[Webkit-unassigned] [Bug 187947] New: JavaScript string corruption using RegExp with unicode character
bugzilla-daemon at webkit.org
Tue Jul 24 01:19:14 PDT 2018
https://bugs.webkit.org/show_bug.cgi?id=187947
Bug ID: 187947
Summary: JavaScript string corruption using RegExp with unicode character
Product: WebKit
Version: Safari 11
Hardware: All
OS: All
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
Assignee: webkit-unassigned at lists.webkit.org
Reporter: lukeongaro+bugzilla at gmail.com
When a 2-byte unicode character is removed from a JavaScript string, a combination of using the string as an object key and string concatenation can corrupt the string with null bytes.
Steps to Reproduce:
Running this snippet on Safari, verified at least on Version 11.1.1 (13605.2.8), reproduces the bug (see notes below):
https://gist.github.com/lucaong/a7d7a2eee869e2c7afe8b59fc0dfda2b
Here is a JSFiddle of the same snippet (read comment): https://jsfiddle.net/DukeLeNoir/mkrfw4g8/
Expected Results vs Actual Result:
The script would be expected to find both strings as keys in the object, and therefore alert "All fine" twice. That's indeed what happens on other browsers.
On Safari, the script instead alerts twice, the second time from a code path that should not occur. If the alert text is copied and pasted into a file and inspected with a hex dump tool (like xxd), the string is found to be corrupted with unexpected null bytes, explaining why it was not found as a key in the object.
Calling any String.prototype method on the corrupted string before using it to index the object "fixes" it (even without using the method return value). Other operations that "fix" the corrupted string are using it in a comparison, logging it with console.log, or accessing one of its characters with [].
This affects Safari Version 11.1.1 (13605.2.8) and Safari for iOS, but other versions are likely affected, as shown in this bug report for a popular JavaScript library, caused by the same root issue: https://github.com/olivernn/lunr.js/issues/279
The provided script seems to be the minimum needed to reproduce the bug: using shorter strings, skipping the character enumeration, or any other operation done in this short script seems to cause the bug to disappear.
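The following is an added regression-style check, not the reporter's gist (the page links it but does not reproduce it). It exercises the pattern the report describes: strip a 2-byte (16-bit code unit, non-Latin-1) character with a unicode-flag RegExp, use the result as an object key, rebuild it by concatenation, enumerate its characters, then look the key up again and scan the string for U+0000 code units, which is what the xxd inspection in the report would reveal. On an engine without the defect every check passes; the sample text, the choice of U+2019 as the stripped character, and all helper names are my own assumptions.

```javascript
// Added example: regression check for the string-corruption pattern described
// in the report. Not the reporter's snippet; sample data is constructed.

// Render a string as its UTF-16 code units in hex, so a stray 0000 stands out
// the way a 00 byte does in an xxd dump of the pasted alert text.
function hexCodeUnits(s) {
  const units = [];
  for (let i = 0; i < s.length; i++) {
    units.push(s.charCodeAt(i).toString(16).padStart(4, "0"));
  }
  return units.join(" ");
}

// True if any UTF-16 code unit of s is U+0000 (the corruption the report saw).
function hasNullCodeUnit(s) {
  return s.includes("\u0000");
}

// Remove every occurrence of one character using a RegExp with the u flag,
// the operation named in the bug title. The character is escaped so that
// regex metacharacters cannot change the pattern's meaning.
function stripChar(s, ch) {
  const escaped = ch.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  return s.replace(new RegExp(escaped, "gu"), "");
}

// Drive the pattern end to end and return a result object for assertions:
// strip, use as key, rebuild via concatenation, enumerate characters, re-lookup.
function runPattern(original, ch) {
  const stripped = stripChar(original, ch);
  const table = {};
  table[stripped] = true;
  // Concatenation yields a fresh string object with equal content.
  const rebuilt = stripped.slice(0, 1) + stripped.slice(1);
  // Enumerate the characters, as the report's snippet does before the lookup.
  let count = 0;
  for (const _ of rebuilt) count++;
  return {
    stripped,
    rebuilt,
    count,
    foundByStripped: Object.prototype.hasOwnProperty.call(table, stripped),
    foundByRebuilt: Object.prototype.hasOwnProperty.call(table, rebuilt),
    nullBytes: hasNullCodeUnit(rebuilt),
    hex: hexCodeUnits(rebuilt),
  };
}

// Constructed sample: contains U+2019 (right single quote) several times and
// keeps U+2018 after stripping, so the string stays outside the Latin-1 range.
const SAMPLE =
  "it\u2019s a \u2018quoted\u2019 phrase that isn\u2019t short enough to skip the rope path";

// Returns the result and prints the same verdict the report's script alerts.
function main() {
  const r = runPattern(SAMPLE, "\u2019");
  if (r.foundByStripped && r.foundByRebuilt && !r.nullBytes) {
    console.log("All fine");
  } else {
    console.log("Corruption detected:", r.hex);
  }
  return r;
}

if (typeof require !== "undefined" && require.main === module) main();
```

Run it under Node or in a browser console; a failing lookup or a `0000` unit in the hex line is the signal to fall back to one of the workarounds the report lists (calling any `String.prototype` method on the string before using it as a key).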