[MERGE chakra-core#882] Fixing the static warning by adding sufficient validation for the buffer.

akroshg · akroshg · commit ce368e77bed4 · 2016-04-28T17:01:47.000-07:00
Merge pull request chakra-core#882 from akroshg:warn
diff --git a/lib/Runtime/Library/JavascriptString.cpp b/lib/Runtime/Library/JavascriptString.cpp
@@ -2399,7 +2399,7 @@ namespace Js
         Assert(count > 0);
 
         const char16* currentRawString = currentString->GetString();
-        int currentLength = currentString->GetLength();
+        charcount_t currentLength = currentString->GetLength();
 
         charcount_t finalBufferCount = UInt32Math::Add(UInt32Math::Mul(count, currentLength), 1);
         char16* buffer = RecyclerNewArrayLeaf(scriptContext->GetRecycler(), char16, finalBufferCount);
@@ -2413,6 +2413,7 @@ namespace Js
         {
             char16* bufferDst = buffer;
             size_t bufferDstSize = finalBufferCount;
+            AnalysisAssert(bufferDstSize > currentLength);
 
             for (charcount_t i = 0; i < count; i += 1)
             {

Original file line number	Diff line number	Diff line change
`@@ -2399,7 +2399,7 @@ namespace Js`
`2399`	`2399`	`Assert(count > 0);`
`2400`	`2400`
`2401`	`2401`	`const char16* currentRawString = currentString->GetString();`
`2402`		`- int currentLength = currentString->GetLength();`
	`2402`	`+ charcount_t currentLength = currentString->GetLength();`
`2403`	`2403`
`2404`	`2404`	`charcount_t finalBufferCount = UInt32Math::Add(UInt32Math::Mul(count, currentLength), 1);`
`2405`	`2405`	`char16* buffer = RecyclerNewArrayLeaf(scriptContext->GetRecycler(), char16, finalBufferCount);`
`@@ -2413,6 +2413,7 @@ namespace Js`
`2413`	`2413`	`{`
`2414`	`2414`	`char16* bufferDst = buffer;`
`2415`	`2415`	`size_t bufferDstSize = finalBufferCount;`
	`2416`	`+ AnalysisAssert(bufferDstSize > currentLength);`
`2416`	`2417`
`2417`	`2418`	`for (charcount_t i = 0; i < count; i += 1)`
`2418`	`2419`	`{`