Bug 190392

Summary: StringTypeAdapter constructor is not properly enforcing String::MaxLength.
Product: WebKit Reporter: Mark Lam <mark.lam>
Component: JavaScriptCoreAssignee: Mark Lam <mark.lam>
Status: RESOLVED FIXED    
Severity: Normal CC: benjamin, cdumez, cmarcelo, commit-queue, darin, dbates, ews-watchlist, fpizlo, keith_miller, msaboff, rmorisset, saam, tzagallo, webkit-bug-importer, ysuzuki
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on: 190187    
Bug Blocks:    
Attachments:
Description Flags
proposed patch.
none
proposed patch. none

Description Mark Lam 2018-10-08 21:51:24 PDT 
Fix coming.
Comment 1 Radar WebKit Bug Importer 2018-10-08 21:51:59 PDT 
<rdar://problem/45116210>
Comment 2 Mark Lam 2018-10-08 22:26:07 PDT 
Created attachment 351858 [details]
proposed patch.
Comment 3 Mark Lam 2018-10-08 22:31:34 PDT 
Created attachment 351859 [details]
proposed patch.
Comment 4 Saam Barati 2018-10-09 09:08:52 PDT 
Comment on attachment 351859 [details]
proposed patch.

View in context: https://bugs.webkit.org/attachment.cgi?id=351859&action=review

> Source/WTF/ChangeLog:11
> +        length a size_t which removes this issue, and assert that it's within

We’re ok with this not working on 32bit? Maybe just use uint64_t directly?
Comment 5 Saam Barati 2018-10-09 09:10:17 PDT 
Comment on attachment 351859 [details]
proposed patch.

View in context: https://bugs.webkit.org/attachment.cgi?id=351859&action=review

>> Source/WTF/ChangeLog:11
>> +        length a size_t which removes this issue, and assert that it's within
> 
> We’re ok with this not working on 32bit? Maybe just use uint64_t directly?

I guess on 32bit we’re limited by address space.
Comment 6 Mark Lam 2018-10-09 10:50:13 PDT 
Comment on attachment 351859 [details]
proposed patch.

View in context: https://bugs.webkit.org/attachment.cgi?id=351859&action=review

Thanks for the review.

>>> Source/WTF/ChangeLog:11
>>> +        length a size_t which removes this issue, and assert that it's within
>> 
>> We’re ok with this not working on 32bit? Maybe just use uint64_t directly?
> 
> I guess on 32bit we’re limited by address space.

Yes, this works on 32-bit because the string is limited by the address space.  This is by design.
Comment 7 WebKit Commit Bot 2018-10-09 11:16:04 PDT 
Comment on attachment 351859 [details]
proposed patch.

Clearing flags on attachment: 351859

Committed r236969: <https://trac.webkit.org/changeset/236969>
Comment 8 WebKit Commit Bot 2018-10-09 11:16:06 PDT 
All reviewed patches have been landed.  Closing bug.