Title: [241668] releases/WebKitGTK/webkit-2.24/Source/_javascript_Core
Revision
241668
Author
carlo...@webkit.org
Date
2019-02-18 08:12:26 -0800 (Mon, 18 Feb 2019)

Log Message

Merge r241550 - CachedBitVector's size must be converted from bits to bytes
https://bugs.webkit.org/show_bug.cgi?id=194441

Reviewed by Saam Barati.

CachedBitVector used its size in bits for memcpy. That didn't cause any
issues when encoding, since the size in bits was also used in the allocation,
but would overflow the actual BitVector buffer when decoding.

* runtime/CachedTypes.cpp:
(JSC::CachedBitVector::encode):
(JSC::CachedBitVector::decode const):

Modified Paths

Diff

Modified: releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/ChangeLog (241667 => 241668)


--- releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/ChangeLog	2019-02-18 16:12:23 UTC (rev 241667)
+++ releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/ChangeLog	2019-02-18 16:12:26 UTC (rev 241668)
@@ -1,3 +1,18 @@
+2019-02-14  Tadeu Zagallo  <tzaga...@apple.com>
+
+        CachedBitVector's size must be converted from bits to bytes
+        https://bugs.webkit.org/show_bug.cgi?id=194441
+
+        Reviewed by Saam Barati.
+
+        CachedBitVector used its size in bits for memcpy. That didn't cause any
+        issues when encoding, since the size in bits was also used in the allocation,
+        but would overflow the actual BitVector buffer when decoding.
+
+        * runtime/CachedTypes.cpp:
+        (JSC::CachedBitVector::encode):
+        (JSC::CachedBitVector::decode const):
+
 2019-02-13  Brian Burg  <bb...@apple.com>
 
         Web Inspector: don't include accessibility role in DOM.Node object payloads
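Review bot: the ChangeLog entry describes the memcpy size fix but does not mention that the member changes from `unsigned m_size` to `size_t m_numBits`; since CachedBitVector is a serialized type, widening that member is worth calling out in the entry so readers of the log know the cached representation changed as well as the copy length.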

Modified: releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/runtime/CachedTypes.cpp (241667 => 241668)


--- releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/runtime/CachedTypes.cpp	2019-02-18 16:12:23 UTC (rev 241667)
+++ releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/runtime/CachedTypes.cpp	2019-02-18 16:12:26 UTC (rev 241668)
@@ -754,23 +754,25 @@
 public:
     void encode(Encoder& encoder, const BitVector& bitVector)
     {
-        m_size = bitVector.size();
-        if (!m_size)
+        m_numBits = bitVector.size();
+        if (!m_numBits)
             return;
-        uint8_t* buffer = this->allocate(encoder, m_size);
-        memcpy(buffer, bitVector.bits(), m_size);
+        size_t sizeInBytes = BitVector::byteCount(m_numBits);
+        uint8_t* buffer = this->allocate(encoder, sizeInBytes);
+        memcpy(buffer, bitVector.bits(), sizeInBytes);
     }
 
     void decode(Decoder&, BitVector& bitVector) const
     {
-        if (!m_size)
+        if (!m_numBits)
             return;
-        bitVector.ensureSize(m_size);
-        memcpy(bitVector.bits(), this->buffer(), m_size);
+        bitVector.ensureSize(m_numBits);
+        size_t sizeInBytes = BitVector::byteCount(m_numBits);
+        memcpy(bitVector.bits(), this->buffer(), sizeInBytes);
     }
 
 private:
-    unsigned m_size;
+    size_t m_numBits;
 };
 
 template<typename T, typename HashArg = typename DefaultHash<T>::Hash>
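Review bot: in `decode`, the `Decoder&` parameter is still unused and the memcpy copies `sizeInBytes` bytes from `this->buffer()` with no check that the decoder actually has that many bytes remaining; the fix makes the copy length consistent with the allocation in `encode`, but a corrupted or truncated cache with an inflated `m_numBits` would still be read past its end, so if the Decoder exposes its bounds, consider validating `sizeInBytes` against them before the copy. A smaller point: `BitVector::byteCount(m_numBits)` is now computed in both `encode` and `decode`; a private `sizeInBytes() const` helper would keep the two paths from drifting apart again.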
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes