[Webkit-unassigned] [Bug 187947] New: JavaScript string corruption using RegExp with unicode character

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Jul 24 01:19:14 PDT 2018


https://bugs.webkit.org/show_bug.cgi?id=187947

            Bug ID: 187947
           Summary: JavaScript string corruption using RegExp with unicode
                    character
           Product: WebKit
           Version: Safari 11
          Hardware: All
                OS: All
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: lukeongaro+bugzilla at gmail.com

When a 2-byte Unicode character is removed from a JavaScript string, a combination of using the string as an object key and string concatenation can corrupt the string with null bytes.

Steps to Reproduce:

Running this snippet on Safari, verified at least on Version 11.1.1 (13605.2.8), reproduces the bug (see notes below):

https://gist.github.com/lucaong/a7d7a2eee869e2c7afe8b59fc0dfda2b

Here is a JSFiddle of the same snippet (read comment): https://jsfiddle.net/DukeLeNoir/mkrfw4g8/

Expected Results vs Actual Result:

The script would be expected to find both strings as keys in the object, and therefore alert "All fine" twice. That's indeed what happens on other browsers.

On Safari, the script instead alerts twice, the second time from a code path that should not occur. If the alert text is copied and pasted into a file and inspected with a hex dump tool (like xxd), the string is found to be corrupted with unexpected null bytes, explaining why it was not found as a key in the object.
Calling any String.prototype method on the corrupted string before using it to index the object "fixes" it (even without using the method return value). Other operations that "fix" the corrupted string are using it in a comparison, logging it with console.log, or accessing one of its characters with [].

This affects Safari Version 11.1.1 (13605.2.8) and Safari for iOS, but other versions are likely affected, as shown in this bug report for a popular JavaScript library, caused by the same root issue: https://github.com/olivernn/lunr.js/issues/279

The provided script seems to be the minimum needed to reproduce the bug: using shorter strings, skipping the character enumeration, or any other operation done in this short script seems to cause the bug to disappear.
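The following is an added self-check, not the reporter's gist (which is not reproduced on this page). It exercises the operations the report names (Unicode-aware RegExp removal of a 2-byte character, concatenation, object-key lookup) and encodes the expected result: the key is still found and contains no U+0000 code units, with a hex dump of the UTF-16 code units mirroring the xxd inspection. All inputs are constructed samples.

```javascript
// Added regression check modelled on the operations described in the report.
// Constructed inputs; this is not the reporter's minimal reproduction.

// Dump a string's UTF-16 code units as hex, the way a hex dump of the pasted
// alert text would expose unexpected 0000 units. Iterates by code unit on
// purpose so surrogate pairs show both halves.
function hexCodeUnits(s) {
  const units = [];
  for (let i = 0; i < s.length; i++) {
    units.push(s.charCodeAt(i).toString(16).padStart(4, "0"));
  }
  return units.join(" ");
}

// Build the key as the report describes: append an astral (two-code-unit)
// character, strip it with a Unicode-aware RegExp, then concatenate.
function keyAfterStrip(base, astral) {
  const withAstral = base + astral;
  const stripped = withAstral.replace(/[\u{10000}-\u{10FFFF}]/gu, "");
  return stripped + "-suffix";
}

// Use the stripped key to index an object whose key was built without any
// RegExp, then inspect the key. The lookup is done first so that no
// String.prototype method touches the key before it is used as an index,
// since the report notes such calls mask the corruption.
function checkKeyIntegrity(base, astral) {
  const key = keyAfterStrip(base, astral);
  const obj = {};
  obj[base + "-suffix"] = true;
  const found = Object.prototype.hasOwnProperty.call(obj, key);
  const hex = hexCodeUnits(key);
  const hasNullUnits = hex.split(" ").includes("0000");
  return { key, found, hasNullUnits, hex };
}

// Run the check over a few constructed inputs; a failing lookup together with
// 0000 units in the dump is the signature the report describes.
function runChecks() {
  const cases = [["hello", "\u{1F600}"], ["abc", "\u{1D11E}"], ["k", "\u{10000}"]];
  return cases.map(([base, astral]) => checkKeyIntegrity(base, astral));
}
```

On an unaffected engine every result has `found === true` and `hasNullUnits === false`.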
