From b662a8024453c2f29eeadb23a3ee23610a5eaa93 Mon Sep 17 00:00:00 2001
From: Jeff Walden <jwalden@mit.edu>
Date: Thu, 3 Mar 2011 09:37:18 -0800
Subject: [PATCH] Bug 637859. Anchor a string for a bit. r=cdleary, a=bsmedberg

---
 js/src/jsregexp.cpp | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/js/src/jsregexp.cpp b/js/src/jsregexp.cpp
index d9cbc059d47..cd2d1fa3515 100644
--- a/js/src/jsregexp.cpp
+++ b/js/src/jsregexp.cpp
@@ -640,6 +640,7 @@ EscapeNakedForwardSlashes(JSContext *cx, JSString *unescaped)
     const jschar *oldChars = unescaped->getChars(cx);
     if (!oldChars)
         return NULL;
+    JS::Anchor<JSString *> anchor(unescaped);
 
     js::Vector<jschar, 128> newChars(cx);
     for (const jschar *it = oldChars; it < oldChars + oldLen; ++it) {
@@ -647,13 +648,14 @@ EscapeNakedForwardSlashes(JSContext *cx, JSString *unescaped)
             if (!newChars.length()) {
                 if (!newChars.reserve(oldLen + 1))
                     return NULL;
-                newChars.append(oldChars, size_t(it - oldChars));
+                JS_ALWAYS_TRUE(newChars.append(oldChars, size_t(it - oldChars)));
             }
-            newChars.append('\\');
+            if (!newChars.append('\\'))
+                return NULL;
         }
 
-        if (newChars.length())
-            newChars.append(*it);
+        if (!newChars.empty() && !newChars.append(*it))
+            return NULL;
     }
 
     if (newChars.length()) {