280593 2024-09-29 16:52:00 -0700 TextDecoder raises "RangeError: Bad value" exception after 2GB of text 2025-04-08 07:41:07 -0700 1 1 1 Unclassified WebKit DOM Safari 18 Mac (Apple Silicon) macOS 15 RESOLVED FIXED InRadar P2 Normal --- 1 jacob achristensen achristensen alec ap cdumez darin erik webkit-bug-importer webkit oldest_to_newest 2064136 0 472732 jacob 2024-09-29 16:52:00 -0700 Created attachment 472732 Test page demonstrating error after 2GB of text decoding TextDecoder seems to crash after processing 2GB of text in streaming mode. ## Steps to reproduce: 1. Create a 3GB test file using: truncate -s 3G test.txt 2. Open textdecoder-test.html (attached to this bug) in Safari 3. Click "choose file" and select the test.txt created in step 1 4. Observe the progress bar stops at 2.00GB and then an error is logged to the console: "Unhandled Promise Rejection: RangeError: Bad value" ## Expected behavior: No error -- should be able to continue parsing text beyond the 2GB range. ## Notes: Works as expected in Chrome and Firefox. 2065739 1 webkit-bug-importer 2024-10-06 16:52:13 -0700 <rdar://problem/137394167> 2100532 2 webkit 2025-03-04 22:57:20 -0800 Minimal replication: ``` const text = new TextDecoder() const buff = new ArrayBuffer(100) for (let i = 0; i < 21474837; i++) { text.decode(buff) } ``` This will see the same error. If you change 21474837 to 21474836, it will run normally. 2100640 3 darin 2025-03-05 09:09:17 -0800 There is currently code in TextDecoder that keeps track of the total number of decoded bytes passed in, and throws a range error if that total number of decoded bytes is greater than the maximum string length supported by WebKit and its JavaScript engine. I’m not sure why that check is present. The simplest way to start fixing this bug is to remove TextDecoder::m_decodedBytes and the code that checks it entirely. Next, we have to figure out if TextDecoder handles cases where the passed in data is very large. This check may have been protecting the underlying code from being tested in various edge cases, and we’d want to fix those. But it’s possible that just removing m_decodedBytes will take care of the whole problem without requiring any additional work. 2100650 4 darin 2025-03-05 09:17:44 -0800 This limit was added to try to address a security problem with producing output strings that are too long. But the code change instead limited the total number of characters passed in to each codec, which is stricter than is needed. To fix this we need to correctly address the original security issue by making sure codecs can never produce a string larger than the maximum string length, and remove TextDecoder::m_decodedBytes since it will no longer be necessary. It’s unsafe to remove TextDecoder::m_decodedBytes without addressing the underlying issue of TextCodec decode functions producing strings that are too long. 2101550 5 darin 2025-03-07 16:41:22 -0800 Not to "try" to address a security problem. It successfully addressed the security problem. 