@ static Object* Runtime_StringBuilderConcat(Arguments args) {
} else if (elt->IsString()) {
String* element = String::cast(elt);
int element_length = element->length();
- position += element_length;
+ increment = element_length;
if (ascii && !element->IsAsciiRepresentation()) {
ascii = false;
}
} else {
return Top::Throw(Heap::illegal_argument_symbol());
}
- if (position > String::kMaxLength) {
+ if (increment > String::kMaxLength - position) {
Top::context()->mark_out_of_memory();
return Failure::OutOfMemoryException();
}
+ position += increment;
}
int length = position;
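Review bot: The new check `if (increment > String::kMaxLength - position)` is the actual overflow fix, but nothing says why the subtraction form was chosen over the old `position > String::kMaxLength` test; a one-line comment above it, `// Compare by subtraction: position + increment could overflow int.`, would keep a later cleanup from reverting it. The check also depends on `increment` being non-negative (string lengths are, and the `-len` branch in the hunk at @@ -3972 presumably only runs for non-positive `len`, which is decided outside that hunk); an `ASSERT(increment >= 0);` just before the comparison would make that assumption checkable. The function continues past this hunk.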
