[webkit-changes] [WebKit/WebKit] 0aa654: Update length check in appendQuotedJSONString to a...
Commit Queue
noreply at github.com
Tue Oct 29 09:05:18 PDT 2024
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 0aa654672af463701ce4b6c7abcecfab18009058
https://github.com/WebKit/WebKit/commit/0aa654672af463701ce4b6c7abcecfab18009058
Author: Mark Lam <mark.lam at apple.com>
Date: 2024-10-29 (Tue, 29 Oct 2024)
Changed paths:
M Source/JavaScriptCore/heap/HeapSnapshotBuilder.cpp
M Source/JavaScriptCore/heap/HeapSnapshotBuilder.h
M Source/JavaScriptCore/jsc.cpp
M Source/WTF/wtf/text/StringBuilderJSON.cpp
Log Message:
-----------
Update length check in appendQuotedJSONString to align with String's max length.
https://bugs.webkit.org/show_bug.cgi?id=281873
rdar://138178439
Reviewed by Keith Miller and Michael Saboff.
`appendQuotedJSONString` currently utilizes a `CheckedUint32`. However, String's
maximum length is MAX_INT, which is the bounds of an `Int32`. Thus, we should
use `CheckedInt32` so that we don't try to create a String that is too long.
Also enhanced HeapSnapshotBuilder to allow customization of how it reacts when it
encounters an imminent overflow by specifying an OverflowAction at construction
time. We then apply OverflowAction::RecordOverflow to the jsc shell's use of
HeapSnapshotBuilder so that it can throw an OOME instead of crashing when imminent
overflow is detected while constructing the HeapSnapshot.
This will unblock fuzzers that fuzz with the jsc shell's HeapSnapshot functions
though they shouldn't, and thereby avoids a crash.
The appendQuotedJSONString change was originally provided by Daniel Liu.
* Source/JavaScriptCore/heap/HeapSnapshotBuilder.cpp:
(JSC::HeapSnapshotBuilder::HeapSnapshotBuilder):
(JSC::HeapSnapshotBuilder::json):
* Source/JavaScriptCore/heap/HeapSnapshotBuilder.h:
* Source/JavaScriptCore/jsc.cpp:
(JSC_DEFINE_HOST_FUNCTION):
* Source/WTF/wtf/text/StringBuilderJSON.cpp:
(WTF::StringBuilder::appendQuotedJSONString):
Canonical link: https://commits.webkit.org/285840@main
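The following is an added worked example, not WebKit's code, illustrating the two points of the commit message: a JSON-quoting routine whose length check is bounded by the String maximum (INT32_MAX) rather than by the range of an unsigned 32-bit counter, and a caller-chosen reaction to imminent overflow. `CheckedLength`, `OverflowAction`, `quotedWidth`, `quotedLengthFromCounts` and `kMaxStringLength` are stand-ins invented for this example; they model the idea of WTF's CheckedInt32/CheckedUint32 and of the commit's OverflowAction, not their real definitions.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <limits>
#include <optional>
#include <string>
#include <string_view>

// Stand-in for the idea behind WTF's CheckedInt32 / CheckedUint32 (an assumption of
// this example, not WTF's class): once a sum leaves T's range, the overflow flag is
// set and every later addition is ignored.
template <typename T>
class CheckedLength {
public:
    void add(uint64_t n) {
        uint64_t room = static_cast<uint64_t>(std::numeric_limits<T>::max()) - static_cast<uint64_t>(m_value);
        if (m_overflowed || n > room) { m_overflowed = true; return; }
        m_value = static_cast<T>(static_cast<uint64_t>(m_value) + n);
    }
    bool hasOverflowed() const { return m_overflowed; }
    T value() const { return m_value; }
private:
    T m_value = 0;
    bool m_overflowed = false;
};

// Maximum String length: INT32_MAX, as the commit message states for WTF::String.
constexpr uint64_t kMaxStringLength = static_cast<uint64_t>(std::numeric_limits<int32_t>::max());

// Caller-chosen reaction to imminent overflow, mirroring the commit's OverflowAction
// idea (hypothetical enum): abort like the old crash, or record it so the caller can
// raise an out-of-memory error instead.
enum class OverflowAction { Crash, RecordOverflow };

// Output width of one input character after JSON quoting: 1 for plain text, 2 for the
// short escapes (\" \\ \b \f \n \r \t), 6 for other control characters (\u00XX).
inline uint64_t quotedWidth(unsigned char c) {
    switch (c) {
    case '"': case '\\': case '\b': case '\f': case '\n': case '\r': case '\t': return 2;
    default: return c < 0x20 ? 6 : 1;
    }
}

// Quoted length (both quote characters included) from per-class character counts, so
// the INT32_MAX boundary can be exercised without allocating gigabytes. Returns
// std::nullopt when the checked sum leaves T's range.
template <typename T>
std::optional<uint64_t> quotedLengthFromCounts(uint64_t plain, uint64_t shortEscapes, uint64_t controls) {
    CheckedLength<T> len;
    len.add(2);
    len.add(plain);
    len.add(shortEscapes * 2); // counts are at most a few billion, so this cannot wrap
    len.add(controls * 6);
    if (len.hasOverflowed())
        return std::nullopt;
    return len.value();
}

// Appends `in` to `out` as a quoted JSON string once a CheckedLength<int32_t> pass has
// confirmed the result fits a String. On overflow, Crash aborts the process and
// RecordOverflow returns false and leaves `out` untouched.
bool appendQuotedJSONString(std::string& out, std::string_view in, OverflowAction action) {
    CheckedLength<int32_t> len;
    len.add(out.size());
    len.add(2);
    for (unsigned char c : in)
        len.add(quotedWidth(c));
    if (len.hasOverflowed()) {
        if (action == OverflowAction::Crash)
            std::abort();
        return false;
    }
    out.push_back('"');
    for (unsigned char c : in) {
        switch (c) {
        case '"': out += "\\\""; break;
        case '\\': out += "\\\\"; break;
        case '\b': out += "\\b"; break;
        case '\f': out += "\\f"; break;
        case '\n': out += "\\n"; break;
        case '\r': out += "\\r"; break;
        case '\t': out += "\\t"; break;
        default:
            if (c < 0x20) {
                char buf[7];
                std::snprintf(buf, sizeof buf, "\\u%04x", static_cast<unsigned>(c));
                out += buf;
            } else {
                out.push_back(static_cast<char>(c));
            }
        }
    }
    out.push_back('"');
    return true;
}
```

The boundary case that motivated the change is `quotedLengthFromCounts<int32_t>(kMaxStringLength - 1, 0, 0)`: with the two quote characters the result is INT32_MAX + 1, which the Int32 accumulator reports as overflow while a Uint32 accumulator happily returns 2147483648, a length no String can hold.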