Title: [261537] trunk/Source/WTF
Revision
261537
Author
[email protected]
Date
2020-05-11 18:58:39 -0700 (Mon, 11 May 2020)

Log Message

[WTF] CStringBuffer::createUninitialized() should use Checked<size_t>
<https://webkit.org/b/211746>
<rdar://problem/62729848>

Reviewed by Darin Adler.

* wtf/text/CString.cpp:
(WTF::CStringBuffer::createUninitialized):
- Switch from RELEASE_ASSERT() to Checked<size_t>() for overflow
  check.  RELEASE_ASSERT() was using the wrong type, too.

Diff

Modified: trunk/Source/WTF/ChangeLog (261536 => 261537)


--- trunk/Source/WTF/ChangeLog	2020-05-12 01:28:40 UTC (rev 261536)
+++ trunk/Source/WTF/ChangeLog	2020-05-12 01:58:39 UTC (rev 261537)
@@ -1,3 +1,16 @@
+2020-05-11  David Kilzer  <[email protected]>
+
+        [WTF] CStringBuffer::createUninitialized() should use Checked<size_t>
+        <https://webkit.org/b/211746>
+        <rdar://problem/62729848>
+
+        Reviewed by Darin Adler.
+
+        * wtf/text/CString.cpp:
+        (WTF::CStringBuffer::createUninitialized):
+        - Switch from RELEASE_ASSERT() to Checked<size_t>() for overflow
+          check.  RELEASE_ASSERT() was using the wrong type, too.
+
 2020-05-11  Ryan Haddad  <[email protected]>
 
         Unreviewed, reverting r261440.
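Review bot: the ChangeLog line "RELEASE_ASSERT() was using the wrong type, too" does not say what the wrong type was or what the consequence is; since the removed assertion compared `length` against `std::numeric_limits<unsigned>::max() - sizeof(CStringBuffer)` while `length` and the allocation size are `size_t`, a short clause such as "compared against unsigned rather than size_t, so the bound did not match the allocation size type" would make the entry self-explanatory to anyone reading the history without the diff.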

Modified: trunk/Source/WTF/wtf/text/CString.cpp (261536 => 261537)


--- trunk/Source/WTF/wtf/text/CString.cpp	2020-05-12 01:28:40 UTC (rev 261536)
+++ trunk/Source/WTF/wtf/text/CString.cpp	2020-05-12 01:58:39 UTC (rev 261537)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2003-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2003-2020 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -28,6 +28,7 @@
 #include <wtf/text/CString.h>
 
 #include <string.h>
+#include <wtf/CheckedArithmetic.h>
 #include <wtf/NeverDestroyed.h>
 #include <wtf/text/StringHasher.h>
 
@@ -37,11 +38,9 @@
 
 Ref<CStringBuffer> CStringBuffer::createUninitialized(size_t length)
 {
-    RELEASE_ASSERT(length < (std::numeric_limits<unsigned>::max() - sizeof(CStringBuffer)));
-
     // The +1 is for the terminating null character.
-    size_t size = sizeof(CStringBuffer) + length + 1;
-    CStringBuffer* stringBuffer = static_cast<CStringBuffer*>(CStringBufferMalloc::malloc(size));
+    auto size = (Checked<size_t>(sizeof(CStringBuffer)) + length + 1U).unsafeGet();
+    auto* stringBuffer = static_cast<CStringBuffer*>(CStringBufferMalloc::malloc(size));
     return adoptRef(*new (NotNull, stringBuffer) CStringBuffer(length));
 }
 
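Review bot: the new `auto size = (Checked<size_t>(sizeof(CStringBuffer)) + length + 1U).unsafeGet();` relies on the default overflow handler of `Checked<size_t>` to terminate the process when the addition wraps, but nothing in the hunk states that, and the explicit `RELEASE_ASSERT` that documented the intent is gone; a one-line comment such as `// Checked<size_t> crashes on overflow, replacing the former RELEASE_ASSERT` next to the `+1` comment would keep the overflow contract visible. The replaced check was also the wrong bound: it compared a `size_t` length against `std::numeric_limits<unsigned>::max() - sizeof(CStringBuffer)`, so on targets where `size_t` is wider than `unsigned` it rejected large but representable lengths instead of guarding the `size_t` sum that is actually passed to `malloc`; the checked arithmetic guards exactly that sum. The `NotNull` placement-new tag and the unchecked `CStringBufferMalloc::malloc(size)` result are unchanged, so the hunk continues to assume the allocator never returns null.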