
Unified Diff: Source/core/dom/CharacterData.cpp

Issue 268523002: Merge 171165 "Add CharacterData.deleteData()/replaceData() overf..." (Closed) Base URL: svn://svn.chromium.org/blink/branches/chromium/1847/
Patch Set: Created 6 years, 8 months ago
Index: Source/core/dom/CharacterData.cpp
===================================================================
--- Source/core/dom/CharacterData.cpp (revision 173027)
+++ Source/core/dom/CharacterData.cpp (working copy)
@@ -33,9 +33,8 @@
#include "core/events/MutationEvent.h"
#include "core/events/ThreadLocalEventNames.h"
#include "core/inspector/InspectorInstrumentation.h"
+#include "wtf/CheckedArithmetic.h"
-using namespace std;
-
namespace WebCore {
void CharacterData::atomize()
@@ -106,45 +105,49 @@
document().didInsertText(this, offset, data.length());
}
-void CharacterData::deleteData(unsigned offset, unsigned count, ExceptionState& exceptionState, RecalcStyleBehavior recalcStyleBehavior)
+static bool validateOffsetCount(unsigned offset, unsigned count, unsigned length, unsigned& realCount, ExceptionState& exceptionState)
{
- if (offset > length()) {
- exceptionState.throwDOMException(IndexSizeError, "The offset " + String::number(offset) + " is greater than the node's length (" + String::number(length()) + ").");
- return;
+ if (offset > length) {
+ exceptionState.throwDOMException(IndexSizeError, "The offset " + String::number(offset) + " is greater than the node's length (" + String::number(length) + ").");
+ return false;
}
- unsigned realCount;
- if (offset + count > length())
- realCount = length() - offset;
+ Checked<unsigned, RecordOverflow> offsetCount = offset;
+ offsetCount += count;
+
+ if (offsetCount.hasOverflowed() || offset + count > length)
+ realCount = length - offset;
else
realCount = count;
+ return true;
+}
+
+void CharacterData::deleteData(unsigned offset, unsigned count, ExceptionState& exceptionState, RecalcStyleBehavior recalcStyleBehavior)
+{
+ unsigned realCount;
+ if (!validateOffsetCount(offset, count, length(), realCount, exceptionState))
+ return;
+
String newStr = m_data;
newStr.remove(offset, realCount);
- setDataAndUpdate(newStr, offset, count, 0, recalcStyleBehavior);
+ setDataAndUpdate(newStr, offset, realCount, 0, recalcStyleBehavior);
document().didRemoveText(this, offset, realCount);
}
void CharacterData::replaceData(unsigned offset, unsigned count, const String& data, ExceptionState& exceptionState)
{
- if (offset > length()) {
- exceptionState.throwDOMException(IndexSizeError, "The offset " + String::number(offset) + " is greater than the node's length (" + String::number(length()) + ").");
+ unsigned realCount;
+ if (!validateOffsetCount(offset, count, length(), realCount, exceptionState))
return;
- }
- unsigned realCount;
- if (offset + count > length())
- realCount = length() - offset;
- else
- realCount = count;
-
String newStr = m_data;
newStr.remove(offset, realCount);
newStr.insert(data, offset);
- setDataAndUpdate(newStr, offset, count, data.length());
+ setDataAndUpdate(newStr, offset, realCount, data.length());
// update the markers for spell checking and grammar checking
document().didRemoveText(this, offset, realCount);
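Review bot: In validateOffsetCount the condition `offsetCount.hasOverflowed() || offset + count > length` recomputes the raw unsigned sum that the Checked value was introduced to replace, so the overflow detection and the clamp comparison are reading two different computations of the same quantity; it is correct only because the short-circuit order happens to be right. Reading the checked value in both places makes the guard self-evident: `if (offsetCount.hasOverflowed() || offsetCount.unsafeGet() > length)`. A one-line comment above the Checked declaration would also help a later reader, since the wrap is the whole point of the change, e.g. `// offset and count come straight from script; offset + count can wrap, which previously made realCount (and the count passed to setDataAndUpdate) exceed the node length.` The `length - offset` fallback is safe as written because the `offset > length` check precedes it, and the switch from `count` to `realCount` in both setDataAndUpdate calls is the right fix for the same bug. replaceData continues past the end of this hunk, so its remaining update calls are not visible here.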
