Bug 303213 integer overflow in js

patch by mrbkap r=brendan a=brendan
2005-08-04 01:52:01 +00:00 · 2005-08-04 01:52:01 +00:00 · 50b3b5c24b
--- a/js/src/jsstr.c
+++ b/js/src/jsstr.c
@ -361,6 +361,12 @@ js_str_escape(JSContext *cx, JSObject *obj, uintN argc, jsval *argv, jsval *rval
        } else {
            newlength += 5; /* The character will be encoded as %uXXXX */
        }
+
+        /* NB: this works because newlength can be incremented by at most 5. */ 
+        if (newlength < length) {
+            JS_ReportOutOfMemory(cx);
+            return JS_FALSE;
+        }
    }

    if (newlength >= ~(size_t)0 / sizeof(jschar)) {