Bug 182473
| Summary: | Crash caused by Integer Overflow | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | sunlili |
| Component: | JavaScriptCore | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED DUPLICATE | | |
| Severity: | Normal | CC: | rmorisset |
| Priority: | P2 | | |
| Version: | WebKit Local Build | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
sunlili
Hi,
The following code will cause JavaScriptCore to crash.
Run in webkitgtk-2.19.6. Some older versions (2.18.5) crash too.
Code:
```javascript
// Build a 2^30-character string (1 << 30 == 1073741824 copies of "2").
var ch = String.prototype.repeat.call("2", 1 << 30);
// Put it in an object so JSON.stringify has to quote it as a property value.
let identi_arr = {
    "ch": ch,
};
print("ch generated"); // print() is the jsc shell's output function
JSON.stringify(identi_arr); // crashes inside StringBuilder::appendQuotedJSONString
print("json finish");
```
Output:
```text
ch generated
1 0x7f0e85e34841 WTFCrash
2 0x46765e WTF::CrashOnOverflow::hasOverflowed() const
3 0x467655 WTF::CrashOnOverflow::crash()
4 0x7f0e85028210 JSC::CompleteSubspace* JSC::JSCell::subspaceFor<JSC::JSSet>(JSC::VM&)
5 0x7f0e85e8d11a
6 0x7f0e85e8cc2d
7 0x7f0e85e8c8f3 WTF::StringBuilder::appendQuotedJSONString(WTF::String const&)
8 0x7f0e85b06a94 JSC::Stringifier::appendStringifiedValue(WTF::StringBuilder&, JSC::JSValue, JSC::Stringifier::Holder const&, JSC::PropertyNameForFunctionCall const&)
9 0x7f0e85b077ce JSC::Stringifier::Holder::appendNextProperty(JSC::Stringifier&, WTF::StringBuilder&)
10 0x7f0e85b06dee JSC::Stringifier::appendStringifiedValue(WTF::StringBuilder&, JSC::JSValue, JSC::Stringifier::Holder const&, JSC::PropertyNameForFunctionCall const&)
11 0x7f0e85b063d5 JSC::Stringifier::stringify(JSC::JSValue)
12 0x7f0e85b091fa JSC::JSONProtoFuncStringify(JSC::ExecState*)
13 0x7f0e3f3ff178
Segmentation fault (core dumped)
```
Reason:
The ch string is too large; when calculating the maximumCapacityRequired for it, an integer overflow is detected in StringBuilder::appendQuotedJSONString(const String& string).
BT group
2018/2/5
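The capacity computation the backtrace points at, as an added example (not WebKit code and not from the reporter): a worst-case bound for JSON quoting in which every input code unit may become a six-character `\uXXXX` escape and the value gains two quote characters, computed in 64 bits and reported to the caller when it does not fit the builder's 32-bit length instead of aborting. The expansion model, the function names `quotedJsonCapacity`, `appendQuotedJson` and `quoteJson`, and the byte-wise Latin-1 escaping are assumptions made for the illustration; the quoter follows the escape rules JSON.stringify applies to `"`, `\` and control characters but does no surrogate handling.

```cpp
#include <cstdint>
#include <cstdio>
#include <limits>
#include <optional>
#include <string>

// Worst case for one input code unit under JSON quoting: it becomes "\uXXXX"
// (6 output code units). Assumed expansion model, not quoted from WebKit.
constexpr uint64_t kMaxExpansionPerCodeUnit = 6;
// Opening and closing double quote around the value.
constexpr uint64_t kQuoteOverhead = 2;

// Upper bound on the 32-bit buffer capacity needed to append a quoted copy of a
// stringLength-code-unit string to a builder already holding currentLength code
// units. Returns std::nullopt when the bound does not fit in 32 bits, so the
// caller can fail gracefully instead of aborting the process.
std::optional<uint32_t> quotedJsonCapacity(uint32_t currentLength, uint32_t stringLength) {
    // Do the arithmetic in 64 bits; every term is far below 2^64.
    uint64_t needed = uint64_t(currentLength) + kQuoteOverhead
                    + uint64_t(stringLength) * kMaxExpansionPerCodeUnit;
    if (needed > std::numeric_limits<uint32_t>::max())
        return std::nullopt;
    return static_cast<uint32_t>(needed);
}

// Largest string length that still passes quotedJsonCapacity on an empty builder.
constexpr uint32_t kMaxQuotableLength = static_cast<uint32_t>(
    (std::numeric_limits<uint32_t>::max() - kQuoteOverhead) / kMaxExpansionPerCodeUnit);

// Appends JSON.stringify-style quoting of a byte string (treated as Latin-1, no
// surrogate handling) to `out`. Returns false, leaving `out` untouched, if the
// capacity bound overflows or a length does not fit in 32 bits.
bool appendQuotedJson(std::string& out, const std::string& in) {
    const uint64_t limit = std::numeric_limits<uint32_t>::max();
    if (in.size() > limit || out.size() > limit)
        return false;
    auto capacity = quotedJsonCapacity(static_cast<uint32_t>(out.size()),
                                       static_cast<uint32_t>(in.size()));
    if (!capacity)
        return false;
    out.reserve(*capacity); // one allocation up front, as the builder in the backtrace does
    out.push_back('"');
    for (unsigned char c : in) {
        switch (c) {
        case '"':  out += "\\\""; break;
        case '\\': out += "\\\\"; break;
        case '\b': out += "\\b";  break;
        case '\f': out += "\\f";  break;
        case '\n': out += "\\n";  break;
        case '\r': out += "\\r";  break;
        case '\t': out += "\\t";  break;
        default:
            if (c < 0x20) { // remaining control characters become \u00XX
                char buf[7];
                std::snprintf(buf, sizeof buf, "\\u%04x", static_cast<unsigned>(c));
                out += buf;
            } else {
                out.push_back(static_cast<char>(c));
            }
        }
    }
    out.push_back('"');
    return true;
}

// Convenience wrapper returning the quoted string, or std::nullopt on overflow.
std::optional<std::string> quoteJson(const std::string& in) {
    std::string out;
    if (!appendQuotedJson(out, in))
        return std::nullopt;
    return out;
}

int main() {
    // The reporter's case: 1 << 30 code units. 6 * 2^30 does not fit in 32 bits.
    uint32_t reporterLength = 1u << 30;
    if (!quotedJsonCapacity(0, reporterLength))
        std::printf("length %u: capacity bound overflows uint32_t, refusing to quote\n", reporterLength);
    std::printf("largest quotable length on an empty builder: %u\n", kMaxQuotableLength);
    // Constructed sample input exercising the escape paths.
    if (auto q = quoteJson("a\"b\\c\n\x01"))
        std::printf("%s\n", q->c_str());
    return 0;
}
```

Under this model the bound for the reporter's 2^30-unit string is 6 * 2^30 + 2, which is why a 32-bit checked computation trips. Because the original aborts inside WTF::CrashOnOverflow::crash() before any allocation is sized from the overflowed value, the symptom shown in the report is a deliberate abort (a denial of service for the embedding process), not an undersized buffer.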
Robin Morisset
*** This bug has been marked as a duplicate of bug 183894 ***