Added checks for integer overflow conditions to deleteData and replaceData.

Source/core/dom/CharacterData.cpp

 /*
  * Copyright (C) 1999 Lars Knoll (knoll@kde.org)
  *           (C) 1999 Antti Koivisto (koivisto@kde.org)
  * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008, 2009 Apple Inc. All rights reserved.
  *
  * This library is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Library General Public
  * License as published by the Free Software Foundation; either
  * version 2 of the License, or (at your option) any later version.
  *
@@ skipping 90 matching lines @@
     String newStr = m_data;
     newStr.insert(data, offset);
 
     setDataAndUpdate(newStr, offset, 0, data.length(), recalcStyleBehavior);
 
     document().didInsertText(this, offset, data.length());
 }
 
 void CharacterData::deleteData(unsigned offset, unsigned count, ExceptionState& exceptionState, RecalcStyleBehavior recalcStyleBehavior)
 {
-    if (offset > length()) {
+    const unsigned dataLength = length();
+
+    if (offset > dataLength) {
         exceptionState.throwDOMException(IndexSizeError, "The offset " + String::number(offset) + " is greater than the node's length (" + String::number(length()) + ").");
         return;
     }
 
+    if (count > (dataLength - offset)) {

[sof, 2014/03/19 11:40:18]

If not already, you may want to consider handling overflow checking using
Checked<unsigned, OverflowHandler> instead.

+        exceptionState.throwDOMException(IndexSizeError, "Cannot delete " + String::number(count) + " characters, this is greater than the node's length with the given offset.");
+        return;
+    }
+
     unsigned realCount;
-    if (offset + count > length())
-        realCount = length() - offset;
+    if (offset + count > dataLength)
+        realCount = dataLength - offset;
     else
         realCount = count;
 
     String newStr = m_data;
     newStr.remove(offset, realCount);
 
     setDataAndUpdate(newStr, offset, count, 0, recalcStyleBehavior);
 
     document().didRemoveText(this, offset, realCount);
 }
 
 void CharacterData::replaceData(unsigned offset, unsigned count, const String& data, ExceptionState& exceptionState)
 {
-    if (offset > length()) {
+    const unsigned dataLength = length();
+
+    if (offset > dataLength) {
         exceptionState.throwDOMException(IndexSizeError, "The offset " + String::number(offset) + " is greater than the node's length (" + String::number(length()) + ").");
         return;
     }
 
+    if (count > (dataLength - offset)) {
+        exceptionState.throwDOMException(IndexSizeError, "Cannot replace " + String::number(count) + " characters, this is greater than the node's length with the given offset.");
+        return;
+    }
+
     unsigned realCount;
-    if (offset + count > length())
-        realCount = length() - offset;
+    if (offset + count > dataLength)
+        realCount = dataLength - offset;
     else
         realCount = count;
 
     String newStr = m_data;
     newStr.remove(offset, realCount);
     newStr.insert(data, offset);
 
     setDataAndUpdate(newStr, offset, count, data.length());
 
     // update the markers for spell checking and grammar checking
@@ skipping 55 matching lines @@
 {
     return static_cast<int>(length());
 }
 
 bool CharacterData::offsetInCharacters() const
 {
     return true;
 }
 
 } // namespace WebCore