Bug 313333

Summary: [WTF] Fix crash in utf8ForCharacters when string ends with unpaired surrogate
Product: WebKit
Reporter: Kristian Monsen <k_monsen>
Component: Web Template Framework
Assignee: Kristian Monsen <k_monsen>
Status: RESOLVED FIXED
Severity: Normal
CC: bfulgham, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified

Kristian Monsen
Reported 2026-04-25 22:11:15 PDT
StringImpl::tryGetUTF8ForCharacters allocates the UTF-8 output buffer using simdutf::utf8_length_from_utf16, which over-estimates the required size for unpaired surrogates. For example, 31 three-byte BMP code points (\u0800–\uFFFF) followed by one unpaired high surrogate (\uD800) results in a simdutf estimate of 97 bytes, even though the true maximum is 32 × 3 = 96 bytes.
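The size accounting behind the report above, as an added example that is not WebKit or simdutf code: an exact UTF-8 length for a UTF-16 string, the worst-case bound of 3 bytes per code unit, and a lenient converter that refuses to write past a caller-supplied capacity instead of overflowing. It assumes the lenient policy of replacing each unpaired surrogate with U+FFFD (3 bytes), which is what makes 3 bytes per UTF-16 code unit the true ceiling; the function names and the constructed input are my own.

```cpp
// Added example, not WebKit's code. Assumes unpaired surrogates are replaced
// by U+FFFD (3 bytes) during conversion, so 3 bytes per UTF-16 code unit is
// the hard upper bound a buffer must honour regardless of any estimator.
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

static bool isHighSurrogate(char16_t u) { return (u & 0xFC00) == 0xD800; }
static bool isLowSurrogate(char16_t u)  { return (u & 0xFC00) == 0xDC00; }

// Worst case: each code unit expands to at most 3 bytes. A surrogate pair is
// 2 units -> 4 bytes, still under the 6 the bound allows for it.
size_t maxUTF8Length(const std::u16string& s) { return s.size() * 3; }

// Exact size of the lenient conversion (unpaired surrogate -> U+FFFD, 3 bytes).
size_t exactUTF8Length(const std::u16string& s) {
    size_t n = 0;
    for (size_t i = 0; i < s.size(); ++i) {
        char16_t u = s[i];
        if (u < 0x80) n += 1;
        else if (u < 0x800) n += 2;
        else if (isHighSurrogate(u) && i + 1 < s.size() && isLowSurrogate(s[i + 1])) { n += 4; ++i; }
        else n += 3;  // BMP character, or an unpaired surrogate replaced by U+FFFD
    }
    return n;
}

// Lenient UTF-16 -> UTF-8 conversion into `out`, never exceeding `capacity`
// bytes. Returns false (with partial output) instead of writing past the end.
bool convertUTF16ToUTF8(const std::u16string& s, std::vector<uint8_t>& out, size_t capacity) {
    out.clear();
    auto put = [&](uint32_t cp) -> bool {
        size_t need = cp < 0x80 ? 1 : cp < 0x800 ? 2 : cp < 0x10000 ? 3 : 4;
        if (out.size() + need > capacity) return false;  // the check an estimator must not replace
        if (need == 1) {
            out.push_back(uint8_t(cp));
        } else if (need == 2) {
            out.push_back(uint8_t(0xC0 | (cp >> 6)));
            out.push_back(uint8_t(0x80 | (cp & 0x3F)));
        } else if (need == 3) {
            out.push_back(uint8_t(0xE0 | (cp >> 12)));
            out.push_back(uint8_t(0x80 | ((cp >> 6) & 0x3F)));
            out.push_back(uint8_t(0x80 | (cp & 0x3F)));
        } else {
            out.push_back(uint8_t(0xF0 | (cp >> 18)));
            out.push_back(uint8_t(0x80 | ((cp >> 12) & 0x3F)));
            out.push_back(uint8_t(0x80 | ((cp >> 6) & 0x3F)));
            out.push_back(uint8_t(0x80 | (cp & 0x3F)));
        }
        return true;
    };
    for (size_t i = 0; i < s.size(); ++i) {
        char16_t u = s[i];
        uint32_t cp;
        if (isHighSurrogate(u) && i + 1 < s.size() && isLowSurrogate(s[i + 1])) {
            cp = 0x10000 + ((uint32_t(u) - 0xD800) << 10) + (uint32_t(s[i + 1]) - 0xDC00);
            ++i;
        } else if (isHighSurrogate(u) || isLowSurrogate(u)) {
            cp = 0xFFFD;  // unpaired surrogate: emit the replacement character
        } else {
            cp = u;
        }
        if (!put(cp)) return false;
    }
    return true;
}

// Constructed input mirroring the report: 31 three-byte BMP code points
// (U+0800) followed by one unpaired high surrogate (U+D800).
std::u16string reportInput() {
    std::u16string s(31, char16_t(0x0800));
    s.push_back(char16_t(0xD800));
    return s;
}

int main() {
    std::u16string s = reportInput();
    std::vector<uint8_t> out;
    bool ok = convertUTF16ToUTF8(s, out, maxUTF8Length(s));
    std::printf("units=%zu exact=%zu bound=%zu converted=%s bytes=%zu\n",
                s.size(), exactUTF8Length(s), maxUTF8Length(s), ok ? "yes" : "no", out.size());
    return 0;
}
```

With the report's input the exact length and the bound both come out at 96, and the last three bytes written are EF BF BD (U+FFFD); sizing the buffer at 95 makes the converter return false rather than write out of bounds. The takeaway for a caller like tryGetUTF8ForCharacters is that a length estimate is only a hint: the conversion must still be bounded by the actual buffer capacity, and the buffer itself must be at least 3 bytes per code unit if unpaired surrogates are replaced rather than rejected.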
Kristian Monsen
Comment 1 2026-04-25 22:11:16 PDT
Kristian Monsen
Comment 2 2026-04-25 22:21:37 PDT
EWS
Comment 3 2026-04-26 17:29:09 PDT
Committed 312057@main (fd0db67fd877): <https://commits.webkit.org/312057@main> Reviewed commits have been landed. Closing PR #63614 and removing active labels.