WebKit Bugzilla
Bug 182473: Crash caused by Integer Overflow
Status: RESOLVED DUPLICATE of bug 183894
https://bugs.webkit.org/show_bug.cgi?id=182473
sunlili
Reported 2018-02-04 21:11:50 PST

Hi, the following code will cause a JavaScriptCore crash. Run in webkitgtk-2.19.6. Some older versions (2.18.5) will crash too.

Code:

    var ch = String.prototype.repeat.call("2", 1<<30);
    let identi_arr = {
        "ch": ch,
    };
    print("ch generated")
    JSON.stringify(identi_arr);
    print("json finish")

Output:

    ch generated
    1 0x7f0e85e34841 WTFCrash
    2 0x46765e WTF::CrashOnOverflow::hasOverflowed() const
    3 0x467655 WTF::CrashOnOverflow::crash()
    4 0x7f0e85028210 JSC::CompleteSubspace* JSC::JSCell::subspaceFor<JSC::JSSet>(JSC::VM&)
    5 0x7f0e85e8d11a
    6 0x7f0e85e8cc2d
    7 0x7f0e85e8c8f3 WTF::StringBuilder::appendQuotedJSONString(WTF::String const&)
    8 0x7f0e85b06a94 JSC::Stringifier::appendStringifiedValue(WTF::StringBuilder&, JSC::JSValue, JSC::Stringifier::Holder const&, JSC::PropertyNameForFunctionCall const&)
    9 0x7f0e85b077ce JSC::Stringifier::Holder::appendNextProperty(JSC::Stringifier&, WTF::StringBuilder&)
    10 0x7f0e85b06dee JSC::Stringifier::appendStringifiedValue(WTF::StringBuilder&, JSC::JSValue, JSC::Stringifier::Holder const&, JSC::PropertyNameForFunctionCall const&)
    11 0x7f0e85b063d5 JSC::Stringifier::stringify(JSC::JSValue)
    12 0x7f0e85b091fa JSC::JSONProtoFuncStringify(JSC::ExecState*)
    13 0x7f0e3f3ff178
    Segmentation fault (core dumped)

Reason: The ch string is too large; when calculating the maximumCapacityRequired for it, an integer overflow is detected in StringBuilder::appendQuotedJSONString(const String& string).

BT group 2018/2/5
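The crash above is the checked-arithmetic guard firing, not silent memory corruption: the capacity bound for the quoted output no longer fits in 32 bits. The following is an added C example (not WebKit's code) that reproduces that bound computation both with and without an overflow check; it assumes the worst-case expansion of 6 bytes per character (a \uXXXX escape) plus 2 bytes for the quotes, which is an assumption here rather than a fact taken from the report.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Checked upper bound on the 32-bit capacity needed to append `str_len`
 * characters as a quoted JSON string to a builder already holding
 * `builder_len` characters. Assumed worst case (not from the report):
 * 6 bytes per character for a \uXXXX escape plus 2 bytes for the quotes.
 * Returns false instead of wrapping, which is what a CrashOnOverflow
 * style policy would turn into an intentional abort. */
bool quoted_json_capacity(uint32_t builder_len, uint32_t str_len, uint32_t *out)
{
    uint32_t escaped, total;
    if (__builtin_mul_overflow(str_len, 6u, &escaped)) return false;
    if (__builtin_add_overflow(escaped, 2u, &total)) return false;
    if (__builtin_add_overflow(total, builder_len, &total)) return false;
    *out = total;
    return true;
}

/* Convenience wrapper: the checked capacity, or 0 when it overflows. */
uint32_t capacity_or_zero(uint32_t builder_len, uint32_t str_len)
{
    uint32_t cap;
    return quoted_json_capacity(builder_len, str_len, &cap) ? cap : 0;
}

/* Unchecked version: the same arithmetic with plain uint32_t wrap-around.
 * For 1<<30 characters the product 6 * 2^30 wraps to 2^31, so the caller
 * would size an allocation far smaller than the data it is about to write. */
uint32_t quoted_json_capacity_unchecked(uint32_t builder_len, uint32_t str_len)
{
    return builder_len + 2u + str_len * 6u;
}

int main(void)
{
    uint32_t huge = 1u << 30; /* the repeat count used in the report's testcase */
    printf("1000 chars -> at most %u bytes\n", capacity_or_zero(0, 1000));
    if (capacity_or_zero(0, huge) == 0)
        printf("1<<30 chars: bound overflows 32 bits (wrapped value would be %u)\n",
               quoted_json_capacity_unchecked(0, huge));
    return 0;
}
```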
Robin Morisset
Comment 1, 2018-03-30 07:49:56 PDT

*** This bug has been marked as a duplicate of bug 183894 ***