Title: [241550] trunk/Source/_javascript_Core
Revision
241550
Author
tzaga...@apple.com
Date
2019-02-14 09:37:23 -0800 (Thu, 14 Feb 2019)

Log Message

CachedBitVector's size must be converted from bits to bytes
https://bugs.webkit.org/show_bug.cgi?id=194441

Reviewed by Saam Barati.

CachedBitVector used its size in bits for memcpy. That didn't cause any
issues when encoding, since the size in bits was also used in the allocation,
but would overflow the actual BitVector buffer when decoding.

* runtime/CachedTypes.cpp:
(JSC::CachedBitVector::encode):
(JSC::CachedBitVector::decode const):

Modified Paths

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (241549 => 241550)


--- trunk/Source/_javascript_Core/ChangeLog	2019-02-14 17:27:19 UTC (rev 241549)
+++ trunk/Source/_javascript_Core/ChangeLog	2019-02-14 17:37:23 UTC (rev 241550)
@@ -1,3 +1,18 @@
+2019-02-14  Tadeu Zagallo  <tzaga...@apple.com>
+
+        CachedBitVector's size must be converted from bits to bytes
+        https://bugs.webkit.org/show_bug.cgi?id=194441
+
+        Reviewed by Saam Barati.
+
+        CachedBitVector used its size in bits for memcpy. That didn't cause any
+        issues when encoding, since the size in bits was also used in the allocation,
+        but would overflow the actual BitVector buffer when decoding.
+
+        * runtime/CachedTypes.cpp:
+        (JSC::CachedBitVector::encode):
+        (JSC::CachedBitVector::decode const):
+
 2019-02-13  Brian Burg  <bb...@apple.com>
 
         Web Inspector: don't include accessibility role in DOM.Node object payloads
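Review bot: The ChangeLog entry understates the encode-side defect: in the removed lines `memcpy(buffer, bitVector.bits(), m_size)` copied `m_size` bytes out of a source buffer that only holds `byteCount(m_size)` bytes, so encoding over-read the BitVector's storage and wrote adjacent memory into the cache even though the destination allocation was consistently oversized. Suggest rewording "That didn't cause any issues when encoding" to say the encode side over-read the source bits while the decode side overflowed the destination, so the entry records both halves of the bug.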

Modified: trunk/Source/_javascript_Core/runtime/CachedTypes.cpp (241549 => 241550)


--- trunk/Source/_javascript_Core/runtime/CachedTypes.cpp	2019-02-14 17:27:19 UTC (rev 241549)
+++ trunk/Source/_javascript_Core/runtime/CachedTypes.cpp	2019-02-14 17:37:23 UTC (rev 241550)
@@ -754,23 +754,25 @@
 public:
     void encode(Encoder& encoder, const BitVector& bitVector)
     {
-        m_size = bitVector.size();
-        if (!m_size)
+        m_numBits = bitVector.size();
+        if (!m_numBits)
             return;
-        uint8_t* buffer = this->allocate(encoder, m_size);
-        memcpy(buffer, bitVector.bits(), m_size);
+        size_t sizeInBytes = BitVector::byteCount(m_numBits);
+        uint8_t* buffer = this->allocate(encoder, sizeInBytes);
+        memcpy(buffer, bitVector.bits(), sizeInBytes);
     }
 
     void decode(Decoder&, BitVector& bitVector) const
     {
-        if (!m_size)
+        if (!m_numBits)
             return;
-        bitVector.ensureSize(m_size);
-        memcpy(bitVector.bits(), this->buffer(), m_size);
+        bitVector.ensureSize(m_numBits);
+        size_t sizeInBytes = BitVector::byteCount(m_numBits);
+        memcpy(bitVector.bits(), this->buffer(), sizeInBytes);
     }
 
 private:
-    unsigned m_size;
+    size_t m_numBits;
 };
 
 template<typename T, typename HashArg = typename DefaultHash<T>::Hash>
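Review bot: `decode` still copies `BitVector::byteCount(m_numBits)` bytes from `this->buffer()` without checking that the cached payload actually contains that many bytes; `m_numBits` comes from the cache, and the `Decoder&` parameter is left unused, so a truncated or corrupted cache would still read past the source buffer even though the destination is now sized correctly by `ensureSize(m_numBits)`. Suggest validating the cached length against the decoder's bounds before the `memcpy`, or having `buffer()` take the expected byte count so the check lives in one place. Minor: widening `m_size` from `unsigned` to `size_t m_numBits` changes the serialized layout of `CachedBitVector`, which should be called out in the ChangeLog if existing cache files can be encountered.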
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
