Bug 555462 - Back out changeset a0f0fde99844 for causing a buffer overrun.
This commit is contained in:
Henri Sivonen
@@ -191,6 +191,38 @@ nsHtml5Tokenizer::emptyAttributes()
|
||||
return nsHtml5HtmlAttributes::EMPTY_ATTRIBUTES;
|
||||
}
|
||||
|
||||
void
|
||||
nsHtml5Tokenizer::clearStrBufAndAppendCurrentC(PRUnichar c)
|
||||
{
|
||||
strBuf[0] = c;
|
||||
strBufLen = 1;
|
||||
}
|
||||
|
||||
void
|
||||
nsHtml5Tokenizer::clearStrBufAndAppendForceWrite(PRUnichar c)
|
||||
{
|
||||
strBuf[0] = c;
|
||||
strBufLen = 1;
|
||||
}
|
||||
|
||||
void
|
||||
nsHtml5Tokenizer::clearStrBufForNextState()
|
||||
{
|
||||
strBufLen = 0;
|
||||
}
|
||||
|
||||
void
|
||||
nsHtml5Tokenizer::appendStrBuf(PRUnichar c)
|
||||
{
|
||||
if (strBufLen == strBuf.length) {
|
||||
jArray<PRUnichar,PRInt32> newBuf = jArray<PRUnichar,PRInt32>(strBuf.length + NS_HTML5TOKENIZER_BUFFER_GROW_BY);
|
||||
nsHtml5ArrayCopy::arraycopy(strBuf, newBuf, strBuf.length);
|
||||
strBuf.release();
|
||||
strBuf = newBuf;
|
||||
}
|
||||
strBuf[strBufLen++] = c;
|
||||
}
|
||||
|
||||
nsString*
|
||||
nsHtml5Tokenizer::strBufToString()
|
||||
{
|
||||
@@ -211,6 +243,44 @@ nsHtml5Tokenizer::emitStrBuf()
|
||||
}
|
||||
}
|
||||
|
||||
void
|
||||
nsHtml5Tokenizer::clearLongStrBufForNextState()
|
||||
{
|
||||
longStrBufLen = 0;
|
||||
}
|
||||
|
||||
void
|
||||
nsHtml5Tokenizer::clearLongStrBuf()
|
||||
{
|
||||
longStrBufLen = 0;
|
||||
}
|
||||
|
||||
void
|
||||
nsHtml5Tokenizer::clearLongStrBufAndAppendCurrentC(PRUnichar c)
|
||||
{
|
||||
longStrBuf[0] = c;
|
||||
longStrBufLen = 1;
|
||||
}
|
||||
|
||||
void
|
||||
nsHtml5Tokenizer::clearLongStrBufAndAppendToComment(PRUnichar c)
|
||||
{
|
||||
longStrBuf[0] = c;
|
||||
longStrBufLen = 1;
|
||||
}
|
||||
|
||||
void
|
||||
nsHtml5Tokenizer::appendLongStrBuf(PRUnichar c)
|
||||
{
|
||||
if (longStrBufLen == longStrBuf.length) {
|
||||
jArray<PRUnichar,PRInt32> newBuf = jArray<PRUnichar,PRInt32>(longStrBufLen + (longStrBufLen >> 1));
|
||||
nsHtml5ArrayCopy::arraycopy(longStrBuf, newBuf, longStrBuf.length);
|
||||
longStrBuf.release();
|
||||
longStrBuf = newBuf;
|
||||
}
|
||||
longStrBuf[longStrBufLen++] = c;
|
||||
}
|
||||
|
||||
void
|
||||
nsHtml5Tokenizer::appendSecondHyphenToBogusComment()
|
||||
{
|
||||
@@ -224,6 +294,32 @@ nsHtml5Tokenizer::adjustDoubleHyphenAndAppendToLongStrBufAndErr(PRUnichar c)
|
||||
appendLongStrBuf(c);
|
||||
}
|
||||
|
||||
void
|
||||
nsHtml5Tokenizer::appendLongStrBuf(jArray<PRUnichar,PRInt32> buffer, PRInt32 offset, PRInt32 length)
|
||||
{
|
||||
PRInt32 reqLen = longStrBufLen + length;
|
||||
if (longStrBuf.length < reqLen) {
|
||||
jArray<PRUnichar,PRInt32> newBuf = jArray<PRUnichar,PRInt32>(reqLen + (reqLen >> 1));
|
||||
nsHtml5ArrayCopy::arraycopy(longStrBuf, newBuf, longStrBuf.length);
|
||||
longStrBuf.release();
