Fix potential bug in FastSharedBufferReader::getConsecutiveData

Source/platform/SharedBuffer.cpp

 /*
  * Copyright (C) 2006, 2008 Apple Inc. All rights reserved.
  * Copyright (C) Research In Motion Limited 2009-2010. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
@@ skipping 22 matching lines @@
 #undef SHARED_BUFFER_STATS
 
 #ifdef SHARED_BUFFER_STATS
 #include "public/platform/Platform.h"
 #include "public/platform/WebTraceLocation.h"
 #include "wtf/DataLog.h"
 #endif
 
 namespace blink {
 
-static const unsigned segmentSize = 0x1000;
-static const unsigned segmentPositionMask = 0x0FFF;
-
 static inline unsigned segmentIndex(unsigned position)
 {
-    return position / segmentSize;
+    return position / SharedBuffer::kSegmentSize;
 }
 
 static inline unsigned offsetInSegment(unsigned position)
 {
+    const unsigned segmentPositionMask = SharedBuffer::kSegmentSize - 1;
     return position & segmentPositionMask;

[Peter Kasting, 2015/03/25 19:53:11]

This will be safer if you do:

  return position % SharedBuffer::kSegmentSize;

That way if the segment size is changed to a non-power-of-2, the code won't
mysteriously break.

 }
 
 static inline char* allocateSegment()
 {
-    return static_cast<char*>(fastMalloc(segmentSize));
+    return static_cast<char*>(fastMalloc(SharedBuffer::kSegmentSize));
 }
 
 static inline void freeSegment(char* p)
 {
     fastFree(p);
 }
 
 #ifdef SHARED_BUFFER_STATS
 
 static Mutex& statsMutex()
@@ skipping 171 matching lines @@
 void SharedBuffer::append(const char* data, unsigned length)
 {
     ASSERT(isLocked());
     if (!length)
         return;
 
     ASSERT(m_size >= m_buffer.size());
     unsigned positionInSegment = offsetInSegment(m_size - m_buffer.size());
     m_size += length;
 
-    if (m_size <= segmentSize) {
+    if (m_size <= kSegmentSize) {
         // No need to use segments for small resource data.
         m_buffer.append(data, length);
         return;
     }
 
     char* segment;
     if (!positionInSegment) {
         segment = allocateSegment();
         m_segments.append(segment);
     } else
         segment = m_segments.last() + positionInSegment;
 
-    unsigned segmentFreeSpace = segmentSize - positionInSegment;
+    unsigned segmentFreeSpace = kSegmentSize - positionInSegment;
     unsigned bytesToCopy = std::min(length, segmentFreeSpace);
 
     for (;;) {
         memcpy(segment, data, bytesToCopy);
         if (static_cast<unsigned>(length) == bytesToCopy)
             break;
 
         length -= bytesToCopy;
         data += bytesToCopy;
         segment = allocateSegment();
         m_segments.append(segment);
-        bytesToCopy = std::min(length, segmentSize);
+        bytesToCopy = std::min(length, kSegmentSize);
     }
 }
 
 void SharedBuffer::append(const Vector<char>& data)
 {
     append(data.data(), data.size());
 }
 
 void SharedBuffer::clear()
 {
@@ skipping 22 matching lines @@
     }
     return clone.release();
 }
 
 void SharedBuffer::mergeSegmentsIntoBuffer() const
 {
     unsigned bufferSize = m_buffer.size();
     if (m_size > bufferSize) {
         unsigned bytesLeft = m_size - bufferSize;
         for (unsigned i = 0; i < m_segments.size(); ++i) {
-            unsigned bytesToCopy = std::min(bytesLeft, segmentSize);
+            unsigned bytesToCopy = std::min(bytesLeft, kSegmentSize);
             m_buffer.append(m_segments[i], bytesToCopy);
             bytesLeft -= bytesToCopy;
             freeSegment(m_segments[i]);
         }
         m_segments.clear();
     }
 }
 
 unsigned SharedBuffer::getSomeData(const char*& someData, unsigned position) const
 {
     ASSERT(isLocked());
     unsigned totalSize = size();
     if (position >= totalSize) {
         someData = 0;
         return 0;
     }
 
     ASSERT_WITH_SECURITY_IMPLICATION(position < m_size);
     unsigned consecutiveSize = m_buffer.size();
     if (position < consecutiveSize) {
         someData = m_buffer.data() + position;
         return consecutiveSize - position;
     }
 
     position -= consecutiveSize;
     unsigned segments = m_segments.size();
-    unsigned maxSegmentedSize = segments * segmentSize;
+    unsigned maxSegmentedSize = segments * kSegmentSize;
     unsigned segment = segmentIndex(position);
     if (segment < segments) {
         unsigned bytesLeft = totalSize - consecutiveSize;
         unsigned segmentedSize = std::min(maxSegmentedSize, bytesLeft);
 
         unsigned positionInSegment = offsetInSegment(position);
         someData = m_segments[segment] + positionInSegment;
-        return segment == segments - 1 ? segmentedSize - position : segmentSize - positionInSegment;
+        return segment == segments - 1 ? segmentedSize - position : kSegmentSize - positionInSegment;
     }
     ASSERT_NOT_REACHED();
     return 0;
 }
 
 bool SharedBuffer::getAsBytes(void* dest, unsigned byteLength) const
 {
     if (!dest || byteLength != size())
         return false;
 
@@ skipping 43 matching lines @@
     mergeSegmentsIntoBuffer();
     m_buffer.unlock();
 }
 
 bool SharedBuffer::isLocked() const
 {
     return m_buffer.isLocked();
 }
 
 } // namespace blink