Bug 735313 - StringBuffer still needs length validation. r=luke
authorJeff Walden <jwalden@mit.edu>
Wed, 14 Mar 2012 12:41:15 -0700
changeset 89403 dc72c4a740246fcd9662e4507aa7fbf69de0de94
parent 89402 caf297562dcb9fb59619b7b2db7977587f73b2e0
child 89404 25af1ffbabcee6653351d186d83489030483daa9
push id1
push userroot
push dateMon, 20 Oct 2014 17:29:22 +0000
reviewersluke
bugs735313
milestone14.0a1
Bug 735313 - StringBuffer still needs length validation. r=luke
js/src/vm/StringBuffer-inl.h
js/src/vm/StringBuffer.cpp
js/src/vm/StringBuffer.h
--- a/js/src/vm/StringBuffer-inl.h
+++ b/js/src/vm/StringBuffer-inl.h
@@ -9,66 +9,48 @@
 
 #include "vm/StringBuffer.h"
 
 #include "vm/String-inl.h"
 
 namespace js {
 
 inline bool
-StringBuffer::checkLength(size_t length)
-{
-    return JSString::validateLength(context(), length);
-}
-
-inline bool
 StringBuffer::reserve(size_t len)
 {
-    if (!checkLength(len))
-        return false;
     return cb.reserve(len);
 }
 
 inline bool
 StringBuffer::resize(size_t len)
 {
-    if (!checkLength(len))
-        return false;
     return cb.resize(len);
 }
 
 inline bool
 StringBuffer::append(const jschar c)
 {
-    if (!checkLength(cb.length() + 1))
-        return false;
     return cb.append(c);
 }
 
 inline bool
 StringBuffer::append(const jschar *chars, size_t len)
 {
-    if (!checkLength(cb.length() + len))
-        return false;
     return cb.append(chars, len);
 }
 
 inline bool
 StringBuffer::append(const jschar *begin, const jschar *end)
 {
-    if (!checkLength(cb.length() + (end - begin)))
-        return false;
     return cb.append(begin, end);
 }
 
 inline bool
 StringBuffer::appendN(const jschar c, size_t n)
 {
-    if (!checkLength(cb.length() + n))
-        return false;
     return cb.appendN(c, n);
 }
 
 /* ES5 9.8 ToString, appending the result to the string buffer. */
 extern bool
 ValueToStringBufferSlow(JSContext *cx, const Value &v, StringBuffer &sb);
 
 inline bool
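Review bot: With the `checkLength` calls dropped from `reserve`, `resize`, `append` and `appendN`, nothing on the inline append path bounds the buffer any more, so a caller that keeps appending can grow the underlying `Vector` far past `JSString::MAX_LENGTH` — limited only by the allocator — before `finishString` rejects it, whereas previously the oversized operation failed fast at the append. That is a memory-pressure change worth stating next to these functions rather than leaving implicit; a comment above the first append such as `// Appends are not length-checked: the JSString length limit is enforced once, in finishString().` would make the contract explicit. If the class exposes any other way to read the accumulated characters (begin/length style accessors are not visible in this hunk), those readers would now see an unvalidated length and would need their own check. The hunk also removes the `cb.length() + len` additions, which is fine since the size_t sum was itself unchecked for overflow in the old code.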
--- a/js/src/vm/StringBuffer.cpp
+++ b/js/src/vm/StringBuffer.cpp
@@ -42,17 +42,18 @@ StringBuffer::extractWellSized()
 JSFixedString *
 StringBuffer::finishString()
 {
     JSContext *cx = context();
     if (cb.empty())
         return cx->runtime->atomState.emptyAtom;
 
     size_t length = cb.length();
-    JS_ASSERT(checkLength(length));
+    if (!JSString::validateLength(cx, length))
+        return NULL;
 
     JS_STATIC_ASSERT(JSShortString::MAX_SHORT_LENGTH < CharBuffer::InlineLength);
     if (JSShortString::lengthFits(length))
         return NewShortString(cx, cb.begin(), length);
 
     if (!cb.append('\0'))
         return NULL;
 
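Review bot: The new `validateLength` check at the top of `finishString` is now the single enforcement point for the string length limit, but the body does not say so, and a reader of this file alone will not know that the inline appends no longer validate. A comment above it, `// Appends are unchecked; this is the only place JSString's length limit is enforced, so it must run before any allocation below.`, would document why the check sits here rather than an assertion. The NULL return presumably leaves an error reported on `cx` (the check takes the context), but that is inferred from the signature, not visible here — worth confirming so callers do not get a NULL with no pending exception. `finishString` continues past the end of this hunk.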
--- a/js/src/vm/StringBuffer.h
+++ b/js/src/vm/StringBuffer.h
@@ -29,17 +29,16 @@ namespace js {
  */
 class StringBuffer
 {
     /* cb's buffer is taken by the new string so use ContextAllocPolicy. */
     typedef Vector<jschar, 32, ContextAllocPolicy> CharBuffer;
 
     CharBuffer cb;
 
-    inline bool checkLength(size_t length);
     JSContext *context() const { return cb.allocPolicy().context(); }
     jschar *extractWellSized();
 
     StringBuffer(const StringBuffer &other) MOZ_DELETE;
     void operator=(const StringBuffer &other) MOZ_DELETE;
 
   public:
     explicit StringBuffer(JSContext *cx) : cb(cx) { }