Commit 69314b42 authored by Joshua Litt, committed by Commit Bot

[replaceAll] Fix replaceAll overflow with StringCompareSequence.

Fixes a potential overflow when using the runtime's StringCompareSequence
by checking the string length first.

Bug: chromium:1032906
Change-Id: I7cb94473ae8331dd2ecf1fa98034829bebf8a9ac
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1973936
Commit-Queue: Joshua Litt <joshualitt@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65558}
parent 75a26837
...@@ -40,15 +40,16 @@ namespace string { ...@@ -40,15 +40,16 @@ namespace string {
macro AbstractStringIndexOf(implicit context: Context)( macro AbstractStringIndexOf(implicit context: Context)(
string: String, searchString: String, fromIndex: Smi): Smi { string: String, searchString: String, fromIndex: Smi): Smi {
// Special case the empty string. // Special case the empty string.
if (searchString.length_intptr == 0 && const searchStringLength = searchString.length_intptr;
SmiUntag(fromIndex) <= string.length_intptr) { const stringLength = string.length_intptr;
if (searchStringLength == 0 && SmiUntag(fromIndex) <= stringLength) {
return fromIndex; return fromIndex;
} }
// Don't bother to search if the searchString would go past the end // Don't bother to search if the searchString would go past the end
// of the string. This is actually necessary because of runtime // of the string. This is actually necessary because of runtime
// checks. // checks.
if (fromIndex + searchString.length_smi > string.length_smi) { if (SmiUntag(fromIndex) + searchStringLength > stringLength) {
return -1; return -1;
} }
...@@ -57,7 +58,8 @@ namespace string { ...@@ -57,7 +58,8 @@ namespace string {
otherwise Slow; otherwise Slow;
} }
label Slow { label Slow {
for (let i: intptr = SmiUntag(fromIndex); i < string.length_intptr; i++) { for (let i: intptr = SmiUntag(fromIndex);
i + searchStringLength <= stringLength; i++) {
if (StringCompareSequence( if (StringCompareSequence(
context, string, searchString, Convert<Number>(SmiTag(i))) == context, string, searchString, Convert<Number>(SmiTag(i))) ==
True) { True) {
......
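Review bot: Both the early-out `if (SmiUntag(fromIndex) + searchStringLength > stringLength)` and the new Slow-loop bound `i + searchStringLength <= stringLength` only keep `StringCompareSequence` in range when `fromIndex` is non-negative; a negative `fromIndex` still passes the guard and becomes a negative start position for the loop, so if callers are expected to clamp it before reaching this macro (not visible here), an `assert(SmiUntag(fromIndex) >= 0);` at the top of the macro would pin that precondition. The comment above the guard, "This is actually necessary because of runtime checks", no longer says why the loop bound also had to change; I would reword it to `// StringCompareSequence presumably compares searchString.length characters of string starting at the given position without checking against string.length (see the commit message), so every position tried here and in the Slow loop below must satisfy position + searchStringLength <= stringLength.` The body of AbstractStringIndexOf continues past the end of this hunk.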
...@@ -104,3 +104,6 @@ assertEquals('a', 'a'.replaceAll(%ConstructConsString('abcdefghijklmn', ...@@ -104,3 +104,6 @@ assertEquals('a', 'a'.replaceAll(%ConstructConsString('abcdefghijklmn',
'def'), 'b')); 'def'), 'b'));
assertEquals('b', 'abcdefghijklmndef'.replaceAll( assertEquals('b', 'abcdefghijklmndef'.replaceAll(
%ConstructConsString('abcdefghijklmn', 'def'), 'b')); %ConstructConsString('abcdefghijklmn', 'def'), 'b'));
assertEquals('aaaaaaaaaaaaaaaaaa', 'aaaaaaaaaaaaaaaaaa'.replaceAll(
%ConstructConsString('abcdefghijklmn', 'def'), 'b'));