190392 – StringTypeAdapter constructor is not properly enforcing String::MaxLength.

Bug 190392 - StringTypeAdapter constructor is not properly enforcing String::MaxLength.

Summary: StringTypeAdapter constructor is not properly enforcing String::MaxLength.

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	JavaScriptCore (show other bugs)
Version:	WebKit Nightly Build
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Mark Lam

URL:
Keywords:	InRadar

Depends on:	190187
Blocks:
	Show dependency tree / graph

Reported:	2018-10-08 21:51 PDT by Mark Lam
Modified:	2018-10-09 11:16 PDT (History)
CC List:	15 users (show)

See Also:

Attachments
proposed patch. (2.36 KB, patch) 2018-10-08 22:26 PDT, Mark Lam	no flags	Details \| Formatted Diff \| Diff
proposed patch. (2.26 KB, patch) 2018-10-08 22:31 PDT, Mark Lam	no flags	Details \| Formatted Diff \| Diff
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Mark Lam 2018-10-08 21:51:24 PDT

Fix coming.

Comment 1 Radar WebKit Bug Importer 2018-10-08 21:51:59 PDT

<rdar://problem/45116210>

Comment 2 Mark Lam 2018-10-08 22:26:07 PDT

Created attachment 351858 [details]
proposed patch.

Comment 3 Mark Lam 2018-10-08 22:31:34 PDT

Created attachment 351859 [details]
proposed patch.

Comment 4 Saam Barati 2018-10-09 09:08:52 PDT

Comment on attachment 351859 [details]
proposed patch.

View in context: https://bugs.webkit.org/attachment.cgi?id=351859&action=review

> Source/WTF/ChangeLog:11
> +        length a size_t which removes this issue, and assert that it's within

We’re ok with this not working on 32bit? Maybe just use uint64_t directly?

Comment 5 Saam Barati 2018-10-09 09:10:17 PDT

Comment on attachment 351859 [details]
proposed patch.

View in context: https://bugs.webkit.org/attachment.cgi?id=351859&action=review

>> Source/WTF/ChangeLog:11
>> +        length a size_t which removes this issue, and assert that it's within
> 
> We’re ok with this not working on 32bit? Maybe just use uint64_t directly?

I guess on 32bit we’re limited by address space.

Comment 6 Mark Lam 2018-10-09 10:50:13 PDT

Comment on attachment 351859 [details]
proposed patch.

View in context: https://bugs.webkit.org/attachment.cgi?id=351859&action=review

Thanks for the review.

>>> Source/WTF/ChangeLog:11
>>> +        length a size_t which removes this issue, and assert that it's within
>> 
>> We’re ok with this not working on 32bit? Maybe just use uint64_t directly?
> 
> I guess on 32bit we’re limited by address space.

Yes, this works on 32-bit because the string is limited by the address space.  This is by design.

Comment 7 WebKit Commit Bot 2018-10-09 11:16:04 PDT

Comment on attachment 351859 [details]
proposed patch.

Clearing flags on attachment: 351859

Committed r236969: <https://trac.webkit.org/changeset/236969>

Comment 8 WebKit Commit Bot 2018-10-09 11:16:06 PDT

All reviewed patches have been landed.  Closing bug.