Title: [201121] trunk/Source/WTF
Revision: 201121
Author: sbar...@apple.com
Date: 2016-05-18 18:01:21 -0700 (Wed, 18 May 2016)

Log Message

StringBuilder::appendQuotedJSONString doesn't properly protect against the math it's doing. Make the math fit the assertion.
https://bugs.webkit.org/show_bug.cgi?id=157868

Reviewed by Benjamin Poulain.

appendQuotedJSONString was rounding up to the next power of two when resizing
its buffer. Let's call the allocation size X. If X > 2^31, then
roundUpToPowerOfTwo(X) == 0. This patch fixes this by making the
assertion reflect what the code is doing. We now allocate to a size
of X = std::max(maximumCapacityRequired, roundUpToPowerOfTwo(maximumCapacityRequired))

* wtf/text/StringBuilder.cpp:
(WTF::StringBuilder::appendQuotedJSONString):
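The wrap-around the commit message describes, as an added illustration that is not WebKit's code: `roundUpToPowerOfTwo32` below is the usual 32-bit bit-smearing routine and is only assumed to behave like WTF's `roundUpToPowerOfTwo` for the inputs in question; `allocationSizeBefore` and `allocationSizeAfter` are hypothetical names for the pre- and post-patch computations.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstdio>

// Stand-in for WTF's roundUpToPowerOfTwo (assumption: same behaviour on these
// inputs). For v in the open interval (2^31, 2^32) the smeared value is
// 0xFFFFFFFF and the final increment wraps to 0 under unsigned arithmetic.
uint32_t roundUpToPowerOfTwo32(uint32_t v)
{
    v--;
    v |= v >> 1;
    v |= v >> 2;
    v |= v >> 4;
    v |= v >> 8;
    v |= v >> 16;
    v++;
    return v;
}

// Pre-patch computation: the rounded value is used as the allocation size.
uint32_t allocationSizeBefore(uint32_t maximumCapacityRequired)
{
    return roundUpToPowerOfTwo32(maximumCapacityRequired);
}

// Post-patch computation: max() falls back to the exact requirement whenever
// rounding produced something smaller (in practice, the wrapped 0).
uint32_t allocationSizeAfter(uint32_t maximumCapacityRequired)
{
    return std::max(maximumCapacityRequired, roundUpToPowerOfTwo32(maximumCapacityRequired));
}

// The invariant a caller needs: the buffer is at least as large as required.
bool allocationCoversRequirement(uint32_t allocationSize, uint32_t maximumCapacityRequired)
{
    return allocationSize >= maximumCapacityRequired;
}

int main()
{
    // Constructed sample inputs: a small size and one just above 2^31.
    const uint32_t samples[] = { 1000u, 0x80000000u, 0x80000001u, 0xFFFFFFFEu };
    for (uint32_t required : samples) {
        std::printf("required=%u before=%u after=%u covers(before)=%d covers(after)=%d\n",
            required,
            allocationSizeBefore(required),
            allocationSizeAfter(required),
            allocationCoversRequirement(allocationSizeBefore(required), required),
            allocationCoversRequirement(allocationSizeAfter(required), required));
    }
    return 0;
}
```

The upper sample, 0xFFFFFFFE, is the largest value the patch's `RELEASE_ASSERT(maximumCapacityRequired < std::numeric_limits<unsigned>::max())` admits; without the `std::max` the pre-patch computation hands a 0-byte request to the allocator for every input above 2^31, while the post-patch one never allocates less than was required.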

Modified Paths

Diff

Modified: trunk/Source/WTF/ChangeLog (201120 => 201121)


--- trunk/Source/WTF/ChangeLog	2016-05-19 00:45:16 UTC (rev 201120)
+++ trunk/Source/WTF/ChangeLog	2016-05-19 01:01:21 UTC (rev 201121)
@@ -1,3 +1,19 @@
+2016-05-18  Saam barati  <sbar...@apple.com>
+
+        StringBuilder::appendQuotedJSONString doesn't properly protect against the math it's doing. Make the math fit the assertion.
+        https://bugs.webkit.org/show_bug.cgi?id=157868
+
+        Reviewed by Benjamin Poulain.
+
+        appendQuotedJSONString was rounding up to the next power of two when resizing
+        its buffer. Lets call the allocation size X. If X > 2^31, then
+        roundUpToPowerOfTwo(X) == 0. This patch fixes this by making the
+        assertion reflect what the code is doing. We now allocate to a size
+        of X = std::max(maximumCapacityRequired , roundUpToPowerOfTwo(maximumCapacityRequired))
+
+        * wtf/text/StringBuilder.cpp:
+        (WTF::StringBuilder::appendQuotedJSONString):
+
 2016-05-17  Joseph Pecoraro  <pecor...@apple.com>
 
         REGRESSION(r192855): Math.random() always produces the same first 7 decimal points the first two invocations
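Review bot: the description's "If X > 2^31" and the new code comment's range "[2^31, 2^32 - 2]" disagree on the endpoint; 2^31 is itself a power of two, so rounding leaves it unchanged and only the values strictly above it wrap to 0. Aligning the two would avoid a reader wondering which is right. Also "Lets call" should read "Let's call".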

Modified: trunk/Source/WTF/wtf/text/StringBuilder.cpp (201120 => 201121)


--- trunk/Source/WTF/wtf/text/StringBuilder.cpp	2016-05-19 00:45:16 UTC (rev 201120)
+++ trunk/Source/WTF/wtf/text/StringBuilder.cpp	2016-05-19 01:01:21 UTC (rev 201121)
@@ -414,11 +414,14 @@
     // The 6 is for characters that need to be \uNNNN encoded.
     size_t maximumCapacityRequired = length() + 2 + string.length() * 6;
     RELEASE_ASSERT(maximumCapacityRequired < std::numeric_limits<unsigned>::max());
+    unsigned allocationSize = maximumCapacityRequired;
+    // This max() is here to allow us to allocate sizes between the range [2^31, 2^32 - 2] because roundUpToPowerOfTwo(1<<31 + some int smaller than 1<<31) == 0.
+    allocationSize = std::max(allocationSize, roundUpToPowerOfTwo(allocationSize));
 
     if (is8Bit() && !string.is8Bit())
-        allocateBufferUpConvert(m_bufferCharacters8, roundUpToPowerOfTwo(maximumCapacityRequired));
+        allocateBufferUpConvert(m_bufferCharacters8, allocationSize);
     else
-        reserveCapacity(roundUpToPowerOfTwo(maximumCapacityRequired));
+        reserveCapacity(allocationSize);
 
     if (is8Bit()) {
         ASSERT(string.is8Bit());
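Review bot: `unsigned allocationSize = maximumCapacityRequired;` narrows a `size_t` to `unsigned`, which is only safe because of the `RELEASE_ASSERT(maximumCapacityRequired < std::numeric_limits<unsigned>::max())` directly above it; keep the two lines adjacent and consider a comment tying the narrowing to that assert. The new comment's expression `1<<31 + some int smaller than 1<<31` parses as `1 << (31 + ...)` in C++, so write it as `(1<<31) + n` or in words. `std::max` also requires both arguments to share a type; if the `roundUpToPowerOfTwo` overload taking `unsigned` returns anything else, this needs `std::max<unsigned>(...)` to compile. Behaviourally the change is correct: for inputs above 2^31 the rounded value wraps to 0 and `max()` falls back to the exact requirement, so neither the `allocateBufferUpConvert` nor the `reserveCapacity` call can now be handed a size smaller than `maximumCapacityRequired`, which the removed `roundUpToPowerOfTwo(maximumCapacityRequired)` arguments did not guarantee.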
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes