Back out
bug 735313, an invariant was relaxed but not all assertions of it were adjusted properly, and I'm not 100% confident tinderboxen will correctly handle the new failure mode. r=bustage
Back out
bug 735313, an invariant was relaxed but not all assertions of it were adjusted properly, and I'm not 100% confident tinderboxen will correctly handle the new failure mode. r=bustage
--- a/js/src/vm/StringBuffer-inl.h
+++ b/js/src/vm/StringBuffer-inl.h
@@ -9,48 +9,66 @@
#include "vm/StringBuffer.h"
#include "vm/String-inl.h"
namespace js {
inline bool
+StringBuffer::checkLength(size_t length)
+{
+ return JSString::validateLength(context(), length);
+}
+
+inline bool
StringBuffer::reserve(size_t len)
{
+ if (!checkLength(len))
+ return false;
return cb.reserve(len);
}
inline bool
StringBuffer::resize(size_t len)
{
+ if (!checkLength(len))
+ return false;
return cb.resize(len);
}
inline bool
StringBuffer::append(const jschar c)
{
+ if (!checkLength(cb.length() + 1))
+ return false;
return cb.append(c);
}
inline bool
StringBuffer::append(const jschar *chars, size_t len)
{
+ if (!checkLength(cb.length() + len))
+ return false;
return cb.append(chars, len);
}
inline bool
StringBuffer::append(const jschar *begin, const jschar *end)
{
+ if (!checkLength(cb.length() + (end - begin)))
+ return false;
return cb.append(begin, end);
}
inline bool
StringBuffer::appendN(const jschar c, size_t n)
{
+ if (!checkLength(cb.length() + n))
+ return false;
return cb.appendN(c, n);
}
/* ES5 9.8 ToString, appending the result to the string buffer. */
extern bool
ValueToStringBufferSlow(JSContext *cx, const Value &v, StringBuffer &sb);
inline bool
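Review bot: The length checks in the `append` overloads and `appendN` do the addition in `size_t` before validating, so `cb.length() + len` (and `cb.length() + n`) can wrap to a small value that passes `checkLength` when the caller-supplied count is very large. In the pointer-pair overload, `end - begin` is a signed difference, so a reversed range converts to a huge unsigned addend with the same effect. Whether `cb.append` then rejects the request depends on the vector's own overflow handling, which is not visible in this hunk. Validating the addend first avoids relying on that, e.g. `if (!checkLength(len) || !checkLength(cb.length() + len)) return false;`, assuming `validateLength` caps lengths well below half of `SIZE_MAX`.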
--- a/js/src/vm/StringBuffer.cpp
+++ b/js/src/vm/StringBuffer.cpp
@@ -42,18 +42,17 @@ StringBuffer::extractWellSized()
JSFixedString *
StringBuffer::finishString()
{
JSContext *cx = context();
if (cb.empty())
return cx->runtime->atomState.emptyAtom;
size_t length = cb.length();
- if (!JSString::validateLength(cx, length))
- return NULL;
+ JS_ASSERT(checkLength(length));
JS_STATIC_ASSERT(JSShortString::MAX_SHORT_LENGTH < CharBuffer::InlineLength);
if (JSShortString::lengthFits(length))
return NewShortString(cx, cb.begin(), length);
if (!cb.append('\0'))
return NULL;
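Review bot: `JS_ASSERT(checkLength(length))` leaves `finishString` with no length check in release builds, where the assertion is compiled out. The limit then holds only if every path that grows `cb` goes through `checkLength`, and `cb.append('\0')` just below already calls the vector directly. Keeping a cheap runtime guard as defense in depth, `if (!checkLength(length)) return NULL;`, would make an overlong buffer fail cleanly instead of becoming a string. `checkLength` forwards to `JSString::validateLength(context(), length)`, which presumably reports on the context when it fails, so the asserted expression may have side effects that exist only in debug builds. The body of `finishString` continues past the end of this hunk.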
--- a/js/src/vm/StringBuffer.h
+++ b/js/src/vm/StringBuffer.h
@@ -29,16 +29,17 @@ namespace js {
*/
class StringBuffer
{
/* cb's buffer is taken by the new string so use ContextAllocPolicy. */
typedef Vector<jschar, 32, ContextAllocPolicy> CharBuffer;
CharBuffer cb;
+ inline bool checkLength(size_t length);
JSContext *context() const { return cb.allocPolicy().context(); }
jschar *extractWellSized();
StringBuffer(const StringBuffer &other) MOZ_DELETE;
void operator=(const StringBuffer &other) MOZ_DELETE;
public:
explicit StringBuffer(JSContext *cx) : cb(cx) { }