Bug 299452
| Summary: | [JSC] Stack overflow with destructor chain after JSON.parse with deeply nested JSON | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Anthony Tarbinian <a.tarbinian> |
| Component: | JavaScriptCore | Assignee: | WebKit Security Group <webkit-security-unassigned> |
| Status: | RESOLVED FIXED | | |
| Severity: | Normal | CC: | bfulgham, webkit-bug-importer |
| Priority: | P1 | Keywords: | InRadar |
| Version: | WebKit Local Build | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
Anthony Tarbinian
rdar://158627869
When calling JSON.parse with a reviver function (https://tc39.es/ecma262/multipage/structured-data.html#sec-json.parse) passed in, a deeply nested JSON object (about 6000 levels deep) will trigger a stack overflow. This is due to the destructor for the `ranges` variable being invoked when it goes out of scope at the end of the `jsonParseSlow` function in JSONObject.cpp (https://searchfox.org/wubkat/source/Source/JavaScriptCore/runtime/JSONObject.cpp#1814-1844).
The actual contents of the reviver function are not significant. The bug still reproduces with a reviver function which leaves the values unchanged. However, a reviver function does need to be passed in to take the code path for `jsonParseSlow` (https://searchfox.org/wubkat/source/Source/JavaScriptCore/runtime/JSONObject.cpp#1856-1861).
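A defensive check that an application can place in front of JSON.parse when a reviver is used on untrusted input, added here as an example; it is not part of the bug report or of the WebKit fix, and the depth limit of 512 is an assumed value:

```javascript
// Added example (not from the WebKit bug or its fix): bound JSON nesting depth
// before handing untrusted text to JSON.parse with a reviver.

// Scan the raw JSON text and return its maximum bracket nesting depth.
// Brackets inside string literals are skipped, honouring backslash escapes,
// so '{"a":"]]]"}' counts as depth 1, not 4.
function jsonNestingDepth(text) {
  let depth = 0;
  let maxDepth = 0;
  let inString = false;
  for (let i = 0; i < text.length; i++) {
    const ch = text[i];
    if (inString) {
      if (ch === "\\") i++;            // skip the escaped character
      else if (ch === '"') inString = false;
      continue;
    }
    if (ch === '"') {
      inString = true;
    } else if (ch === "{" || ch === "[") {
      depth++;
      if (depth > maxDepth) maxDepth = depth;
    } else if (ch === "}" || ch === "]") {
      depth--;
    }
  }
  return maxDepth;
}

// Parse with a reviver only when nesting stays within a chosen limit.
// The default limit is an assumption; keep it well below the engine's
// stack budget so that an over-deep document is rejected with a catchable
// RangeError instead of reaching the recursive parse path.
function safeParseWithReviver(text, reviver, maxDepth = 512) {
  const depth = jsonNestingDepth(text);
  if (depth > maxDepth) {
    throw new RangeError(`JSON nesting depth ${depth} exceeds limit ${maxDepth}`);
  }
  return JSON.parse(text, reviver);
}

// Constructed inputs: a shallow document whose string contains brackets,
// and a 6000-level nested array like the one described in the report.
const shallow = '{"a":[1,{"b":"}]]"}]}';
const deep = "[".repeat(6000) + "]".repeat(6000);
const identityReviver = (key, value) => value;
```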
Anthony Tarbinian
Pull request: https://github.com/apple/WebKit/pull/3705
Anthony Tarbinian
Pull request: https://github.com/WebKit/WebKit/pull/51282
EWS
Committed 301098@main (06f13ed8ff16): <https://commits.webkit.org/301098@main>
Reviewed commits have been landed. Closing PR #51282 and removing active labels.