RESOLVED FIXED 313333
[WTF] Fix crash in utf8ForCharacters when string ends with unpaired surrogate
https://bugs.webkit.org/show_bug.cgi?id=313333
Summary: [WTF] Fix crash in utf8ForCharacters when string ends with unpaired surrogate
Kristian Monsen
Reported 2026-04-25 22:11:15 PDT
StringImpl::tryGetUTF8ForCharacters allocates the UTF-8 output buffer using simdutf::utf8_length_from_utf16, which over-estimates the required size for unpaired surrogates. For example, 31 three-byte BMP code points (\u0800–\uFFFF) followed by one unpaired high surrogate (\uD800) results in a simdutf estimate of 97 bytes, even though the true maximum is 32 × 3 = 96 bytes.
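A worked model of the size mismatch described above, added here as an example; it is not WebKit's or simdutf's code. The estimator below is an assumed model that reproduces the report's 97-byte figure (a high surrogate sized as a full 4-byte pair whether or not a low surrogate follows), not simdutf's actual algorithm; the lenient converter and the 3-bytes-per-code-unit bound show what a buffer must actually hold.

```python
# Constructed model of the UTF-16 -> UTF-8 sizing problem in the report (not WebKit's code).
REPLACEMENT = "\uFFFD".encode("utf-8")  # unpaired surrogate becomes U+FFFD: 3 bytes

def is_high(u): return 0xD800 <= u <= 0xDBFF
def is_low(u): return 0xDC00 <= u <= 0xDFFF

def utf16_to_utf8_lenient(units):
    """Convert UTF-16 code units to UTF-8, replacing unpaired surrogates with U+FFFD."""
    out, i = bytearray(), 0
    while i < len(units):
        u = units[i]
        if is_high(u) and i + 1 < len(units) and is_low(units[i + 1]):
            cp = 0x10000 + ((u - 0xD800) << 10) + (units[i + 1] - 0xDC00)
            i += 2
        elif is_high(u) or is_low(u):
            out += REPLACEMENT          # lone surrogate: 3 bytes, never 4
            i += 1
            continue
        else:
            cp, i = u, i + 1
        out += chr(cp).encode("utf-8")
    return bytes(out)

def tight_upper_bound(units):
    """Provable maximum: every UTF-16 code unit yields at most 3 UTF-8 bytes
    (BMP char <= 3 bytes, a pair of 2 units -> 4 bytes, a lone surrogate -> 3 bytes)."""
    return 3 * len(units)

def overestimating_length(units):
    """Assumed estimator model (not simdutf's code): a high surrogate is always
    sized as a 4-byte sequence, even when no low surrogate follows it."""
    total, i = 0, 0
    while i < len(units):
        u = units[i]
        if is_high(u):
            total += 4
            i += 2 if i + 1 < len(units) and is_low(units[i + 1]) else 1
        else:
            total += 1 if u < 0x80 else 2 if u < 0x800 else 3
            i += 1
    return total

# The report's input: 31 three-byte BMP code points followed by one unpaired high surrogate.
REPORT_UNITS = [0x0800] * 31 + [0xD800]

if __name__ == "__main__":
    print("estimate:", overestimating_length(REPORT_UNITS))       # 97
    print("tight bound:", tight_upper_bound(REPORT_UNITS))         # 96
    print("actual:", len(utf16_to_utf8_lenient(REPORT_UNITS)))     # 96
```

Whatever the estimator returns, the converter can never write more than `tight_upper_bound`, so any capacity check or assertion in the writer must be phrased against that bound rather than against the estimate.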
Kristian Monsen
Comment 1 2026-04-25 22:11:16 PDT
Kristian Monsen
Comment 2 2026-04-25 22:21:37 PDT
EWS
Comment 3 2026-04-26 17:29:09 PDT
Committed 312057@main (fd0db67fd877): <https://commits.webkit.org/312057@main> Reviewed commits have been landed. Closing PR #63614 and removing active labels.