Bug 194957

Summary: String overflow when using StringBuilder in JSC::createError
Product: WebKit Reporter: Dominik Inführ <dominik.infuehr>
Component: New BugsAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: benjamin, cdumez, cmarcelo, commit-queue, dbates, ews-watchlist, keith_miller, mark.lam, msaboff, saam, webkit-bug-importer, xan.lopez, ysuzuki
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
none
Patch
none
Patch
none
Patch
none
Patch
none
Patch none

Dominik Inführ
Reported 2019-02-22 12:07:35 PST
String overflow when using StringBuilder in JSC::createError
Attachments
Patch (6.25 KB, patch)
2019-02-22 12:28 PST, Dominik Inführ 		no flags
DetailsFormatted DiffDiff
Patch (6.44 KB, patch)
2019-02-22 12:44 PST, Dominik Inführ 		no flags
DetailsFormatted DiffDiff
Patch (6.93 KB, patch)
2019-02-22 13:15 PST, Dominik Inführ 		no flags
DetailsFormatted DiffDiff
Patch (6.93 KB, patch)
2019-02-22 13:27 PST, Dominik Inführ 		no flags
DetailsFormatted DiffDiff
Patch (6.93 KB, patch)
2019-02-22 13:29 PST, Dominik Inführ 		no flags
DetailsFormatted DiffDiff
Patch (6.65 KB, patch)
2019-03-07 08:57 PST, Dominik Inführ 		no flags
DetailsFormatted DiffDiff
Show Obsolete (5) View All Add attachment proposed patch, testcase, etc.
Dominik Inführ
Comment 1 2019-02-22 12:28:31 PST
Created attachment 362746 [details] Patch
Dominik Inführ
Comment 2 2019-02-22 12:44:53 PST
Created attachment 362751 [details] Patch
Dominik Inführ
Comment 3 2019-02-22 13:15:16 PST
Created attachment 362755 [details] Patch
Mark Lam
Comment 4 2019-02-22 13:15:46 PST
Comment on attachment 362751 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=362751&action=review > Source/JavaScriptCore/runtime/ExceptionHelpers.cpp:213 > + return makeString("object is not a function."); Use makeString("object is not a function." _s) so that we'll create the string using an ASCIILiteral.
Mark Lam
Comment 5 2019-02-22 13:17:09 PST
Comment on attachment 362751 [details] Patch I didn't mean to un-obsolete this patch.
Dominik Inführ
Comment 6 2019-02-22 13:27:03 PST
Created attachment 362757 [details] Patch
Dominik Inführ
Comment 7 2019-02-22 13:29:42 PST
Created attachment 362759 [details] Patch
Dominik Inführ
Comment 8 2019-02-25 12:02:13 PST
Thanks for catching that! I've updated the patch, it should be ready for review!
Mark Lam
Comment 9 2019-02-25 18:02:05 PST
Comment on attachment 362759 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=362759&action=review LGTM in general but can you clarify what you meant in the ChangeLog (see my question below). > Source/WTF/ChangeLog:15 > + When calculating the new capacity of a StringBuilder object, > + use a limit of MaxLength instead of MaxLength+1. Allocating > + a string of size MaxLength+1 always fails, this meant that expanding > + a StringBuilder only works when doubling the capacity is smaller > + than that. A character cannot be appended to a String of size 1.4GB, > + since doubling the capacity doesn't fit into MaxLength anymore. > + Changing the maximum capacity to MaxLength allows this operation to > + succeed. Yeah, this is a bug. All string constructs have a max capacity of MaxLength. I don't know what I was thinking when I added that +1 back then. I would also break up this sentence so that it doesn't run on (plus some suggested edits): Allocating a string of size MaxLength+1 always fails. This means that expanding a StringBuilder only works when the newly doubled capacity is less or equal to MaxLength. Can you clarify this part, "A character cannot be appended to a String of size 1.4GB, since doubling the capacity doesn't fit into MaxLength anymore. Changing the maximum capacity to MaxLength allows this operation to succeed.". I'm not sure I understand that the issue here. Can you give a concrete example of what you meant here, perhaps with values in hex form so that it's easier to see what's happening.
Dominik Inführ
Comment 10 2019-03-07 08:57:22 PST
Created attachment 363879 [details] Patch
Dominik Inführ
Comment 11 2019-03-07 09:01:39 PST
Thanks for the review and your suggestions! About that sentence: I agree, it's quite confusing. I just wanted to give an example for the explanation above. I dropped it now since this example only introduced confusion and your suggestion makes the explanation more clear.
Mark Lam
Comment 12 2019-03-13 14:14:50 PDT
Comment on attachment 363879 [details] Patch r=me
WebKit Commit Bot
Comment 13 2019-03-13 14:42:22 PDT
Comment on attachment 363879 [details] Patch Clearing flags on attachment: 363879 Committed r242910: <https://trac.webkit.org/changeset/242910>
WebKit Commit Bot
Comment 14 2019-03-13 14:42:24 PDT
All reviewed patches have been landed. Closing bug.
Radar WebKit Bug Importer
Comment 15 2019-03-13 14:45:17 PDT
<rdar://problem/48863998>
Note You need to log in before you can comment on or make changes to this bug.