Fixing bug 534666. Limit the length of a string in a text fragment. r=jonas@sicking.cc, sr=mrbkap@gmail.com

2025-02-10 17:24:29 +00:00 · 2010-04-09 15:55:11 -07:00 · 2010-04-09 15:55:11 -07:00 · 2d424b5fc2
commit 2d424b5fc2
parent d18239a679
2 changed files with 22 additions and 10 deletions
--- a/content/base/src/nsGenericDOMDataNode.cpp
+++ b/content/base/src/nsGenericDOMDataNode.cpp
@ -297,8 +297,7 @@ nsGenericDOMDataNode::SubstringData(PRUint32 aStart, PRUint32 aCount,
 {
  aReturn.Truncate();

-  // XXX add <0 checks if types change
-  PRUint32 textLength = PRUint32( mText.GetLength() );
+  PRUint32 textLength = mText.GetLength();
  if (aStart > textLength) {
    return NS_ERROR_DOM_INDEX_SIZE_ERR;
  }
@ -366,6 +365,20 @@ nsGenericDOMDataNode::SetTextInternal(PRUint32 aOffset, PRUint32 aCount,
    return NS_ERROR_DOM_INDEX_SIZE_ERR;
  }

+  if (aCount > textLength - aOffset) {
+    aCount = textLength - aOffset;
+  }
+
+  PRUint32 endOffset = aOffset + aCount;
+
+  // Make sure the text fragment can hold the new data.
+  if (aLength > aCount && !mText.CanGrowBy(aLength - aCount)) {
+    // This exception isn't per spec, but the spec doesn't actually
+    // say what to do here.
+
+    return NS_ERROR_DOM_DOMSTRING_SIZE_ERR;
+  }
+
  nsIDocument *document = GetCurrentDoc();
  mozAutoDocUpdate updateBatch(document, UPDATE_CONTENT_MODEL, aNotify);

@ -379,12 +392,6 @@ nsGenericDOMDataNode::SetTextInternal(PRUint32 aOffset, PRUint32 aCount,
    oldValue = GetCurrentValueAtom();
  }
    
-  PRUint32 endOffset = aOffset + aCount;
-  if (endOffset > textLength) {
-    aCount = textLength - aOffset;
-    endOffset = textLength;
-  }
-
  if (aNotify) {
    CharacterDataChangeInfo info = {
      aOffset == textLength,
@ -412,10 +419,10 @@ nsGenericDOMDataNode::SetTextInternal(PRUint32 aOffset, PRUint32 aCount,
    NS_ENSURE_TRUE(to, NS_ERROR_OUT_OF_MEMORY);

    // Copy over appropriate data
-    if (0 != aOffset) {
+    if (aOffset) {
      mText.CopyTo(to, 0, aOffset);
    }
-    if (0 != aLength) {
+    if (aLength) {
      memcpy(to + aOffset, aBuffer, aLength * sizeof(PRUnichar));
    }
    if (endOffset != textLength) {
--- a/content/base/src/nsTextFragment.h
+++ b/content/base/src/nsTextFragment.h
@ -146,6 +146,11 @@ public:
    return mState.mLength;
  }

+  PRBool CanGrowBy(size_t n) const
+  {
+    return n < (1 << 29) && mState.mLength + n < (1 << 29);
+  }
+
  /**
   * Change the contents of this fragment to be a copy of the given
   * buffer.