-
dbates@webkit.org authored
https://bugs.webkit.org/show_bug.cgi?id=102956 <rdar://problem/12738012> Reviewed by Oliver Hunt. Source/JavaScriptCore: Fix an issue where we didn't check for overflow when computing the length of the result of String.replace() with a large replacement string. * runtime/StringPrototype.cpp: (JSC::jsSpliceSubstringsWithSeparators): LayoutTests: Add test to ensure that we handle string replacement with a large replacement string. * fast/js/script-tests/string-replacement-outofmemory.js: Added. (createStringWithRepeatedChar): * fast/js/string-replacement-outofmemory-expected.txt: Added. * fast/js/string-replacement-outofmemory.html: Added. git-svn-id: http://svn.webkit.org/repository/webkit/trunk@135794 268f45cc-cd09-0410-ab3c-d52691b4dbfc
b5b94f13