Title: [201121] trunk/Source/WTF
- Revision: 201121
- Author: sbar...@apple.com
- Date: 2016-05-18 18:01:21 -0700 (Wed, 18 May 2016)
Log Message
StringBuilder::appendQuotedJSONString doesn't properly protect against the math it's doing. Make the math fit the assertion.
https://bugs.webkit.org/show_bug.cgi?id=157868
Reviewed by Benjamin Poulain.
appendQuotedJSONString was rounding up to the next power of two when resizing
its buffer. Let's call the allocation size X. If X > 2^31, then
roundUpToPowerOfTwo(X) == 0. This patch fixes this by making the
assertion reflect what the code is doing. We now allocate to a size
of X = std::max(maximumCapacityRequired, roundUpToPowerOfTwo(maximumCapacityRequired)).
* wtf/text/StringBuilder.cpp:
(WTF::StringBuilder::appendQuotedJSONString):
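The wrap-around the log message describes, shown as an added example (not WebKit's own code): `roundUpToPowerOfTwo` is re-implemented here with the usual bit-smearing idiom that WTF also uses, and the before/after allocation-size computations assume only what the diff shows. The `allocationSizeBefore`/`allocationSizeAfter`/`fitsAllocationLimit` names are this example's, not WTF's.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <limits>

// Re-implementation of the bit-smearing round-up (illustration only, not WTF's source).
// For v > 2^31 the smeared value is 0xFFFFFFFF and the final increment wraps to 0.
static uint32_t roundUpToPowerOfTwo(uint32_t v)
{
    v--;
    v |= v >> 1;
    v |= v >> 2;
    v |= v >> 4;
    v |= v >> 8;
    v |= v >> 16;
    v++;
    return v;
}

// Size passed to the allocator before r201121: the rounded value is used as-is,
// so a request above 2^31 turns into a zero-sized allocation.
static uint32_t allocationSizeBefore(uint32_t maximumCapacityRequired)
{
    return roundUpToPowerOfTwo(maximumCapacityRequired);
}

// Size after r201121: max() falls back to the unrounded size whenever the
// rounding wrapped to 0, covering requests in [2^31 + 1, 2^32 - 2].
static uint32_t allocationSizeAfter(uint32_t maximumCapacityRequired)
{
    return std::max(maximumCapacityRequired, roundUpToPowerOfTwo(maximumCapacityRequired));
}

// Mirrors the RELEASE_ASSERT guard: the size_t estimate must be below
// numeric_limits<unsigned>::max() before it is narrowed to unsigned.
static bool fitsAllocationLimit(size_t maximumCapacityRequired)
{
    return maximumCapacityRequired < std::numeric_limits<unsigned>::max();
}

int main()
{
    // Constructed sample sizes: small, exactly 2^31, just above 2^31, and the largest allowed.
    const uint32_t sizes[] = { 1000u, 1u << 31, (1u << 31) + 1u, 0xFFFFFFFEu };
    for (uint32_t s : sizes)
        std::printf("%10lu -> before %10lu, after %10lu\n", (unsigned long)s,
                    (unsigned long)allocationSizeBefore(s), (unsigned long)allocationSizeAfter(s));
    return 0;
}
```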
Modified Paths
Diff
Modified: trunk/Source/WTF/ChangeLog (201120 => 201121)
--- trunk/Source/WTF/ChangeLog 2016-05-19 00:45:16 UTC (rev 201120)
+++ trunk/Source/WTF/ChangeLog 2016-05-19 01:01:21 UTC (rev 201121)
@@ -1,3 +1,19 @@
+2016-05-18 Saam barati <sbar...@apple.com>
+
+ StringBuilder::appendQuotedJSONString doesn't properly protect against the math it's doing. Make the math fit the assertion.
+ https://bugs.webkit.org/show_bug.cgi?id=157868
+
+ Reviewed by Benjamin Poulain.
+
+ appendQuotedJSONString was rounding up to the next power of two when resizing
+ its buffer. Lets call the allocation size X. If X > 2^31, then
+ roundUpToPowerOfTwo(X) == 0. This patch fixes this by making the
+ assertion reflect what the code is doing. We now allocate to a size
+ of X = std::max(maximumCapacityRequired , roundUpToPowerOfTwo(maximumCapacityRequired))
+
+ * wtf/text/StringBuilder.cpp:
+ (WTF::StringBuilder::appendQuotedJSONString):
+
2016-05-17 Joseph Pecoraro <pecor...@apple.com>
REGRESSION(r192855): Math.random() always produces the same first 7 decimal points the first two invocations
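Review bot: the entry and the new code comment describe the problematic range differently: the entry says roundUpToPowerOfTwo(X) == 0 for X > 2^31, while the StringBuilder.cpp comment says the max() covers [2^31, 2^32 - 2]. Both are correct in effect, since rounding 2^31 is the identity and max() is then a no-op, but stating the range once as "above 2^31 and below numeric_limits<unsigned>::max()" in both places would avoid a reader checking the boundary twice. Also, the author line reads "Saam barati"; the surname is usually capitalised in the other ChangeLog entries.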
Modified: trunk/Source/WTF/wtf/text/StringBuilder.cpp (201120 => 201121)
--- trunk/Source/WTF/wtf/text/StringBuilder.cpp 2016-05-19 00:45:16 UTC (rev 201120)
+++ trunk/Source/WTF/wtf/text/StringBuilder.cpp 2016-05-19 01:01:21 UTC (rev 201121)
@@ -414,11 +414,14 @@
// The 6 is for characters that need to be \uNNNN encoded.
size_t maximumCapacityRequired = length() + 2 + string.length() * 6;
RELEASE_ASSERT(maximumCapacityRequired < std::numeric_limits<unsigned>::max());
+ unsigned allocationSize = maximumCapacityRequired;
+ // This max() is here to allow us to allocate sizes between the range [2^31, 2^32 - 2] because roundUpToPowerOfTwo(1<<31 + some int smaller than 1<<31) == 0.
+ allocationSize = std::max(allocationSize, roundUpToPowerOfTwo(allocationSize));
if (is8Bit() && !string.is8Bit())
- allocateBufferUpConvert(m_bufferCharacters8, roundUpToPowerOfTwo(maximumCapacityRequired));
+ allocateBufferUpConvert(m_bufferCharacters8, allocationSize);
else
- reserveCapacity(roundUpToPowerOfTwo(maximumCapacityRequired));
+ reserveCapacity(allocationSize);
if (is8Bit()) {
ASSERT(string.is8Bit());
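Review bot: the new comment's expression `1<<31 + some int smaller than 1<<31` parses as `1 << (31 + n)` because `+` binds tighter than `<<`, and `1<<31` on an int is undefined behaviour in C++ anyway; since this is the line a future reader will use to understand why the max() exists, spell it as `(1u << 31) + n` (with n < 2^31) or simply "any value above 2^31". The narrowing in `unsigned allocationSize = maximumCapacityRequired;` is fine because the RELEASE_ASSERT on the line above already bounds the size_t value below numeric_limits<unsigned>::max(); a one-line comment tying the two together would make the intent explicit. One more observation outside the changed lines: `length() + 2 + string.length() * 6` is computed in size_t before the assert, so on a 32-bit size_t it can itself wrap before the guard runs, which this patch does not address.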
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes