RESOLVED FIXED 212847
Make CodeBlockHash robust against unreasonably long source code. 
https://bugs.webkit.org/show_bug.cgi?id=212847
Summary Make CodeBlockHash robust against unreasonably long source code.
Mark Lam
Reported 2020-06-05 14:15:20 PDT
<rdar://problem/64024279>
Attachments
proposed patch. (3.35 KB, patch)
2020-06-05 14:29 PDT, Mark Lam 		no flags
DetailsFormatted DiffDiff
proposed patch. (4.14 KB, patch)
2020-06-05 15:03 PDT, Mark Lam 		no flags
DetailsFormatted DiffDiff
proposed patch. (3.56 KB, patch)
2020-06-05 15:48 PDT, Mark Lam 		no flags
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
Mark Lam
Comment 1 2020-06-05 14:29:09 PDT
Created attachment 401200 [details] proposed patch.
Saam Barati
Comment 2 2020-06-05 14:34:18 PDT
Comment on attachment 401200 [details] proposed patch. View in context: https://bugs.webkit.org/attachment.cgi?id=401200&action=review > Source/JavaScriptCore/bytecode/CodeBlockHash.cpp:51 > + constexpr int maxSourceCodeLengthToHash = 500 * MB; should be size_t > Source/JavaScriptCore/bytecode/CodeBlockHash.cpp:59 > + m_hash = sourceCode.length() ^ 0x2d5a93d0; could you alternatively just sample 500mb of the source code?
Mark Lam
Comment 3 2020-06-05 15:02:52 PDT
Comment on attachment 401200 [details] proposed patch. View in context: https://bugs.webkit.org/attachment.cgi?id=401200&action=review >> Source/JavaScriptCore/bytecode/CodeBlockHash.cpp:51 >> + constexpr int maxSourceCodeLengthToHash = 500 * MB; > > should be size_t Sadly, sourceCode.length() is an int, which is what made this an int. But I'll be changing this anyway. >> Source/JavaScriptCore/bytecode/CodeBlockHash.cpp:59 >> + m_hash = sourceCode.length() ^ 0x2d5a93d0; > > could you alternatively just sample 500mb of the source code? Will do.
Mark Lam
Comment 4 2020-06-05 15:03:22 PDT
Created attachment 401204 [details] proposed patch.
Mark Lam
Comment 5 2020-06-05 15:48:34 PDT
Created attachment 401210 [details] proposed patch.
Saam Barati
Comment 6 2020-06-05 16:06:01 PDT
Comment on attachment 401210 [details] proposed patch. View in context: https://bugs.webkit.org/attachment.cgi?id=401210&action=review > Source/JavaScriptCore/bytecode/CodeBlockHash.cpp:67 > + UChar character = str[index]; what guarantees this doesn't read OOB? Why not just make this look at 500*MB characters? Seems more straight forward than this.
Mark Lam
Comment 7 2020-06-05 16:17:32 PDT
Comment on attachment 401210 [details] proposed patch. View in context: https://bugs.webkit.org/attachment.cgi?id=401210&action=review >> Source/JavaScriptCore/bytecode/CodeBlockHash.cpp:67 >> + UChar character = str[index]; > > what guarantees this doesn't read OOB? > > Why not just make this look at 500*MB characters? Seems more straight forward than this. Spoke with Saam offline. Just to make it clear for others, index is guaranteed to be < length, and we're using StringView::length() and StringView::operator[] here. There's no risk of overflow. The initial index is always 0, and we know length > 500 MB. So, no overflow there either.
Mark Lam
Comment 8 2020-06-06 07:09:20 PDT
Comment on attachment 401210 [details] proposed patch. Thanks for the review. Landing now.
EWS
Comment 9 2020-06-06 07:11:52 PDT
Committed r262677: <https://trac.webkit.org/changeset/262677> All reviewed patches have been landed. Closing bug and clearing flags on attachment 401210 [details].
Note You need to log in before you can comment on or make changes to this bug.