2011-06-08 Mikołaj Małecki <m.malecki@samsung.com>
author: loislo@chromium.org <loislo@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 8 Jun 2011 18:24:06 +0000 (18:24 +0000)
committer: loislo@chromium.org <loislo@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 8 Jun 2011 18:24:06 +0000 (18:24 +0000)
        Reviewed by Pavel Feldman.

        Web Inspector: Crash by buffer overrun when serializing inspector object tree.
        https://bugs.webkit.org/show_bug.cgi?id=52791

        No new tests. The problem can be reproduced by trying to create an InspectorValue
        from 1.0e-100 and calling ->toJSONString() on it.

        * inspector/InspectorValues.cpp:
        (WebCore::InspectorBasicValue::writeJSON):
        Added checking the predicted buffer size and choosing exponential format, or
        eventually "NaN" if the buffer is too small for decimal format.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@88365 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/JavaScriptCore/JavaScriptCore.exp
Source/WebCore/ChangeLog
Source/WebCore/inspector/InspectorValues.cpp

index 2c94c1bdaf1118737c2395cf9faa45c5f0fff775..fa0041da10b127e33b4136d71aa8f5b0ac987020 100644 (file)
@@ -572,7 +572,9 @@ __ZNK3JSC9HashTable11createTableEPNS_12JSGlobalDataE
 __ZNK3JSC9HashTable11deleteTableEv
 __ZNK3WTF12AtomicString5lowerEv
 __ZNK3WTF13DecimalNumber15toStringDecimalEPtj
+__ZNK3WTF13DecimalNumber19toStringExponentialEPtj
 __ZNK3WTF13DecimalNumber28bufferLengthForStringDecimalEv
+__ZNK3WTF13DecimalNumber32bufferLengthForStringExponentialEv
 __ZNK3WTF6String11toIntStrictEPbi
 __ZNK3WTF6String12toUIntStrictEPbi
 __ZNK3WTF6String13toInt64StrictEPbi
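Review bot: the two new exports in JavaScriptCore.exp have no matching ChangeLog entry; the file list for this commit carries only Source/WebCore/ChangeLog, so the JavaScriptCore side of the change (exporting `DecimalNumber::toStringExponential` and `DecimalNumber::bufferLengthForStringExponential` so WebCore can link against them) is undocumented. Please add a Source/JavaScriptCore/ChangeLog entry that names JavaScriptCore.exp and states why the symbols are now exported. The placement itself is fine: both lines sit in sorted order next to their existing `toStringDecimal` and `bufferLengthForStringDecimal` counterparts.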
index 69b1b63209fdb570f5e15746d51d14e1cd9bf173..6d7005cbf146fd1aa6808c6748f50ec716897e75 100644 (file)
@@ -1,3 +1,18 @@
+2011-06-08  Mikołaj Małecki  <m.malecki@samsung.com>
+
+        Reviewed by Pavel Feldman.
+
+        Web Inspector: Crash by buffer overrun crash when serializing inspector object tree.
+        https://bugs.webkit.org/show_bug.cgi?id=52791
+
+        No new tests. The problem can be reproduced by trying to create InspectorValue
+        from 1.0e-100 and call ->toJSONString() on this.
+
+        * inspector/InspectorValues.cpp:
+        (WebCore::InspectorBasicValue::writeJSON):
+        Added checking the predicted buffer size and choosing exponential format, or
+        eventually "NaN" if the buffer is too small for decimal format.
+
 2011-06-08  Nico Weber  <thakis@chromium.org>
 
         Reviewed by Darin Adler.
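Review bot: "No new tests" is hard to justify here, because the entry itself gives a deterministic reproduction (build an InspectorValue from 1.0e-100 and call toJSONString()). A regression test that serializes such a value and checks the output would both prove the overrun is gone and pin down the format chosen for values that do not fit the decimal buffer. Separately, the bug title on the first line of the entry repeats the word "crash" ("Crash by buffer overrun crash when serializing ..."); drop the second occurrence.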
index 09d1258bf9ecd43bd317850e62fc7ed056b5ddff..c80de510d039117c8e4a1071ef9cc23a65f8e0d3 100644 (file)
@@ -620,7 +620,18 @@ void InspectorBasicValue::writeJSON(Vector<UChar>* output) const
             output->append(falseString, 5);
     } else if (type() == TypeNumber) {
         NumberToStringBuffer buffer;
-        unsigned length = DecimalNumber(m_doubleValue).toStringDecimal(buffer, WTF::NumberToStringBufferLength);
+        DecimalNumber decimal = m_doubleValue;
+        unsigned length = 0;
+        if (decimal.bufferLengthForStringDecimal() > WTF::NumberToStringBufferLength) {
+            // Not enough room for decimal. Use exponential format.
+            if (decimal.bufferLengthForStringExponential() > WTF::NumberToStringBufferLength) {
+                // Fallback for an abnormal case if it's too little even for exponential.
+                output->append("NaN", 3);
+                return;
+            }
+            length = decimal.toStringExponential(buffer, WTF::NumberToStringBufferLength);
+        } else
+            length = decimal.toStringDecimal(buffer, WTF::NumberToStringBufferLength);
         output->append(buffer, length);
     }
 }
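Review bot: the fallback writes the literal `"NaN"` into the output, but NaN is not a JSON value, so the `toJSONString()` result becomes unparseable for any strict JSON consumer the moment this branch is taken; emitting `null` (or `0`) would keep the document well-formed while still avoiding the overrun. The bounds check itself is the right shape: `bufferLengthForStringDecimal()` and `bufferLengthForStringExponential()` are compared against `WTF::NumberToStringBufferLength` before anything is written, which is what the old code lacked (the removed line passed the buffer length to `toStringDecimal` and still overran, so that argument alone evidently does not bound the write). Two smaller points: the comment "Fallback for an abnormal case" should say concretely that this is a value whose exponential form exceeds `NumberToStringBufferLength`, and since the author expects it never to happen, an `ASSERT_NOT_REACHED()` next to the `return` would surface it in debug builds instead of silently producing bad output. The braced `if` paired with an unbraced `else` on the last two added lines is also worth making consistent for readability.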