Bug 1171603 - Better size check in nsTSubstring::ReplacePrep. r=ehsan

--HG-- extra : rebase_source : a42342c8f82cb00e1e1b9b9673fc1e290fb9cf23
2024-10-08 02:14:43 +00:00 · 2015-07-06 14:27:35 -04:00 · 2015-07-06 14:27:35 -04:00 · b6e7f5efcf
commit b6e7f5efcf
parent db3a3881cf
2 changed files with 27 additions and 12 deletions
--- a/xpcom/string/nsTSubstring.cpp
+++ b/xpcom/string/nsTSubstring.cpp
@ -4,6 +4,7 @@
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

+#include "mozilla/CheckedInt.h"
 #include "mozilla/double-conversion.h"
 #include "mozilla/MemoryReporting.h"

@ -160,6 +161,31 @@ nsTSubstring_CharT::Finalize()
  // mData, mLength, and mFlags are purposefully left dangling
 }

+bool
+nsTSubstring_CharT::ReplacePrep(index_type aCutStart,
+                                size_type aCutLength,
+                                size_type aNewLength)
+{
+  aCutLength = XPCOM_MIN(aCutLength, mLength - aCutStart);
+
+  mozilla::CheckedInt<size_type> newTotalLen = mLength;
+  newTotalLen += aNewLength;
+  newTotalLen -= aCutLength;
+  if (!newTotalLen.isValid()) {
+    return false;
+  }
+
+  if (aCutStart == mLength && Capacity() > newTotalLen.value()) {
+    mFlags &= ~F_VOIDED;
+    mData[newTotalLen.value()] = char_type(0);
+    mLength = newTotalLen.value();
+    return true;
+  }
+
+  return ReplacePrepInternal(aCutStart, aCutLength, aNewLength,
+                             newTotalLen.value());
+}
+
 bool
 nsTSubstring_CharT::ReplacePrepInternal(index_type aCutStart, size_type aCutLen,
                                        size_type aFragLen, size_type aNewLen)
--- a/xpcom/string/nsTSubstring.h
+++ b/xpcom/string/nsTSubstring.h
@ -997,18 +997,7 @@ protected:
   */
  MOZ_WARN_UNUSED_RESULT bool ReplacePrep(index_type aCutStart,
                                          size_type aCutLength,
-                                          size_type aNewLength)
-  {
-    aCutLength = XPCOM_MIN(aCutLength, mLength - aCutStart);
-    uint32_t newTotalLen = mLength - aCutLength + aNewLength;
-    if (aCutStart == mLength && Capacity() > newTotalLen) {
-      mFlags &= ~F_VOIDED;
-      mData[newTotalLen] = char_type(0);
-      mLength = newTotalLen;
-      return true;
-    }
-    return ReplacePrepInternal(aCutStart, aCutLength, aNewLength, newTotalLen);
-  }
+                                          size_type aNewLength);

  MOZ_WARN_UNUSED_RESULT bool NS_FASTCALL ReplacePrepInternal(
    index_type aCutStart,