String overflow when using StringBuilder in JSC::createError
author: dinfuehr@igalia.com <dinfuehr@igalia.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 13 Mar 2019 21:42:17 +0000 (21:42 +0000)
committer: dinfuehr@igalia.com <dinfuehr@igalia.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 13 Mar 2019 21:42:17 +0000 (21:42 +0000)
commit: 368f333da895537da3238ad3d6e89cc248e0348e
tree: cd5361a33e5b3bfece34fb799af255581caa3b9d
parent: 3661909f106e4c70919f1b8441bd8ad2aee2ad32
String overflow when using StringBuilder in JSC::createError
https://bugs.webkit.org/show_bug.cgi?id=194957

Reviewed by Mark Lam.

JSTests:

Add test string-overflow-createError-builder.js that overflows
StringBuilder in notAFunctionSourceAppender. The second new test
string-overflow-createError-fit.js has an error message that doesn't
overflow; it still failed since the String's capacity can't be doubled.
Run test string-overflow-createError.js only in the default
configuration to reduce memory consumption when running the test
in all configurations on multiple CPUs in parallel.

* stress/string-overflow-createError-builder.js: Copied from JSTests/stress/string-overflow-createError.js.
(catch):
* stress/string-overflow-createError-fit.js: Copied from JSTests/stress/string-overflow-createError.js.
(catch):
* stress/string-overflow-createError.js:

Source/JavaScriptCore:

StringBuilder in notAFunctionSourceAppender didn't check
for overflows but just failed.

* runtime/ExceptionHelpers.cpp:
(JSC::notAFunctionSourceAppender):

Source/WTF:

When calculating the new capacity of a StringBuilder object,
use a limit of MaxLength instead of MaxLength+1. Allocating
a string of size MaxLength+1 always fails. This means that expanding
a StringBuilder only worked when the newly doubled capacity is less than or
equal to MaxLength.

* wtf/text/StringBuilder.cpp:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@242910 268f45cc-cd09-0410-ab3c-d52691b4dbfc
JSTests/ChangeLog
JSTests/stress/string-overflow-createError-builder.js [new file with mode: 0644]
JSTests/stress/string-overflow-createError-fit.js [new file with mode: 0644]
JSTests/stress/string-overflow-createError.js
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/runtime/ExceptionHelpers.cpp
Source/WTF/ChangeLog
Source/WTF/wtf/text/StringBuilder.cpp
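The growth policy described in the WTF part of the commit message, as an added model written for this page (not WebKit's StringBuilder code): a doubling policy clamped to a limit, and an allocator that refuses anything longer than MaxLength. The names `kMaxLength`, `canAllocate`, `expandedCapacity`, `growBefore` and `growAfter` are assumptions, and `kMaxLength` is scaled down from String::MaxLength so the example runs cheaply.

```cpp
#include <algorithm>

// Constructed stand-in for String::MaxLength (the real value is far larger).
static const unsigned kMaxLength = 1000;

// Model of the allocator: a string longer than MaxLength can never be allocated.
static bool canAllocate(unsigned length) { return length <= kMaxLength; }

// Doubling growth policy with the doubled capacity clamped to `limit`.
// The bug in the message is which `limit` the clamp uses: MaxLength+1 (old)
// produces a capacity the allocator always rejects once capacity > MaxLength/2.
static unsigned expandedCapacity(unsigned capacity, unsigned requiredLength, unsigned limit) {
    static const unsigned minimumCapacity = 16;
    // Clamp before multiplying so capacity * 2 cannot wrap around.
    unsigned doubled = (capacity > limit / 2) ? limit : capacity * 2;
    return std::max(requiredLength, std::max(minimumCapacity, doubled));
}

// Can a builder with `capacity` bytes grow to hold `requiredLength`?
static bool tryGrow(unsigned capacity, unsigned requiredLength, unsigned limit) {
    return canAllocate(expandedCapacity(capacity, requiredLength, limit));
}

// Before the fix: clamp at MaxLength+1.
static bool growBefore(unsigned capacity, unsigned requiredLength) {
    return tryGrow(capacity, requiredLength, kMaxLength + 1);
}

// After the fix: clamp at MaxLength.
static bool growAfter(unsigned capacity, unsigned requiredLength) {
    return tryGrow(capacity, requiredLength, kMaxLength);
}
```

Growing from capacity 600 to hold 700 characters fits within MaxLength, yet the old clamp asks the allocator for 1001 and fails; a request that genuinely exceeds MaxLength still fails after the fix, which is why the caller (notAFunctionSourceAppender) must check for overflow rather than assume growth succeeded.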