RESOLVED FIXED 286451
Node::normalize() can overflow destination string, resulting in an assert
https://bugs.webkit.org/show_bug.cgi?id=286451
Pedro Varangot
Reported 2025-01-23 17:14:00 PST
Created attachment 473992 [details]
test

Example backtrace:

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 WebCore 0x134f726bc WTF::String WTF::makeString<WTF::String, WTF::String>(WTF::String, WTF::String) + 4 (MakeString.h:100) [inlined]
1 WebCore 0x134f726bc WebCore::CharacterData::appendData(WTF::String const&) + 964 (CharacterData.cpp:120)
2 WebCore 0x1352efe14 WebCore::Node::normalize() + 2072 (Node.cpp:797)
3 WebCore 0x1321321e8 WebCore::jsNodePrototypeFunction_normalizeBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSNode*)::'lambda'()::operator()() const + 4 (JSNode.cpp:662) [inlined]
4 WebCore 0x1321321e8 JSC::JSValue WebCore::toJS<WebCore::IDLUndefined, WebCore::jsNodePrototypeFunction_normalizeBody(JSC::JSGlobalObject*,

See attached test for repro.
Attachments
test (800 bytes, text/html)
2025-01-23 17:14 PST, Pedro Varangot
Pedro Varangot
Comment 1 2025-01-23 17:14:35 PST
Pedro Varangot
Comment 2 2025-01-24 10:45:55 PST
EWS
Comment 3 2025-01-29 12:47:55 PST
Committed 289518@main (3f975ad6e201): <https://commits.webkit.org/289518@main>

Reviewed commits have been landed. Closing PR #39479 and removing active labels.