WebKit Bugzilla: Attachment 357678 details for Bug 192853: WTF::String and StringImpl overflow MaxLength
Attachment: bug-192853-20181219160955.patch (text/plain), 3.72 KB
Description: Patch
Creator: Tadeu Zagallo
Created: 2018-12-19 07:11:00 PST
Status: patch, obsolete
>Subversion Revision: 239373 >diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog >index 34dab9994072cd29a08ded23f21f17ba6a6dd805..6d83139f222faf29c4beb60d2f4c8087640a757d 100644 >--- a/Source/JavaScriptCore/ChangeLog >+++ b/Source/JavaScriptCore/ChangeLog >@@ -1,3 +1,18 @@ >+2018-12-19 Tadeu Zagallo <tzagallo@apple.com> >+ >+ stringProtoFuncRepeatCharacter overflow is not caught with 16-bit character times 2**30 >+ https://bugs.webkit.org/show_bug.cgi?id=192853 >+ <rdar://problem/45726906> >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ stringProtoFuncRepeatCharacter was checking that the repeat count was >+ smaller than JSString::MaxLength, but it did not take into account >+ whether the character to be repeated was 8- or 16-bit. >+ >+ * runtime/StringPrototype.cpp: >+ (JSC::stringProtoFuncRepeatCharacter): >+ > 2018-12-18 Ross Kirsling <ross.kirsling@sony.com> > > Error message for `-x ** y` contains a typo. >diff --git a/Source/JavaScriptCore/runtime/StringPrototype.cpp b/Source/JavaScriptCore/runtime/StringPrototype.cpp >index 240ba5ef549a623c4d4fd256d09bc0ccc102c85c..c57579bd3ac5483fe70963626072022c36851ee2 100644 >--- a/Source/JavaScriptCore/runtime/StringPrototype.cpp >+++ b/Source/JavaScriptCore/runtime/StringPrototype.cpp 
>@@ -863,21 +863,25 @@ EncodedJSValue JSC_HOST_CALL stringProtoFuncRepeatCharacter(ExecState* exec) > JSString* string = asString(exec->uncheckedArgument(0)); > ASSERT(string->length() == 1); > >+ auto viewWithString = string->viewWithUnderlyingString(exec); >+ StringView view = viewWithString.view; >+ ASSERT(view.length() == 1); >+ scope.assertNoException(); >+ UChar character = view[0]; >+ > JSValue repeatCountValue = exec->uncheckedArgument(1); > RELEASE_ASSERT(repeatCountValue.isNumber()); > int32_t repeatCount; > double value = repeatCountValue.asNumber(); >- if (value > JSString::MaxLength) >+ double length = value; >+ if (character & ~0xff) >+ length *= 2; >+ if (length > JSString::MaxLength) > return JSValue::encode(throwOutOfMemoryError(exec, scope)); > repeatCount = static_cast<int32_t>(value); > ASSERT(repeatCount >= 0); > ASSERT(!repeatCountValue.isDouble() || repeatCountValue.asDouble() == repeatCount); > >- auto viewWithString = string->viewWithUnderlyingString(exec); >- StringView view = viewWithString.view; >- ASSERT(view.length() == 1); >- scope.assertNoException(); >- UChar character = view[0]; > scope.release(); > if (!(character & ~0xff)) > return JSValue::encode(repeatCharacter(*exec, static_cast<LChar>(character), repeatCount)); >diff --git a/JSTests/ChangeLog b/JSTests/ChangeLog >index dbd5b3c9aa08d93ba5f21dfcc232013e8b813ae2..78352dacdd27be16281d4a3594d1d908306f25c9 100644 >--- a/JSTests/ChangeLog >+++ b/JSTests/ChangeLog >@@ -1,3 +1,14 @@ >+2018-12-19 Tadeu Zagallo <tzagallo@apple.com> >+ >+ stringProtoFuncRepeatCharacter overflow is not caught with 16-bit character times 2**30 >+ https://bugs.webkit.org/show_bug.cgi?id=192853 >+ <rdar://problem/45726906> >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ * stress/string-16bit-repeat-overflow.js: Added. >+ (catch): >+ > 2018-12-18 Ross Kirsling <ross.kirsling@sony.com> > > Error message for `-x ** y` contains a typo. 
>diff --git a/JSTests/stress/string-16bit-repeat-overflow.js b/JSTests/stress/string-16bit-repeat-overflow.js >new file mode 100644 >index 0000000000000000000000000000000000000000..bc724fbf62bc86786d7b0ed775a53c1077e5ee79 >--- /dev/null >+++ b/JSTests/stress/string-16bit-repeat-overflow.js >@@ -0,0 +1,9 @@ >+var exception; >+try { >+ print('\ud000'.repeat(2**30)); >+} catch (e) { >+ exception = e; >+} >+ >+if (exception != "Error: Out of memory") >+ throw "FAILED";
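Review bot: in the StringPrototype.cpp hunk (stringProtoFuncRepeatCharacter), the new guard compares a byte count against JSString::MaxLength, which is a count of characters, yet the local is named `length` and nothing says the doubling is deliberate; rename it (e.g. `byteLength`) and add a one-line comment so the `if (character & ~0xff) length *= 2;` branch reads as an allocation-size bound rather than a typo, and note that `repeatCount` is still derived from `value`, so the doubled figure is used for the check only. Moving the `viewWithUnderlyingString` block above the check is fine since `scope.assertNoException()` still precedes the `throwOutOfMemoryError` path, but the bug title ("WTF::String and StringImpl overflow MaxLength") points at the allocation site: guarding this one caller leaves any other producer of a 16-bit string near MaxLength unprotected, so consider whether the bound belongs in StringImpl instead, or at least say in the ChangeLog why a caller-side check is sufficient here.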
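Review bot: in string-16bit-repeat-overflow.js, `print('\ud000'.repeat(2**30))` means a regression of the guard would try to materialize and print a 2**30-character (2 GiB) string and likely crash the runner instead of failing cleanly; drop the `print` and just evaluate `'\ud000'.repeat(2**30)` inside the try. The test also only pins the 16-bit branch; add a companion case for an 8-bit character at a count that exceeds JSString::MaxLength so both branches of the `character & ~0xff` check are exercised, and compare on `exception instanceof Error` plus the message rather than relying on the `!= "Error: Out of memory"` string coercion.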
Attachments on bug 192853: 357678 | 357741 | 357811