Title: [93135] branches/safari-534.51-branch/Source

Diff

Modified: branches/safari-534.51-branch/Source/_javascript_Core/ChangeLog (93134 => 93135)


--- branches/safari-534.51-branch/Source/_javascript_Core/ChangeLog	2011-08-16 18:39:52 UTC (rev 93134)
+++ branches/safari-534.51-branch/Source/_javascript_Core/ChangeLog	2011-08-16 18:44:01 UTC (rev 93135)
@@ -1,3 +1,22 @@
+2011-08-16  Lucas Forschler  <[email protected]>
+
+    Merged 88444
+
+    2011-06-08  Mikołaj Małecki  <[email protected]>
+
+            Reviewed by Pavel Feldman.
+
+            Web Inspector: Crash by buffer overrun crash when serializing inspector object tree.
+            https://bugs.webkit.org/show_bug.cgi?id=52791
+
+            No new tests. The problem can be reproduced by trying to create InspectorValue
+            from 1.0e-100 and call ->toJSONString() on this.
+
+            * _javascript_Core.exp:
+            * _javascript_Core.vcproj/_javascript_Core/_javascript_Core.def:
+            export 2 functions DecimalNumber::bufferLengthForStringExponential and
+            DecimalNumber::toStringExponential.
+
 2011-08-11  Lucas Forschler  <[email protected]>
 
     Merged 92986
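Review bot: the bug title on the added line, "Web Inspector: Crash by buffer overrun crash when serializing inspector object tree.", repeats "crash"; it reads as "Crash by buffer overrun when serializing inspector object tree." Separately, the entry says "No new tests" while spelling out an exact reproducer (build an InspectorValue from 1.0e-100 and call ->toJSONString()); for a memory-safety fix that is a one-line regression test and it should exist at least on trunk, even if the branch merge takes the ChangeLog verbatim.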

Modified: branches/safari-534.51-branch/Source/WebCore/ChangeLog (93134 => 93135)


--- branches/safari-534.51-branch/Source/WebCore/ChangeLog	2011-08-16 18:39:52 UTC (rev 93134)
+++ branches/safari-534.51-branch/Source/WebCore/ChangeLog	2011-08-16 18:44:01 UTC (rev 93135)
@@ -1,3 +1,22 @@
+2011-08-16  Lucas Forschler  <[email protected]>
+
+    Merged 88444
+
+    2011-06-08  Mikołaj Małecki  <[email protected]>
+
+            Reviewed by Pavel Feldman.
+
+            Web Inspector: Crash by buffer overrun crash when serializing inspector object tree.
+            https://bugs.webkit.org/show_bug.cgi?id=52791
+
+            No new tests. The problem can be reproduced by trying to create InspectorValue
+            from 1.0e-100 and call ->toJSONString() on this.
+
+            * inspector/InspectorValues.cpp:
+            (WebCore::InspectorBasicValue::writeJSON):
+            Added checking the predicted buffer size and choosing exponential format, or
+            eventually "NaN" if the buffer is too small for decimal format.
+
 2011-08-11  Lucas Forschler  <[email protected]>
 
     Merged 92692
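Review bot: the description "choosing exponential format, or eventually "NaN" if the buffer is too small for decimal format" uses "eventually" where "otherwise" is meant, and it does not say what the visible behaviour change is: numbers whose decimal rendering does not fit NumberToStringBufferLength are now serialized in exponential form (1e-100 style) instead of overrunning the buffer, which inspector front-ends consuming the JSON should be told about. Also the same duplicated "crash" in the title line as in the JavaScriptCore entry.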

Modified: branches/safari-534.51-branch/Source/WebCore/inspector/InspectorValues.cpp (93134 => 93135)


--- branches/safari-534.51-branch/Source/WebCore/inspector/InspectorValues.cpp	2011-08-16 18:39:52 UTC (rev 93134)
+++ branches/safari-534.51-branch/Source/WebCore/inspector/InspectorValues.cpp	2011-08-16 18:44:01 UTC (rev 93135)
@@ -620,7 +620,18 @@
             output->append(falseString, 5);
     } else if (type() == TypeNumber) {
         NumberToStringBuffer buffer;
-        unsigned length = DecimalNumber(m_doubleValue).toStringDecimal(buffer, WTF::NumberToStringBufferLength);
+        DecimalNumber decimal = m_doubleValue;
+        unsigned length = 0;
+        if (decimal.bufferLengthForStringDecimal() > WTF::NumberToStringBufferLength) {
+            // Not enough room for decimal. Use exponential format.
+            if (decimal.bufferLengthForStringExponential() > WTF::NumberToStringBufferLength) {
+                // Fallback for an abnormal case if it's too little even for exponential.
+                output->append("NaN", 3);
+                return;
+            }
+            length = decimal.toStringExponential(buffer, WTF::NumberToStringBufferLength);
+        } else
+            length = decimal.toStringDecimal(buffer, WTF::NumberToStringBufferLength);
         output->append(buffer, length);
     }
 }
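Review bot: the fallback `output->append("NaN", 3);` writes a token that is not valid JSON (there is no NaN literal), so a front-end that runs JSON.parse on the message will throw on it; the overrun is gone but the message is still lost. Emit `null` (or a quoted string) there instead, and since the comment itself calls the case abnormal, an ASSERT_NOT_REACHED() next to it would surface the situation in debug builds. One more check on this hunk: both guards use `> WTF::NumberToStringBufferLength`, so please confirm that bufferLengthForStringDecimal() and bufferLengthForStringExponential() already count whatever toStringDecimal()/toStringExponential() actually write into the buffer (a terminating NUL, if one is emitted); a one-off between the predicted length and the written length would reintroduce a one-byte overrun of `buffer`, which is exactly what this change is meant to close.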
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes