Bug 701332: Defensive refcount on string split. (r=Waldo)

Chris Leary 2011-11-10 17:30:01 -08:00
parent ceadc5997e
commit 4a977d6241


@ -2486,13 +2486,14 @@ js::str_split(JSContext *cx, uintN argc, Value *vp)
}
/* Step 8. */
RegExpPrivate *re = NULL;
AutoRefCount<RegExpPrivate> rep(cx);
JSLinearString *sepstr = NULL;
bool sepUndefined = (argc == 0 || vp[2].isUndefined());
if (!sepUndefined) {
if (ValueIsRegExp(vp[2])) {
re = vp[2].toObject().asRegExp()->getOrCreatePrivate(cx);
if (!re)
RegExpObject *reobj = vp[2].toObject().asRegExp();
rep.reset(NeedsIncRef<RegExpPrivate>(reobj->getOrCreatePrivate(cx)));
if (!rep)
return false;
} else {
JSString *sep = js_ValueToString(cx, vp[2]);
@ -2532,8 +2533,9 @@ js::str_split(JSContext *cx, uintN argc, Value *vp)
/* Steps 11-15. */
JSObject *aobj;
if (re) {
aobj = SplitHelper(cx, strlin, limit, SplitRegExpMatcher(re, cx->regExpStatics()), type);
if (rep) {
aobj = SplitHelper(cx, strlin, limit,
SplitRegExpMatcher(rep.get(), cx->regExpStatics()), type);
} else {
// NB: sepstr is anchored through its storage in vp[2].
aobj = SplitHelper(cx, strlin, limit, SplitStringMatcher(sepstr), type);
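Review bot: The regexp branch now holds a reference through `rep`, but the code does not say what that reference protects against, whereas the string branch documents its lifetime with `// NB: sepstr is anchored through its storage in vp[2].`. A matching comment above `rep.reset(...)` would help, for example `// NB: hold a ref so the RegExpPrivate outlives SplitHelper even if reobj drops or replaces it.`; the exact hazard is inferred from the commit title and should be confirmed. The failure path also relies on `rep.reset()` accepting a null result from `getOrCreatePrivate(cx)` without dereferencing it before `if (!rep)` runs. AutoRefCount and NeedsIncRef are not visible here, so that is worth checking. The body of str_split starts and ends outside both hunks.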