[Webkit-unassigned] [Bug 182473] New: Crash caused by Integer Overflow

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sun Feb 4 21:11:50 PST 2018 

https://bugs.webkit.org/show_bug.cgi?id=182473

            Bug ID: 182473
           Summary: Crash caused by Integer Overflow
           Product: WebKit
           Version: WebKit Local Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: sunlili at ict.ac.cn

Hi,

    Following code will cause JavaSciptCore crash.
    Run in webkitgtk-2.19.6. Some older versions(2.18.5) will crash too.

Code:
var ch = String.prototype.repeat.call("2", 1<<30);
let identi_arr={
    "ch":ch,
};
print("ch generated")
JSON.stringify(identi_arr);
print("json finish")

Output:
ch generated
1   0x7f0e85e34841 WTFCrash
2   0x46765e WTF::CrashOnOverflow::hasOverflowed() const
3   0x467655 WTF::CrashOnOverflow::crash()
4   0x7f0e85028210 JSC::CompleteSubspace* JSC::JSCell::subspaceFor<JSC::JSSet>(JSC::VM&)
5   0x7f0e85e8d11a
6   0x7f0e85e8cc2d
7   0x7f0e85e8c8f3 WTF::StringBuilder::appendQuotedJSONString(WTF::String const&)
8   0x7f0e85b06a94 JSC::Stringifier::appendStringifiedValue(WTF::StringBuilder&, JSC::JSValue, JSC::Stringifier::Holder const&, JSC::PropertyNameForFunctionCall const&)
9   0x7f0e85b077ce JSC::Stringifier::Holder::appendNextProperty(JSC::Stringifier&, WTF::StringBuilder&)
10  0x7f0e85b06dee JSC::Stringifier::appendStringifiedValue(WTF::StringBuilder&, JSC::JSValue, JSC::Stringifier::Holder const&, JSC::PropertyNameForFunctionCall const&)
11  0x7f0e85b063d5 JSC::Stringifier::stringify(JSC::JSValue)
12  0x7f0e85b091fa JSC::JSONProtoFuncStringify(JSC::ExecState*)
13  0x7f0e3f3ff178
Segmentation fault (core dumped)

Reason: 
The ch string is too large, when calculate the maximumCapacityRequired for it, an Integer Overflow be detected in StringBuilder::appendQuotedJSONString(const String& string).

BT group
2018/2/5

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20180205/7d35d2e2/attachment.html>

More information about the webkit-unassigned mailing list