Index: Source/core/dom/CharacterData.cpp |
diff --git a/Source/core/dom/CharacterData.cpp b/Source/core/dom/CharacterData.cpp |
index 1291365538649d3f7a835f7648e3da4a7d0e7de4..7b28b43dfd7f4b9c85ec2220a7cc31e2a04eaa1d 100644 |
--- a/Source/core/dom/CharacterData.cpp |
+++ b/Source/core/dom/CharacterData.cpp |
@@ -32,8 +32,7 @@ |
#include "core/editing/FrameSelection.h" |
#include "core/events/MutationEvent.h" |
#include "core/inspector/InspectorInstrumentation.h" |
- |
-using namespace std; |
+#include "wtf/CheckedArithmetic.h" |
namespace WebCore { |
@@ -105,45 +104,49 @@ void CharacterData::insertData(unsigned offset, const String& data, ExceptionSta |
document().didInsertText(this, offset, data.length()); |
} |
-void CharacterData::deleteData(unsigned offset, unsigned count, ExceptionState& exceptionState, RecalcStyleBehavior recalcStyleBehavior) |
+static bool validateOffsetCount(unsigned offset, unsigned count, unsigned length, unsigned& realCount, ExceptionState& exceptionState) |
{ |
- if (offset > length()) { |
- exceptionState.throwDOMException(IndexSizeError, "The offset " + String::number(offset) + " is greater than the node's length (" + String::number(length()) + ")."); |
- return; |
+ if (offset > length) { |
+ exceptionState.throwDOMException(IndexSizeError, "The offset " + String::number(offset) + " is greater than the node's length (" + String::number(length) + ")."); |
+ return false; |
} |
- unsigned realCount; |
- if (offset + count > length()) |
- realCount = length() - offset; |
+ Checked<unsigned, RecordOverflow> offsetCount = offset; |
+ offsetCount += count; |
+ |
+ if (offsetCount.hasOverflowed() || offset + count > length) |
+ realCount = length - offset; |
else |
realCount = count; |
+ return true; |
+} |
+ |
+void CharacterData::deleteData(unsigned offset, unsigned count, ExceptionState& exceptionState, RecalcStyleBehavior recalcStyleBehavior) |
+{ |
+ unsigned realCount; |
+ if (!validateOffsetCount(offset, count, length(), realCount, exceptionState)) |
+ return; |
+ |
String newStr = m_data; |
newStr.remove(offset, realCount); |
- setDataAndUpdate(newStr, offset, count, 0, recalcStyleBehavior); |
+ setDataAndUpdate(newStr, offset, realCount, 0, recalcStyleBehavior); |
document().didRemoveText(this, offset, realCount); |
} |
void CharacterData::replaceData(unsigned offset, unsigned count, const String& data, ExceptionState& exceptionState) |
{ |
- if (offset > length()) { |
- exceptionState.throwDOMException(IndexSizeError, "The offset " + String::number(offset) + " is greater than the node's length (" + String::number(length()) + ")."); |
- return; |
- } |
- |
unsigned realCount; |
- if (offset + count > length()) |
- realCount = length() - offset; |
- else |
- realCount = count; |
+ if (!validateOffsetCount(offset, count, length(), realCount, exceptionState)) |
+ return; |
String newStr = m_data; |
newStr.remove(offset, realCount); |
tapted
2014/04/10 03:16:18
[sheriff] hi there! gcc is generating a warning he
sof
2014/04/10 06:58:54
Thanks (what gcc version?)
https://codereview.chr
|
newStr.insert(data, offset); |
- setDataAndUpdate(newStr, offset, count, data.length()); |
+ setDataAndUpdate(newStr, offset, realCount, data.length()); |
// update the markers for spell checking and grammar checking |
document().didRemoveText(this, offset, realCount); |
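Review bot: In validateOffsetCount, the clamp condition `offsetCount.hasOverflowed() || offset + count > length` still evaluates the raw `offset + count`, so the helper is only correct because of short-circuit order, and the checked sum is used solely for its overflow flag. Since the early return above already guarantees `offset <= length`, the bound can be tested with no addition that can wrap: `if (count > length - offset) realCount = length - offset;`. Written that way, the count handed to `newStr.remove(offset, realCount)` and `setDataAndUpdate` is visibly in range, and the `Checked<unsigned, RecordOverflow>` temporary is no longer needed. A one-line comment such as `// offset <= length here, so length - offset cannot underflow.` would keep that invariant visible to later editors. validateOffsetCount lies entirely inside this hunk, while replaceData's body continues past its end.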