Bug 1275867 - Null-terminate the buffer passed from ParseFloatLiteral to js_strtod_harder. r=bbouvier
author Mike Hommey <mh+mozilla@glandium.org>
Thu, 26 May 2016 21:25:16 +0900
changeset 338185 5935b7839e2b62ca5e7112efce0b020c6bc98825
parent 338184 8585521af418b7ad5b65e908692b9951d59375b2
child 338186 a021e3facc2a0828c2a1f7bcc386c10f10570036
push id 6249
push user jlund@mozilla.com
push date Mon, 01 Aug 2016 13:59:36 +0000
reviewers bbouvier
bugs 1275867
milestone 49.0a1
Bug 1275867 - Null-terminate the buffer passed from ParseFloatLiteral to js_strtod_harder. r=bbouvier

It was also overallocated in the case of negative numbers, so fixed that at the same time.
js/src/asmjs/WasmTextToBinary.cpp
--- a/js/src/asmjs/WasmTextToBinary.cpp
+++ b/js/src/asmjs/WasmTextToBinary.cpp
@@ -1725,21 +1725,22 @@ ParseFloatLiteral(WasmParseContext& c, W
             c.ts.generateError(token, c.error);
             return false;
         }
         break;
       case WasmToken::DecNumber: {
         // Call into JS' strtod. Tokenization has already required that the
         // string is well-behaved.
         LifoAlloc::Mark mark = c.lifo.mark();
-        char* buffer = c.lifo.newArray<char>(end - begin + 1);
+        char* buffer = c.lifo.newArray<char>(end - cur + 1);
         if (!buffer)
             return false;
         for (ptrdiff_t i = 0; i < end - cur; ++i)
             buffer[i] = char(cur[i]);
+        buffer[end - cur] = '\0';
         char* strtod_end;
         int err;
         Float d = (Float)js_strtod_harder(c.dtoaState, buffer, &strtod_end, &err);
         if (err != 0 || strtod_end == buffer) {
             c.lifo.release(mark);
             c.ts.generateError(token, c.error);
             return false;
         }
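Review bot: the error check after the call only rejects the case where no characters were consumed (`strtod_end == buffer`); it does not confirm that js_strtod_harder consumed the whole buffer, so with the string now properly terminated a trailing character between `strtod_end` and `buffer + (end - cur)` would be silently ignored rather than diagnosed. The comment above the allocation says tokenization has already validated the string, so the cheap way to document and enforce that assumption is an assertion on the success path, e.g. `MOZ_ASSERT(strtod_end == buffer + (end - cur));`, which would also have caught the `begin`/`cur` size mismatch this patch fixes. The same tokenizer guarantee is what makes the narrowing `char(cur[i])` copy safe; a one-line comment there saying so would help the next reader.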