Unified Diff: Source/core/dom/CharacterData.cpp

Issue 229793004: Add CharacterData.deleteData()/replaceData() overflow handling. (Closed) Base URL: https://chromium.googlesource.com/chromium/blink.git@master
Patch Set: Created 6 years, 8 months ago
Index: Source/core/dom/CharacterData.cpp
diff --git a/Source/core/dom/CharacterData.cpp b/Source/core/dom/CharacterData.cpp
index 1291365538649d3f7a835f7648e3da4a7d0e7de4..7b28b43dfd7f4b9c85ec2220a7cc31e2a04eaa1d 100644
--- a/Source/core/dom/CharacterData.cpp
+++ b/Source/core/dom/CharacterData.cpp
@@ -32,8 +32,7 @@
#include "core/editing/FrameSelection.h"
#include "core/events/MutationEvent.h"
#include "core/inspector/InspectorInstrumentation.h"
-
-using namespace std;
+#include "wtf/CheckedArithmetic.h"
namespace WebCore {
@@ -105,45 +104,49 @@ void CharacterData::insertData(unsigned offset, const String& data, ExceptionSta
document().didInsertText(this, offset, data.length());
}
-void CharacterData::deleteData(unsigned offset, unsigned count, ExceptionState& exceptionState, RecalcStyleBehavior recalcStyleBehavior)
+static bool validateOffsetCount(unsigned offset, unsigned count, unsigned length, unsigned& realCount, ExceptionState& exceptionState)
{
- if (offset > length()) {
- exceptionState.throwDOMException(IndexSizeError, "The offset " + String::number(offset) + " is greater than the node's length (" + String::number(length()) + ").");
- return;
+ if (offset > length) {
+ exceptionState.throwDOMException(IndexSizeError, "The offset " + String::number(offset) + " is greater than the node's length (" + String::number(length) + ").");
+ return false;
}
- unsigned realCount;
- if (offset + count > length())
- realCount = length() - offset;
+ Checked<unsigned, RecordOverflow> offsetCount = offset;
+ offsetCount += count;
+
+ if (offsetCount.hasOverflowed() || offset + count > length)
+ realCount = length - offset;
else
realCount = count;
+ return true;
+}
+
+void CharacterData::deleteData(unsigned offset, unsigned count, ExceptionState& exceptionState, RecalcStyleBehavior recalcStyleBehavior)
+{
+ unsigned realCount;
+ if (!validateOffsetCount(offset, count, length(), realCount, exceptionState))
+ return;
+
String newStr = m_data;
newStr.remove(offset, realCount);
- setDataAndUpdate(newStr, offset, count, 0, recalcStyleBehavior);
+ setDataAndUpdate(newStr, offset, realCount, 0, recalcStyleBehavior);
document().didRemoveText(this, offset, realCount);
}
void CharacterData::replaceData(unsigned offset, unsigned count, const String& data, ExceptionState& exceptionState)
{
- if (offset > length()) {
- exceptionState.throwDOMException(IndexSizeError, "The offset " + String::number(offset) + " is greater than the node's length (" + String::number(length()) + ").");
- return;
- }
-
unsigned realCount;
- if (offset + count > length())
- realCount = length() - offset;
- else
- realCount = count;
+ if (!validateOffsetCount(offset, count, length(), realCount, exceptionState))
+ return;
String newStr = m_data;
newStr.remove(offset, realCount);
tapted 2014/04/10 03:16:18 [sheriff] hi there! gcc is generating a warning he
sof 2014/04/10 06:58:54 Thanks (what gcc version?) https://codereview.chr
newStr.insert(data, offset);
- setDataAndUpdate(newStr, offset, count, data.length());
+ setDataAndUpdate(newStr, offset, realCount, data.length());
// update the markers for spell checking and grammar checking
document().didRemoveText(this, offset, realCount);
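Review bot: The new static helper validateOffsetCount carries no comment stating its contract, although both callers now depend on it: realCount is written only on the `return true` path, and the clamp is what keeps setDataAndUpdate and the didRemoveText notification from seeing a count that runs past the node's data. A header comment such as `// Clamps count so that offset + count never exceeds length (or wraps around); throws IndexSizeError and returns false when offset > length, in which case realCount is left untouched.` would make that explicit for the next caller. The condition `if (offsetCount.hasOverflowed() || offset + count > length)` repeats the addition in raw unsigned arithmetic and is correct only because the short-circuit on hasOverflowed() runs first; comparing the already-computed checked sum against length instead of re-adding would state the intent more directly. replaceData's body continues past the end of the hunk.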