diff options
Diffstat (limited to 'Source/JavaScriptCore/runtime/Operations.h')
| -rw-r--r-- | Source/JavaScriptCore/runtime/Operations.h | 33 |
1 files changed, 14 insertions, 19 deletions
diff --git a/Source/JavaScriptCore/runtime/Operations.h b/Source/JavaScriptCore/runtime/Operations.h index afac13000..e628662e0 100644 --- a/Source/JavaScriptCore/runtime/Operations.h +++ b/Source/JavaScriptCore/runtime/Operations.h @@ -42,13 +42,13 @@ ALWAYS_INLINE JSValue jsString(ExecState* exec, JSString* s1, JSString* s2) { VM& vm = exec->vm(); - unsigned length1 = s1->length(); + int32_t length1 = s1->length(); if (!length1) return s2; - unsigned length2 = s2->length(); + int32_t length2 = s2->length(); if (!length2) return s1; - if ((length1 + length2) < length1) + if ((length1 + length2) < 0) return throwOutOfMemoryError(exec); return JSRopeString::create(vm, s1, s2); @@ -58,9 +58,13 @@ ALWAYS_INLINE JSValue jsString(ExecState* exec, const String& u1, const String& { VM* vm = &exec->vm(); - unsigned length1 = u1.length(); - unsigned length2 = u2.length(); - unsigned length3 = u3.length(); + int32_t length1 = u1.length(); + int32_t length2 = u2.length(); + int32_t length3 = u3.length(); + + if (length1 < 0 || length2 < 0 || length3 < 0) + return throwOutOfMemoryError(exec); + if (!length1) return jsString(exec, jsString(vm, u2), jsString(vm, u3)); if (!length2) @@ -68,9 +72,9 @@ ALWAYS_INLINE JSValue jsString(ExecState* exec, const String& u1, const String& if (!length3) return jsString(exec, jsString(vm, u1), jsString(vm, u2)); - if ((length1 + length2) < length1) + if ((length1 + length2) < 0) return throwOutOfMemoryError(exec); - if ((length1 + length2 + length3) < length3) + if ((length1 + length2 + length3) < 0) return throwOutOfMemoryError(exec); return JSRopeString::create(exec->vm(), jsString(vm, u1), jsString(vm, u2), jsString(vm, u3)); @@ -81,15 +85,11 @@ ALWAYS_INLINE JSValue jsString(ExecState* exec, Register* strings, unsigned coun VM* vm = &exec->vm(); JSRopeString::RopeBuilder ropeBuilder(*vm); - unsigned oldLength = 0; - for (unsigned i = 0; i < count; ++i) { JSValue v = strings[i].jsValue(); - ropeBuilder.append(v.toString(exec)); - if (ropeBuilder.length() < oldLength) // True for overflow + if (!ropeBuilder.append(v.toString(exec))) return throwOutOfMemoryError(exec); - oldLength = ropeBuilder.length(); } return ropeBuilder.release(); @@ -101,15 +101,10 @@ ALWAYS_INLINE JSValue jsStringFromArguments(ExecState* exec, JSValue thisValue) JSRopeString::RopeBuilder ropeBuilder(*vm); ropeBuilder.append(thisValue.toString(exec)); - unsigned oldLength = 0; - for (unsigned i = 0; i < exec->argumentCount(); ++i) { JSValue v = exec->argument(i); - ropeBuilder.append(v.toString(exec)); - - if (ropeBuilder.length() < oldLength) // True for overflow + if (!ropeBuilder.append(v.toString(exec))) return throwOutOfMemoryError(exec); - oldLength = ropeBuilder.length(); } return ropeBuilder.release(); |