[v8-dev] [v8] r3568 committed - Fix potential length-miscalculation in %StringBuilderConcat....

Fri, 08 Jan 2010 03:28:05 -0800 

Revision: 3568
Author: [email protected]
Date: Fri Jan  8 03:27:37 2010
Log: Fix potential length-miscalculation in %StringBuilderConcat.

Review URL: http://codereview.chromium.org/521074

http://code.google.com/p/v8/source/detail?r=3568

Modified:
 /branches/bleeding_edge/src/runtime.cc

=======================================
--- /branches/bleeding_edge/src/runtime.cc      Thu Jan  7 06:04:56 2010
+++ /branches/bleeding_edge/src/runtime.cc      Fri Jan  8 03:27:37 2010
@@ -1524,7 +1524,7 @@


   void IncrementCharacterCount(int by) {
-    if (character_count_ > Smi::kMaxValue - by) {
+    if (character_count_ > String::kMaxLength - by) {
       V8::FatalProcessOutOfMemory("String.replace result too large.");
     }
     character_count_ += by;
@@ -3384,6 +3384,7 @@
         escaped_length += 3;
       }
       // We don't allow strings that are longer than a maximal length.
+      ASSERT(String::kMaxLength < 0x7fffffff - 6);  // Cannot overflow.
       if (escaped_length > String::kMaxLength) {
         Top::context()->mark_out_of_memory();
         return Failure::OutOfMemoryException();
@@ -3960,6 +3961,7 @@

   bool ascii = special->IsAsciiRepresentation();
   int position = 0;
+  int increment = 0;
   for (int i = 0; i < array_length; i++) {
     Object* elt = fixed_array->get(i);
     if (elt->IsSmi()) {
@@ -3972,10 +3974,10 @@
         if (pos + len > special_length) {
           return Top::Throw(Heap::illegal_argument_symbol());
         }
-        position += len;
+        increment = len;
       } else {
         // Position and length encoded in two smis.
-        position += (-len);
+        increment = (-len);
         // Get the position and check that it is also a smi.
         i++;
         if (i >= array_length) {
@@ -3989,17 +3991,18 @@
     } else if (elt->IsString()) {
       String* element = String::cast(elt);
       int element_length = element->length();
-      position += element_length;
+      increment = element_length;
       if (ascii && !element->IsAsciiRepresentation()) {
         ascii = false;
       }
     } else {
       return Top::Throw(Heap::illegal_argument_symbol());
     }
-    if (position > String::kMaxLength) {
+    if (increment > String::kMaxLength - position) {
       Top::context()->mark_out_of_memory();
       return Failure::OutOfMemoryException();
     }
+    position += increment;
   }

   int length = position;

-- 
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev

Reply via email to