[Webkit-unassigned] [Bug 194957] String overflow when using StringBuilder in JSC::createError

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Feb 25 18:02:05 PST 2019 

https://bugs.webkit.org/show_bug.cgi?id=194957

--- Comment #9 from Mark Lam <mark.lam at apple.com> ---
Comment on attachment 362759
  --> https://bugs.webkit.org/attachment.cgi?id=362759
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=362759&action=review

LGTM in general but can you clarify what you meant in the ChangeLog (see my question below).

> Source/WTF/ChangeLog:15
> +        When calculating the new capacity of a StringBuilder object,
> +        use a limit of MaxLength instead of MaxLength+1.  Allocating
> +        a string of size MaxLength+1 always fails, this meant that expanding
> +        a StringBuilder only works when doubling the capacity is smaller
> +        than that. A character cannot be appended to a String of size 1.4GB,
> +        since doubling the capacity doesn't fit into MaxLength anymore.
> +        Changing the maximum capacity to MaxLength allows this operation to
> +        succeed.

Yeah, this is a bug.  All string constructs have a max capacity of MaxLength.  I don't know what I was thinking when I added that +1 back then.

I would also break up this sentence so that it doesn't run on (plus some suggested edits):
Allocating a string of size MaxLength+1 always fails.  This means that expanding a StringBuilder only works when the newly doubled capacity is less or equal to MaxLength. 

Can you clarify this part, "A character cannot be appended to a String of size 1.4GB, since doubling the capacity doesn't fit into MaxLength anymore.  Changing the maximum capacity to MaxLength allows this operation to succeed.".  I'm not sure I understand that the issue here.  Can you give a concrete example of what you meant here, perhaps with values in hex form so that it's easier to see what's happening.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20190226/1cbe2ab0/attachment.html>

More information about the webkit-unassigned mailing list