Source/core/dom/CharacterData.cpp - Issue 188693007: Added checks for integer overflow conditions to deleteData and replaceData.

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: Source/core/dom/CharacterData.cpp

Issue 188693007: Added checks for integer overflow conditions to deleteData and replaceData. Base URL: https://chromium.googlesource.com/chromium/blink.git@master

Patch Set: Fixed typo Created 6 years, 9 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

« LayoutTests/fast/dom/Range/deleteData-replaceData-count-overflow.html ('K') | « LayoutTests/fast/dom/Range/deleteData-replaceData-count-overflow-expected.txt ('k') | Source/core/editing/FrameSelection.cpp » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

Index: Source/core/dom/CharacterData.cpp

diff --git a/Source/core/dom/CharacterData.cpp b/Source/core/dom/CharacterData.cpp

index 4b2a386d810f14a7bf786591d64de0a3c7439cbf..36b28b75c841b0c3d0464c57e2a821ee4ac587af 100644

--- a/Source/core/dom/CharacterData.cpp

+++ b/Source/core/dom/CharacterData.cpp

@@ -108,14 +108,21 @@ void CharacterData::insertData(unsigned offset, const String& data, ExceptionSta

void CharacterData::deleteData(unsigned offset, unsigned count, ExceptionState& exceptionState, RecalcStyleBehavior recalcStyleBehavior)

{

- if (offset > length()) {

+ const unsigned dataLength = length();

+ if (offset > dataLength) {

exceptionState.throwDOMException(IndexSizeError, "The offset " + String::number(offset) + " is greater than the node's length (" + String::number(length()) + ").");

return;

}

+ if (count > (dataLength - offset)) {

sof 2014/03/19 11:40:18 If not already, you may want to consider handling

+ exceptionState.throwDOMException(IndexSizeError, "Cannot delete " + String::number(count) + " characters, this is greater than the node's length with the given offset.");

+ return;

+ }

unsigned realCount;

- if (offset + count > length())

- realCount = length() - offset;

+ if (offset + count > dataLength)

+ realCount = dataLength - offset;

else

realCount = count;

@@ -129,14 +136,21 @@ void CharacterData::deleteData(unsigned offset, unsigned count, ExceptionState&

void CharacterData::replaceData(unsigned offset, unsigned count, const String& data, ExceptionState& exceptionState)

{