Bug 1275867 - Null-terminate the buffer passed from ParseFloatLiteral to js_strtod_harder. r?bbouvier
The buffer was also overallocated for negative numbers, so that is fixed
at the same time.
--- a/js/src/asmjs/WasmTextToBinary.cpp
+++ b/js/src/asmjs/WasmTextToBinary.cpp
@@ -1725,21 +1725,22 @@ ParseFloatLiteral(WasmParseContext& c, W
c.ts.generateError(token, c.error);
return false;
}
break;
case WasmToken::DecNumber: {
// Call into JS' strtod. Tokenization has already required that the
// string is well-behaved.
LifoAlloc::Mark mark = c.lifo.mark();
- char* buffer = c.lifo.newArray<char>(end - begin + 1);
+ char* buffer = c.lifo.newArray<char>(end - cur + 1);
if (!buffer)
return false;
for (ptrdiff_t i = 0; i < end - cur; ++i)
buffer[i] = char(cur[i]);
+ buffer[end - cur] = '\0';
char* strtod_end;
int err;
Float d = (Float)js_strtod_harder(c.dtoaState, buffer, &strtod_end, &err);
if (err != 0 || strtod_end == buffer) {
c.lifo.release(mark);
c.ts.generateError(token, c.error);
return false;
}
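Review bot: Nothing in the new code checks that js_strtod_harder consumed the whole literal — only `strtod_end == buffer` (no digits parsed at all) is rejected, so a stray byte inside [cur, end) would be silently dropped rather than reported. Since the comment above states that tokenization already guarantees a well-formed string, that invariant is worth pinning after the error check with `MOZ_ASSERT(strtod_end == buffer + (end - cur));` instead of relying on the tokenizer alone. A short comment on the added terminator, `// js_strtod_harder needs a NUL-terminated C string; the copy loop does not add one.`, would save the next reader from re-deriving why the buffer is sized end - cur + 1. ParseFloatLiteral begins and ends outside this hunk, so whether `mark` is released on the success path cannot be confirmed here.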