Add CharacterData.deleteData()/replaceData() overflow handling.

Source/core/dom/CharacterData.cpp

Index: Source/core/dom/CharacterData.cpp
diff --git a/Source/core/dom/CharacterData.cpp b/Source/core/dom/CharacterData.cpp
index 1291365538649d3f7a835f7648e3da4a7d0e7de4..7b28b43dfd7f4b9c85ec2220a7cc31e2a04eaa1d 100644
--- a/Source/core/dom/CharacterData.cpp
+++ b/Source/core/dom/CharacterData.cpp
@@ -32,8 +32,7 @@
 #include "core/editing/FrameSelection.h"
 #include "core/events/MutationEvent.h"
 #include "core/inspector/InspectorInstrumentation.h"
-
-using namespace std;
+#include "wtf/CheckedArithmetic.h"
 
 namespace WebCore {
 
@@ -105,45 +104,49 @@ void CharacterData::insertData(unsigned offset, const String& data, ExceptionSta
     document().didInsertText(this, offset, data.length());
 }
 
-void CharacterData::deleteData(unsigned offset, unsigned count, ExceptionState& exceptionState, RecalcStyleBehavior recalcStyleBehavior)
+static bool validateOffsetCount(unsigned offset, unsigned count, unsigned length, unsigned& realCount, ExceptionState& exceptionState)
 {
-    if (offset > length()) {
-        exceptionState.throwDOMException(IndexSizeError, "The offset " + String::number(offset) + " is greater than the node's length (" + String::number(length()) + ").");
-        return;
+    if (offset > length) {
+        exceptionState.throwDOMException(IndexSizeError, "The offset " + String::number(offset) + " is greater than the node's length (" + String::number(length) + ").");
+        return false;
     }
 
-    unsigned realCount;
-    if (offset + count > length())
-        realCount = length() - offset;
+    Checked<unsigned, RecordOverflow> offsetCount = offset;
+    offsetCount += count;
+
+    if (offsetCount.hasOverflowed() || offset + count > length)
+        realCount = length - offset;
     else
         realCount = count;
 
+    return true;
+}
+
+void CharacterData::deleteData(unsigned offset, unsigned count, ExceptionState& exceptionState, RecalcStyleBehavior recalcStyleBehavior)
+{
+    unsigned realCount;
+    if (!validateOffsetCount(offset, count, length(), realCount, exceptionState))
+        return;
+
     String newStr = m_data;
     newStr.remove(offset, realCount);
 
-    setDataAndUpdate(newStr, offset, count, 0, recalcStyleBehavior);
+    setDataAndUpdate(newStr, offset, realCount, 0, recalcStyleBehavior);
 
     document().didRemoveText(this, offset, realCount);
 }
 
 void CharacterData::replaceData(unsigned offset, unsigned count, const String& data, ExceptionState& exceptionState)
 {
-    if (offset > length()) {
-        exceptionState.throwDOMException(IndexSizeError, "The offset " + String::number(offset) + " is greater than the node's length (" + String::number(length()) + ").");
-        return;
-    }
-
     unsigned realCount;
-    if (offset + count > length())
-        realCount = length() - offset;
-    else
-        realCount = count;
+    if (!validateOffsetCount(offset, count, length(), realCount, exceptionState))
+        return;
 
     String newStr = m_data;
     newStr.remove(offset, realCount);

[tapted, 2014/04/10 03:16:18]

[sheriff] hi there! gcc is generating a warning here: CharacterData.cpp:146:36:
error: 'realCount' may be used uninitialized in this function
[-Werror=maybe-uninitialized]
chromeos-chrome-36.0.1933.0_alpha-r1:      newStr.remove(offset, realCount);

It's coming up in the chrome tree, so I think we need to revert that blink roll.

[sof, 2014/04/10 06:58:54]

Thanks (what gcc version?)

https://codereview.chromium.org/232603002/ to address. Or if it results in fewer
bumps to revert this CL & combine the two, that can alternatively be done.

     newStr.insert(data, offset);
 
-    setDataAndUpdate(newStr, offset, count, data.length());
+    setDataAndUpdate(newStr, offset, realCount, data.length());
 
     // update the markers for spell checking and grammar checking
     document().didRemoveText(this, offset, realCount);