Changeset 201121 in webkit
- Timestamp: May 18, 2016, 6:01:21 PM (9 years ago)
- Location: trunk/Source/WTF
- Files: 2 edited
trunk/Source/WTF/ChangeLog
r201053 r201121 1 2016-05-18 Saam barati <sbarati@apple.com> 2 3 StringBuilder::appendQuotedJSONString doesn't properly protect against the math it's doing. Make the math fit the assertion. 4 https://bugs.webkit.org/show_bug.cgi?id=157868 5 6 Reviewed by Benjamin Poulain. 7 8 appendQuotedJSONString was rounding up to the next power of two when resizing 9 its buffer. Lets call the allocation size X. If X > 2^31, then 10 roundUpToPowerOfTwo(X) == 0. This patch fixes this by making the 11 assertion reflect what the code is doing. We now allocate to a size 12 of X = std::max(maximumCapacityRequired , roundUpToPowerOfTwo(maximumCapacityRequired)) 13 14 * wtf/text/StringBuilder.cpp: 15 (WTF::StringBuilder::appendQuotedJSONString): 16 1 17 2016-05-17 Joseph Pecoraro <pecoraro@apple.com> 2 18 -
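Review bot: the description in this ChangeLog entry contradicts both its own title and the code change: the title says "Make the math fit the assertion" and the cpp hunk leaves `RELEASE_ASSERT(maximumCapacityRequired < std::numeric_limits<unsigned>::max())` untouched while changing the allocation size, yet the body says "making the assertion reflect what the code is doing". Reword the body to say the allocation math was changed to satisfy the existing assertion, e.g. "This patch fixes this by making the allocation size fit the existing assertion", so the log matches the diff.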
trunk/Source/WTF/wtf/text/StringBuilder.cpp
r200626 r201121 415 415 size_t maximumCapacityRequired = length() + 2 + string.length() * 6; 416 416 RELEASE_ASSERT(maximumCapacityRequired < std::numeric_limits<unsigned>::max()); 417 unsigned allocationSize = maximumCapacityRequired; 418 // This max() is here to allow us to allocate sizes between the range [2^31, 2^32 - 2] because roundUpToPowerOfTwo(1<<31 + some int smaller than 1<<31) == 0. 419 allocationSize = std::max(allocationSize, roundUpToPowerOfTwo(allocationSize)); 417 420 418 421 if (is8Bit() && !string.is8Bit()) 419 allocateBufferUpConvert(m_bufferCharacters8, roundUpToPowerOfTwo(maximumCapacityRequired));422 allocateBufferUpConvert(m_bufferCharacters8, allocationSize); 420 423 else 421 reserveCapacity( roundUpToPowerOfTwo(maximumCapacityRequired));424 reserveCapacity(allocationSize); 422 425 423 426 if (is8Bit()) {
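Review bot: the comment on new line 418 writes `roundUpToPowerOfTwo(1<<31 + some int smaller than 1<<31)`, which read as C++ parses as `1 << (31 + n)`, not the intended `(1<<31) + n`; parenthesise it so the comment matches the range `[2^31, 2^32 - 2]` it names. The `std::max(allocationSize, roundUpToPowerOfTwo(allocationSize))` on line 419 is correct only because `roundUpToPowerOfTwo` returns 0 for inputs above `1<<31`, so stating that return value explicitly in the comment, rather than only by example, would make the invariant clear to the next reader. Note also that line 417 narrows `maximumCapacityRequired` from `size_t` to `unsigned`; that narrowing is lossless solely because of the `RELEASE_ASSERT` on line 416, so the two lines should stay together if this block is ever refactored.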