2009-04-19 Sam Weinig <sam@webkit.org>

Reviewed by Dan Bernstein. Fix for <rdar://problem/5860954> Harden JSStringCreateWithCFString against malformed CFStringRefs. * API/JSStringRefCF.cpp: (JSStringCreateWithCFString): git-svn-id: svn://svn.chromium.org/blink/trunk@42659 bbb929c8-8fbe-4397-9dbb-9b2b20218538

2009-04-19 Sam Weinig <sam@webkit.org>
Reviewed by Dan Bernstein. Fix for <rdar://problem/5860954> Harden JSStringCreateWithCFString against malformed CFStringRefs. * API/JSStringRefCF.cpp: (JSStringCreateWithCFString): git-svn-id: svn://svn.chromium.org/blink/trunk@42659 bbb929c8-8fbe-4397-9dbb-9b2b20218538
6378da9c · weinig@apple.com · be917321 · 6378da9c · 6378da9c
Commit 6378da9c authored Apr 19, 2009 by weinig@apple.com
Showing with 12 additions and 0 deletions

third_party/WebKit/JavaScriptCore/API/JSStringRefCF.cpp third_party/WebKit/JavaScriptCore/API/JSStringRefCF.cpp +2 -0

third_party/WebKit/JavaScriptCore/ChangeLog third_party/WebKit/JavaScriptCore/ChangeLog +10 -0

No files found.
--- a/third_party/WebKit/JavaScriptCore/API/JSStringRefCF.cpp
+++ b/third_party/WebKit/JavaScriptCore/API/JSStringRefCF.cpp
@@ -38,6 +38,8 @@ JSStringRef JSStringCreateWithCFString(CFStringRef string)
 {
    JSC::initializeThreading();
    CFIndex length = CFStringGetLength(string);
+    if (length < 0)
+        CRASH():
    if (length) {
        OwnArrayPtr<UniChar> buffer(new UniChar[length]);
        CFStringGetCharacters(string, CFRangeMake(0, length), buffer.get());

--- a/third_party/WebKit/JavaScriptCore/ChangeLog
+++ b/third_party/WebKit/JavaScriptCore/ChangeLog
+2009-04-19  Sam Weinig  <sam@webkit.org>
+
+        Reviewed by Dan Bernstein.
+
+        Fix for <rdar://problem/5860954>
+        Harden JSStringCreateWithCFString against malformed CFStringRefs.
+
+        * API/JSStringRefCF.cpp:
+        (JSStringCreateWithCFString):
+
 2009-04-19  David Kilzer  <ddkilzer@apple.com>

        Make FEATURE_DEFINES completely dynamic