2009-04-19 Sam Weinig <sam@webkit.org>

Reviewed by Darin Adler. Better fix for JSStringCreateWithCFString hardening. * API/JSStringRefCF.cpp: (JSStringCreateWithCFString): git-svn-id: svn://svn.chromium.org/blink/trunk@42662 bbb929c8-8fbe-4397-9dbb-9b2b20218538

2009-04-19 Sam Weinig <sam@webkit.org>
Reviewed by Darin Adler. Better fix for JSStringCreateWithCFString hardening. * API/JSStringRefCF.cpp: (JSStringCreateWithCFString): git-svn-id: svn://svn.chromium.org/blink/trunk@42662 bbb929c8-8fbe-4397-9dbb-9b2b20218538
16ccab9f · weinig@apple.com · 2ff8a023 · 16ccab9f · 16ccab9f
Commit 16ccab9f authored Apr 19, 2009 by weinig@apple.com
Showing with 13 additions and 3 deletions

third_party/WebKit/JavaScriptCore/API/JSStringRefCF.cpp third_party/WebKit/JavaScriptCore/API/JSStringRefCF.cpp +4 -3

third_party/WebKit/JavaScriptCore/ChangeLog third_party/WebKit/JavaScriptCore/ChangeLog +9 -0

No files found.
--- a/third_party/WebKit/JavaScriptCore/API/JSStringRefCF.cpp
+++ b/third_party/WebKit/JavaScriptCore/API/JSStringRefCF.cpp
@@ -37,9 +37,10 @@
 JSStringRef JSStringCreateWithCFString(CFStringRef string)
 {
    JSC::initializeThreading();
-    CFIndex length = CFStringGetLength(string);
-    if (length < 0)
-        CRASH():
+
+    // We cannot use CFIndex here since CFStringGetLength can return values larger than
+    // it can hold.  (<rdar://problem/6806478>)
+    size_t length = CFStringGetLength(string);
    if (length) {
        OwnArrayPtr<UniChar> buffer(new UniChar[length]);
        CFStringGetCharacters(string, CFRangeMake(0, length), buffer.get());

--- a/third_party/WebKit/JavaScriptCore/ChangeLog
+++ b/third_party/WebKit/JavaScriptCore/ChangeLog
+2009-04-19  Sam Weinig  <sam@webkit.org>
+
+        Reviewed by Darin Adler.
+
+        Better fix for JSStringCreateWithCFString hardening.
+
+        * API/JSStringRefCF.cpp:
+        (JSStringCreateWithCFString):
+
 2009-04-19  Sam Weinig  <sam@webkit.org>

        Reviewed by Dan Bernstein.