|
||||
longStrBuf = newBuf;
|
||||
}
|
||||
nsHtml5ArrayCopy::arraycopy(buffer, offset, longStrBuf, longStrBufLen, length);
|
||||
longStrBufLen = reqLen;
|
||||
}
|
||||
|
||||
void
|
||||
nsHtml5Tokenizer::appendLongStrBuf(jArray<PRUnichar,PRInt32> arr)
|
||||
{
|
||||
appendLongStrBuf(arr, 0, arr.length);
|
||||
}
|
||||
|
||||
void
|
||||
nsHtml5Tokenizer::appendStrBufToLongStrBuf()
|
||||
{
|
||||
appendLongStrBuf(strBuf, 0, strBufLen);
|
||||
}
|
||||
|
||||
nsString*
|
||||
nsHtml5Tokenizer::longStrBufToString()
|
||||
{
|
||||
@@ -246,6 +342,12 @@ nsHtml5Tokenizer::flushChars(PRUnichar* buf, PRInt32 pos)
|
||||
cstart = 0x7fffffff;
|
||||
}
|
||||
|
||||
void
|
||||
nsHtml5Tokenizer::resetAttributes()
|
||||
{
|
||||
attributes = nsnull;
|
||||
}
|
||||
|
||||
void
|
||||
nsHtml5Tokenizer::strBufToElementNameString()
|
||||
{
|
||||
@@ -327,7 +429,6 @@ nsHtml5Tokenizer::tokenizeBuffer(nsHtml5UTF16Buffer* buffer)
|
||||
shouldSuspend = PR_FALSE;
|
||||
lastCR = PR_FALSE;
|
||||
PRInt32 start = buffer->getStart();
|
||||
PRInt32 end = buffer->getEnd();
|
||||
PRInt32 pos = start - 1;
|
||||
switch(state) {
|
||||
case NS_HTML5TOKENIZER_DATA:
|
||||
@@ -355,9 +456,8 @@ nsHtml5Tokenizer::tokenizeBuffer(nsHtml5UTF16Buffer* buffer)
|
||||
break;
|
||||
}
|
||||
}
|
||||
ensureBufferSpace(end - start);
|
||||
pos = stateLoop(state, c, pos, buffer->getBuffer(), PR_FALSE, returnState, end);
|
||||
if (pos == end) {
|
||||
pos = stateLoop(state, c, pos, buffer->getBuffer(), PR_FALSE, returnState, buffer->getEnd());
|
||||
if (pos == buffer->getEnd()) {
|
||||
buffer->setStart(pos);
|
||||
} else {
|
||||
buffer->setStart(pos + 1);
|
||||
@@ -365,26 +465,6 @@ nsHtml5Tokenizer::tokenizeBuffer(nsHtml5UTF16Buffer* buffer)
|
||||
return lastCR;
|
||||
}
|
||||
|
||||
void
|
||||
nsHtml5Tokenizer::ensureBufferSpace(PRInt32 addedLength)
|
||||
{
|
||||
PRInt32 newlongStrBufCapacity = longStrBufLen + addedLength;
|
||||
if (newlongStrBufCapacity > longStrBuf.length) {
|
||||
jArray<PRUnichar,PRInt32> newBuf = jArray<PRUnichar,PRInt32>(newlongStrBufCapacity);
|
||||
nsHtml5ArrayCopy::arraycopy(longStrBuf, newBuf, longStrBufLen);
|
||||
longStrBuf.release();
|
||||
longStrBuf = newBuf;
|
||||
}
|
||||
PRInt32 newStrBufCapacity = strBufLen + addedLength;
|
||||
if (newStrBufCapacity > strBuf.length) {
|
||||
jArray<PRUnichar,PRInt32> newBuf = jArray<PRUnichar,PRInt32>(newStrBufCapacity);
|
||||
nsHtml5ArrayCopy::arraycopy(strBuf, newBuf, strBufLen);
|
||||
strBuf.release();
|
||||
strBuf = newBuf;
|
||||
}
|
||||
tokenHandler->ensureBufferSpace(addedLength);
|
||||
}
|
||||
|
||||
PRInt32
|
||||
nsHtml5Tokenizer::stateLoop(PRInt32 state, PRUnichar c, PRInt32 pos, PRUnichar* buf, PRBool reconsume, PRInt32 returnState, PRInt32 endPos)
|
||||
{
|
||||
|
||||
Reference in New Issue
Block a user