Bug 1113005 - Copy only the necessary number of bytes from the source buffer; r=froydnj
authorEhsan Akhgari <ehsan@mozilla.com>
Sat, 20 Dec 2014 10:25:02 -0500
changeset 220729 663e8640e19681aaa1c137fdd29035abc972bf4e
parent 220728 592ac8d27270b29181053dd209cb93e70e608a53
child 220730 fa443367d637e3ec05de1fca2920a7662a6520a1
push id27996
push userphilringnalda@gmail.com
push dateSat, 20 Dec 2014 20:17:43 +0000
reviewersfroydnj
bugs1113005
milestone37.0a1
Bug 1113005 - Copy only the necessary number of bytes from the source buffer; r=froydnj
xpcom/string/crashtests/1113005-frame.html
xpcom/string/crashtests/1113005.html
xpcom/string/crashtests/crashtests.list
xpcom/string/nsTStringObsolete.cpp
new file mode 100644
--- /dev/null
+++ b/xpcom/string/crashtests/1113005-frame.html
@@ -0,0 +1,5 @@
+<form method=post enctype=multipart/form-data action="data:text/html,"><textarea name='file"; filename="filename.ext
+ '></textarea>
+<script>
+document.forms[0].submit();
+</script>
new file mode 100644
--- /dev/null
+++ b/xpcom/string/crashtests/1113005.html
@@ -0,0 +1,2 @@
+<!DOCTYPE html>
+<iframe src="1113005-frame.html"></iframe>
--- a/xpcom/string/crashtests/crashtests.list
+++ b/xpcom/string/crashtests/crashtests.list
@@ -1,2 +1,3 @@
 load 394275-1.html
 load 395651-1.html
+load 1113005.html
--- a/xpcom/string/nsTStringObsolete.cpp
+++ b/xpcom/string/nsTStringObsolete.cpp
@@ -494,23 +494,26 @@ nsTString_CharT::ReplaceSubstring( const
   // found, and there's nothing to do.
   if (nonMatching.Length() == 1) {
     MOZ_ASSERT(nonMatching[0].mBegin == 0 && nonMatching[0].mLength == mLength,
                "We should have the correct non-matching segment.");
     return;
   }
 
   // Make sure that we can mutate our buffer.
+  // Note that we always allocate at least an mLength sized buffer, because the
+  // rest of the algorithm relies on having access to all of the original
+  // string.  In other words, we over-allocate in the shrinking case.
   char_type* oldData;
   uint32_t oldFlags;
   if (!MutatePrep(XPCOM_MAX(mLength, newLength), &oldData, &oldFlags))
     return;
   if (oldData) {
     // Copy all of the old data to the new buffer.
-    char_traits::copy(mData, oldData, XPCOM_MAX(mLength, newLength));
+    char_traits::copy(mData, oldData, mLength);
     ::ReleaseData(oldData, oldFlags);
   }
 
   if (aTarget.Length() >= aNewValue.Length()) {
     // In the shrinking case, start filling the buffer from the beginning.
     const uint32_t delta = (aTarget.Length() - aNewValue.Length());
     for (i = 1; i < nonMatching.Length(); ++i) {
       // When we move the i'th non-matching segment into position, we need to
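Review bot: The corrected copy on the `char_traits::copy(mData, oldData, mLength);` line is only safe because `oldData` holds exactly `mLength` characters, and that invariant is stated nowhere near the call; the new comment above `MutatePrep` explains why the destination is at least `mLength` wide but not why the source must not be read further. The previous length, `XPCOM_MAX(mLength, newLength)`, read past the end of the old buffer whenever `newLength > mLength`, which is what the added crashtest exercises, so a reader skimming this line later could plausibly "restore" it. I would replace the existing `// Copy all of the old data to the new buffer.` with `// Copy all of the old data to the new buffer.  oldData holds exactly mLength chars, so copying more (e.g. newLength in the growing case) would read past the end of the old allocation.` The null-terminator handling and the in-place case (`oldData == nullptr`) are not visible here and presumably are handled by the rest of the routine; ReplaceSubstring starts and ends outside this hunk.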