AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity

Fix overflow in WriteQuoteJsonString and SlowQuoteJsonString

Browse Source 
R=yangguo@chromium.org
BUG=

Review URL: https://codereview.chromium.org/12326120

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13730 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This commit is contained in:
dcarney@chromium.org 2013-02-26 11:02:39 +00:00
parent 95c5e68714
commit 52a015b1af
2 changed files with 15 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
src/runtime.cc
View File

@ -5248,7 +5248,7 @@ static MaybeObject* SlowQuoteJsonString(Isolate* isolate,
int quoted_length = kSpaceForQuotes;
while (read_cursor < end) {
Char c = *(read_cursor++);
if (sizeof(Char) > 1u && static_cast<unsigned>(c) >= kQuoteTableLength) {
if (static_cast<unsigned>(c) >= kQuoteTableLength) {
quoted_length++;
} else {
quoted_length += JsonQuoteLengths[static_cast<unsigned>(c)];
@ -5270,7 +5270,7 @@ static MaybeObject* SlowQuoteJsonString(Isolate* isolate,
read_cursor = characters.start();
while (read_cursor < end) {
Char c = *(read_cursor++);
if (sizeof(Char) > 1u && static_cast<unsigned>(c) >= kQuoteTableLength) {
if (static_cast<unsigned>(c) >= kQuoteTableLength) {
*(write_cursor++) = c;
} else {
int len = JsonQuoteLengths[static_cast<unsigned>(c)];
@ -5298,8 +5298,7 @@ static inline SinkChar* WriteQuoteJsonString(
*(write_cursor++) = '"';
while (read_cursor < end) {
SourceChar c = *(read_cursor++);
if (sizeof(SourceChar) > 1u &&
static_cast<unsigned>(c) >= kQuoteTableLength) {
if (static_cast<unsigned>(c) >= kQuoteTableLength) {
*(write_cursor++) = static_cast<SinkChar>(c);
} else {
int len = JsonQuoteLengths[static_cast<unsigned>(c)];

12
test/mjsunit/regress/regress-latin-1.js
View File

@ -76,3 +76,15 @@ assertTrue(/[\u039b-\u039d]/i.test('\u00b5'));
assertFalse(/[^\u039b-\u039d]/i.test('\u00b5'));
assertFalse(/[\u039b-\u039d]/.test('\u00b5'));
assertTrue(/[^\u039b-\u039d]/.test('\u00b5'));
// Check a regression in QuoteJsonSlow and WriteQuoteJsonString
for (var testNumber = 0; testNumber < 2; testNumber++) {
var testString = "\xdc";
var loopLength = testNumber == 0 ? 0 : 20;
for (var i = 0; i < loopLength; i++ ) {
testString += testString;
}
var stringified = JSON.stringify({"test" : testString}, null, 0);
var stringifiedExpected = '{"test":"' + testString + '"}';
assertEquals(stringifiedExpected, stringified);
}