Bug 302183
| Summary: | [JSC] describe function attempts to create a WTF::String larger than WTF::String::MaxLength | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Anthony Tarbinian <a.tarbinian> |
| Component: | JavaScriptCore | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED FIXED | | |
| Severity: | Minor | CC: | webkit-bug-importer |
| Priority: | P3 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
Anthony Tarbinian
rdar://160097620
The `describe` JS function returns a String that contains additional metadata to "describe" the original entity passed in. For example, `describe("hello")` results in a string that looks like `String (atomic),8Bit:(1),length:(5): hello, StructureID: 16777808`. Under the hood, `describe` constructs a new string with additional metadata and converts it to a `WTF::String`.
The problem is that while the original string passed into `describe` is under the `WTF::String` limit (`WTF::String::MaxLength`), it's possible for the extra metadata to push the length of the resulting string over the limit. Then, when `describe` goes to convert the result into a `WTF::String`, JSC can crash from a `RELEASE_ASSERT` enforcing the size of the resulting string.
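The defensive pattern this report points at, as an added example that is not WebKit's code: a describe-like helper that computes the would-be length with a checked addition and declines to build the result instead of tripping a release assertion. `kMaxLength`, `metadataPrefix`, `describedLength` and `describeSafely` are constructed names, and the real `WTF::String::MaxLength` is far larger than the stand-in value used here.

```cpp
#include <cstddef>
#include <limits>
#include <optional>
#include <string>

// Constructed stand-in for WTF::String::MaxLength (the real limit is much larger).
constexpr size_t kMaxLength = 64;

// Constructed metadata prefix in the shape the report quotes:
// "String (atomic),8Bit:(1),length:(N): <value>".
std::string metadataPrefix(size_t length) {
    return "String (atomic),8Bit:(1),length:(" + std::to_string(length) + "): ";
}

// Length the described string would need, or nullopt when it would not fit.
// The input can be under the limit while the metadata pushes the total over it,
// so the check is done on the combined length, with overflow-safe addition.
std::optional<size_t> describedLength(size_t inputLength) {
    if (inputLength > kMaxLength)
        return std::nullopt;
    size_t prefix = metadataPrefix(inputLength).size();
    if (prefix > std::numeric_limits<size_t>::max() - inputLength)
        return std::nullopt; // prefix + inputLength would overflow size_t
    size_t total = prefix + inputLength;
    if (total > kMaxLength)
        return std::nullopt; // would exceed the string length limit
    return total;
}

// Builds the described string, returning nullopt instead of asserting when the
// result would exceed kMaxLength.
std::optional<std::string> describeSafely(const std::string& input) {
    auto total = describedLength(input.size());
    if (!total)
        return std::nullopt;
    std::string out = metadataPrefix(input.size()) + input;
    // The precomputed length must match what was actually built.
    if (out.size() != *total)
        return std::nullopt;
    return out;
}
```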
Anthony Tarbinian
Pull request: https://github.com/WebKit/WebKit/pull/53614
EWS
Committed 302798@main (11dd0ceefa42): <https://commits.webkit.org/302798@main>
Reviewed commits have been landed. Closing PR #53614 and removing active labels.