StringTypeAdapter constructor is not properly enforcing String::MaxLe…

…ngth. https://bugs.webkit.org/show_bug.cgi?id=190392 <rdar://problem/45116210> Reviewed by Saam Barati. Previously, the StringTypeAdapter constructor for a UChar* string was summing the unsigned length of the source string without an overflow check. We now make that length a size_t which removes this issue, and assert that it's within String::MaxLength thereafter. Also made the StringTypeAdapter constructor for a LChar* string behave in an equivalent manner for consistency. In both cases, we'll crash in a RELEASE_ASSERT if the source string length exceeds String::MaxLength. * wtf/text/StringConcatenate.h: Canonical link: https://commits.webkit.org/205352@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@236969 268f45cc-cd09-0410-ab3c-d52691b4dbfc
WebKit · Oct 9, 2018 · 7d9dd18 · 7d9dd18
1 parent 61ee001
commit 7d9dd18
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 4 deletions.
diff --git a/Source/WTF/ChangeLog b/Source/WTF/ChangeLog
@@ -1,3 +1,22 @@
+2018-10-09  Mark Lam  <mark.lam@apple.com>
+
+        StringTypeAdapter constructor is not properly enforcing String::MaxLength.
+        https://bugs.webkit.org/show_bug.cgi?id=190392
+        <rdar://problem/45116210>
+
+        Reviewed by Saam Barati.
+
+        Previously, the StringTypeAdapter constructor for a UChar* string was summing the
+        unsigned length of the source string without an overflow check.  We now make that
+        length a size_t which removes this issue, and assert that it's within
+        String::MaxLength thereafter.
+
+        Also made the StringTypeAdapter constructor for a LChar* string behave in an
+        equivalent manner for consistency.  In both cases, we'll crash in a RELEASE_ASSERT
+        if the source string length exceeds String::MaxLength.
+
+        * wtf/text/StringConcatenate.h:
+
 2018-10-09  Mark Lam  <mark.lam@apple.com>
 
         Revert temporary asserts for debugging a mysterious ASAN bot crash.

diff --git a/Source/WTF/wtf/text/StringConcatenate.h b/Source/WTF/wtf/text/StringConcatenate.h
@@ -108,8 +108,10 @@ class StringTypeAdapter<const LChar*, void> {
 public:
     StringTypeAdapter(const LChar* characters)
         : m_characters(characters)
-        , m_length(strlen(reinterpret_cast<const char*>(characters)))
     {
+        size_t length = strlen(reinterpret_cast<const char*>(characters));
+        RELEASE_ASSERT(length <= String::MaxLength);
+        m_length = static_cast<unsigned>(length);
     }
 
     unsigned length() const { return m_length; }
@@ -138,12 +140,11 @@ class StringTypeAdapter<const UChar*, void> {
     StringTypeAdapter(const UChar* characters)
         : m_characters(characters)
     {
-        unsigned length = 0;
+        size_t length = 0;
         while (m_characters[length])
             ++length;
-
         RELEASE_ASSERT(length <= String::MaxLength);
-        m_length = length;
+        m_length = static_cast<unsigned>(length);
     }
 
     unsigned length() const { return m_length; }