2103924 6 jacob 2025-03-17 21:22:55 -0700 Here is an example workaround that I ended up using for this issue – just create a new TextDecoder every so often: https://github.com/jtbandes/mbox.wtf/blob/e039291e70160700c47a6876a41db967375e631e/src/readLines.ts#L20-L32 2109223 7 erik 2025-04-05 22:49:32 -0700 We have a long running wasm application that hits this problem very often, affecting thousands of users of Safari every week. wasm-bindgen (Rust) generates this piece code for every app using it: ``` const lTextEncoder = typeof TextEncoder === 'undefined' ? (0, module.require)('util').TextEncoder : TextEncoder; let cachedTextEncoder = new lTextEncoder('utf-8'); function getStringFromWasm0(ptr, len) { ptr = ptr >>> 0; return cachedTextDecoder.decode(getUint8ArrayMemory0().subarray(ptr, ptr + len)); } ``` And then getStringFromWasm0 gets used for everything that needs to do JS things with Rust strings. 2109227 8 erik 2025-04-06 00:09:01 -0700 Sorry, I copied the wrong snippet, this is the correct one: ``` const lTextDecoder = typeof TextDecoder === 'undefined' ? (0, module.require)('util').TextDecoder : TextDecoder; let cachedTextDecoder = new lTextDecoder('utf-8', { ignoreBOM: true, fatal: true }); function getStringFromWasm0(ptr, len) { ptr = ptr >>> 0; return cachedTextDecoder.decode(getUint8ArrayMemory0().subarray(ptr, ptr + len)); } ``` 2109464 9 darin 2025-04-07 11:14:42 -0700 Understood. The reason this hasn’t been fixed quickly is that it’s challenging to fix this problem without reintroducing the security vulnerability. 2109476 10 achristensen 2025-04-07 11:52:41 -0700 Pull request: https://github.com/WebKit/WebKit/pull/43753 2109705 11 ews-feeder 2025-04-08 07:41:04 -0700 Committed 293416@main (8c5a1e5c6db5): <https://commits.webkit.org/293416@main> Reviewed commits have been landed. Closing PR #43753 and removing active labels. 472732 2024-09-29 16:52:00 -0700 2024-09-29 16:52:00 -0700 Test page demonstrating error after 2GB of text decoding textdecoder-test.html text/html 1243 jacob PCFkb2N0eXBlIGh0bWw+CjxodG1sPgoKPGhlYWQ+CjwvaGVhZD4KCjxib2R5PgogICAgPGlucHV0 IHR5cGU9ImZpbGUiIC8+CiAgICA8cHJvZ3Jlc3MgaWQ9InByb2dyZXNzIiB2YWx1ZT0iMCI+PC9w cm9ncmVzcz4KICAgIDxzcGFuIGlkPSJwcm9ncmVzcy10ZXh0Ij48L3NwYW4+CiAgICA8c2NyaXB0 PgogICAgICAgIGNvbnN0IHByb2dyZXNzID0gZG9jdW1lbnQuZ2V0RWxlbWVudEJ5SWQoInByb2dy ZXNzIik7CiAgICAgICAgY29uc3QgcHJvZ3Jlc3NUZXh0ID0gZG9jdW1lbnQuZ2V0RWxlbWVudEJ5 SWQoInByb2dyZXNzLXRleHQiKTsKICAgICAgICBkb2N1bWVudC5xdWVyeVNlbGVjdG9yKCJpbnB1 dCIpLmFkZEV2ZW50TGlzdGVuZXIoJ2NoYW5nZScsIGFzeW5jIChldmVudCkgPT4gewogICAgICAg ICAgICBjb25zb2xlLmxvZygiZ290IGZpbGUiKTsKICAgICAgICAgICAgY29uc3QgZmlsZSA9IGV2 ZW50LnRhcmdldC5maWxlc1swXTsKICAgICAgICAgICAgY29uc3QgQ0hVTktfU0laRSA9IDEwMjQg KiAxMDI0OwogICAgICAgICAgICBjb25zdCBCWVRFU19QRVJfR0IgPSAxMDI0ICogMTAyNCAqIDEw MjQ7CiAgICAgICAgICAgIGNvbnN0IGRlY29kZXIgPSBuZXcgVGV4dERlY29kZXIoKTsKICAgICAg ICAgICAgZm9yIChsZXQgb2Zmc2V0ID0gMDsgb2Zmc2V0IDwgZmlsZS5zaXplOyBvZmZzZXQgKz0g Q0hVTktfU0laRSkgewogICAgICAgICAgICAgICAgY29uc3QgZG9uZSA9IG9mZnNldCArIENIVU5L X1NJWkUgPj0gZmlsZS5zaXplOwogICAgICAgICAgICAgICAgY29uc3QgY2h1bmsgPSBhd2FpdCBm aWxlLnNsaWNlKG9mZnNldCwgb2Zmc2V0ICsgQ0hVTktfU0laRSkuYXJyYXlCdWZmZXIoKTsKICAg ICAgICAgICAgICAgIGNvbnN0IHRleHQgPSBkZWNvZGVyLmRlY29kZShuZXcgVWludDhBcnJheShj aHVuayksIHsgc3RyZWFtOiAhZG9uZSB9KTsKICAgICAgICAgICAgICAgIGNvbnN0IGJ5dGVzUmVh ZCA9IG9mZnNldCArIGNodW5rLmJ5dGVMZW5ndGg7CiAgICAgICAgICAgICAgICBwcm9ncmVzcy52 YWx1ZSA9IGJ5dGVzUmVhZCAvIGZpbGUuc2l6ZTsKICAgICAgICAgICAgICAgIHByb2dyZXNzVGV4 dC50ZXh0Q29udGVudCA9IGAkeyhieXRlc1JlYWQgLyBCWVRFU19QRVJfR0IpLnRvRml4ZWQoMil9 IEdpQiAoJHsocHJvZ3Jlc3MudmFsdWUgKiAxMDApLnRvRml4ZWQoMSl9JSlgOwogICAgICAgICAg ICB9CiAgICAgICAgfSk7CiAgICA8L3NjcmlwdD4KPC9ib2R5PgoKPC9odG1sPg==