Title: [275818] trunk
- Revision
- 275818
- Author
- [email protected]
- Date
- 2021-04-12 05:26:44 -0700 (Mon, 12 Apr 2021)
Log Message
Out of memory crash with find('a'.repeat(2**30))
https://bugs.webkit.org/show_bug.cgi?id=223787
Source/WebCore:
Patch by Frédéric Wang <[email protected]> on 2021-04-12
Reviewed by Ryosuke Niwa.
SearchBuffer::SearchBuffer allocates a buffer whose capacity is at least 8 times the size of
the searched text and at least 8192. It's possible to hit an out-of-memory crash by passing
a very long string to window.find. Since there is no reason to search for arbitrarily large
text, limit it to a maximum length of 64kB.
Test: editing/find/find-long-string-crash.html
* page/DOMWindow.cpp:
(WebCore::DOMWindow::find const): Exit early if the string length is larger than a limit.
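To make the allocation argument in the description concrete, here is a small added C++ model (not WebKit's code) of the two facts the ChangeLog states: the search buffer capacity is at least 8 times the searched text and at least 8192, and the fix rejects strings longer than `std::numeric_limits<uint16_t>::max()` before any search happens. The 16-bit unit size, the names `searchBufferBytes`, `guardedFind` and the `k*` constants are assumptions for this illustration; `SearchBuffer` itself is not reproduced.

```cpp
#include <cstdint>
#include <iostream>
#include <limits>
#include <string>

// Allocation behaviour as described in the ChangeLog: capacity is at least
// 8x the searched text and at least 8192. Units are assumed to be 16-bit
// (like WebKit's UChar); the real SearchBuffer is not reproduced here.
constexpr uint64_t kCapacityFactor = 8;
constexpr uint64_t kMinimumCapacity = 8192;
constexpr uint64_t kBytesPerUnit = 2; // assumption, see lead-in

// Bytes the modelled search buffer would need for a search string of
// `length` units. 64-bit arithmetic so the 2**30 case does not overflow.
uint64_t searchBufferBytes(uint64_t length)
{
    uint64_t units = length * kCapacityFactor;
    if (units < kMinimumCapacity)
        units = kMinimumCapacity;
    return units * kBytesPerUnit;
}

// The limit the patch adds: 65535 units of string length.
constexpr uint64_t kMaximumStringLength = std::numeric_limits<uint16_t>::max();

// Guarded entry point mirroring the patched DOMWindow::find: an over-long
// needle is rejected up front, so no oversized buffer is ever sized for it.
bool guardedFind(const std::u16string& haystack, const std::u16string& needle)
{
    if (needle.size() > kMaximumStringLength)
        return false;
    return haystack.find(needle) != std::u16string::npos;
}

int main()
{
    // Constructed input mirroring the regression test: a page of 2^16 'a'.
    const std::u16string page(1u << 16, u'a');

    std::cout << "buffer bytes for a 1-char search:      " << searchBufferBytes(1) << '\n';
    std::cout << "buffer bytes for 'a'.repeat(2**30):    " << searchBufferBytes(1ull << 30) << '\n';

    // 65535 is within the limit and matches; 65536 would also match the page
    // text, so its false result comes from the guard alone.
    std::cout << "65535 chars found: " << guardedFind(page, std::u16string(65535, u'a')) << '\n';
    std::cout << "65536 chars found: " << guardedFind(page, std::u16string(65536, u'a')) << '\n';
    return 0;
}
```

The 2**30 case evaluates to 2^34 bytes (16 GiB) for the modelled buffer, which is why a length check ahead of the allocation, rather than a larger allocation, is the right shape of fix; the guard alone deciding the 65536 case is the same property the regression test relies on.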
LayoutTests:
Patch by Frederic Wang <[email protected]> on 2021-04-12
Reviewed by Ryosuke Niwa.
Add regression test.
* editing/find/find-short-and-long-strings-expected.txt: Added.
* editing/find/find-short-and-long-strings.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (275817 => 275818)
--- trunk/LayoutTests/ChangeLog 2021-04-12 09:26:42 UTC (rev 275817)
+++ trunk/LayoutTests/ChangeLog 2021-04-12 12:26:44 UTC (rev 275818)
@@ -1,3 +1,15 @@
+2021-04-12 Frederic Wang <[email protected]>
+
+ Out of memory crash with find('a'.repeat(2**30))
+ https://bugs.webkit.org/show_bug.cgi?id=223787
+
+ Reviewed by Ryosuke Niwa.
+
+ Add regression test.
+
+ * editing/find/find-short-and-long-strings-expected.txt: Added.
+ * editing/find/find-short-and-long-strings.html: Added.
+
2021-04-11 Cameron McCormack <[email protected]>
Fix initial horizontal scrollbar position when vertical scrollbar is on the left.
Added: trunk/LayoutTests/editing/find/find-short-and-long-strings-expected.txt (0 => 275818)
--- trunk/LayoutTests/editing/find/find-short-and-long-strings-expected.txt (rev 0)
+++ trunk/LayoutTests/editing/find/find-short-and-long-strings-expected.txt 2021-04-12 12:26:44 UTC (rev 275818)
@@ -0,0 +1,10 @@
+PASS textContent.innerText.length is 2**16
+PASS window.find('b') is false
+PASS window.find('a'.repeat(2**5)) is true
+PASS window.find('a'.repeat(2**16 - 1)) is true
+PASS window.find('a'.repeat(2**16)) is false
+PASS window.find('a'.repeat(2**30)) is false
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
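Review bot: the paired expectations `window.find('a'.repeat(2**16 - 1)) is true` and `window.find('a'.repeat(2**16)) is false` pin the constant to exactly 65535, so any future change to `maximumStringLength` in DOMWindow.cpp will have to update both lines together; a comment in the .html next to those two calls naming the constant they track would make that coupling obvious to whoever changes the limit.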
Added: trunk/LayoutTests/editing/find/find-short-and-long-strings.html (0 => 275818)
--- trunk/LayoutTests/editing/find/find-short-and-long-strings.html (rev 0)
+++ trunk/LayoutTests/editing/find/find-short-and-long-strings.html 2021-04-12 12:26:44 UTC (rev 275818)
@@ -0,0 +1,42 @@
+<!doctype>
+<html>
+ <head>
+ <script src=""
+ </head>
+ <body>
+ <p id="description"></p>
+ <div id="console"></div>
+ <div id="textContent"></div>
+ <script>
+ if (window.testRunner)
+ testRunner.dumpAsText();
+
+ // Put text content on the page with 2^16 'a' characters.
+ textContent.append(document.createTextNode('a'.repeat(2**15)));
+ textContent.append(document.createTextNode('a'.repeat(2**15)));
+ shouldBe("textContent.innerText.length", "2**16");
+
+ // Verify that find fails if no match is found.
+ window.getSelection().removeAllRanges();
+ shouldBeFalse("window.find('b')");
+
+ // Verify that find succeeds for a small string.
+ window.getSelection().removeAllRanges();
+ shouldBeTrue("window.find('a'.repeat(2**5))");
+
+ // Verify that find succeeds just below the limit.
+ window.getSelection().removeAllRanges();
+ shouldBeTrue("window.find('a'.repeat(2**16 - 1))");
+
+ // Verify that find fails when reaching WebKit's hardcoded limit.
+ window.getSelection().removeAllRanges();
+ shouldBeFalse("window.find('a'.repeat(2**16))");
+
+ // Verify that very long string does not cause out-of-memory crash.
+ window.getSelection().removeAllRanges();
+ shouldBeFalse("window.find('a'.repeat(2**30))");
+ document.body.removeChild(textContent);
+ </script>
+ <script src=""
+ </body>
+</html>
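Review bot: `<!doctype>` on the first line is missing the `html` token; use `<!DOCTYPE html>` so the test runs in standards mode like the other layout tests. Also, both `<script src=""` lines (before `</head>` and before `</body>`) show an empty `src` and no closing `>` or `</script>` in this hunk; if that is what was committed, `shouldBe`, `shouldBeTrue`, `shouldBeFalse` and `successfullyParsed` will be undefined and the test cannot produce the expected output, so please confirm the js-test helper paths are present in the file.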
Modified: trunk/Source/WebCore/ChangeLog (275817 => 275818)
--- trunk/Source/WebCore/ChangeLog 2021-04-12 09:26:42 UTC (rev 275817)
+++ trunk/Source/WebCore/ChangeLog 2021-04-12 12:26:44 UTC (rev 275818)
@@ -1,3 +1,20 @@
+2021-04-12 Frédéric Wang <[email protected]>
+
+ Out of memory crash with find('a'.repeat(2**30))
+ https://bugs.webkit.org/show_bug.cgi?id=223787
+
+ Reviewed by Ryosuke Niwa.
+
+ SearchBuffer::SearchBuffer allocates a buffer whose capacity is at least 8 times the size of
+ the searched text and at least 8192. It's possible to hit an out-of-memory crash by passing
+ a very long string to window.find. Since there is no reason to search for arbitrary large
+ text, limit it to a maximum length of 64kB.
+
+ Test: editing/find/find-long-string-crash.html
+
+ * page/DOMWindow.cpp:
+ (WebCore::DOMWindow::find const): Exit early if the string length is larger than a limit.
+
2021-04-12 Chris Lord <[email protected]>
Refactor font loading to make it possible for Worker to implement it
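Review bot: the `Test:` line names `editing/find/find-long-string-crash.html`, but the files this patch adds are `editing/find/find-short-and-long-strings.html` and its `-expected.txt`; the ChangeLog should reference the test that actually landed. Two wording points in the same entry: "arbitrary large" should read "arbitrarily large", and "64kB" is approximate, since the check is on `string.length()` (code units, with the cut-off at 65535), not on a byte count.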
Modified: trunk/Source/WebCore/page/DOMWindow.cpp (275817 => 275818)
--- trunk/Source/WebCore/page/DOMWindow.cpp 2021-04-12 09:26:42 UTC (rev 275817)
+++ trunk/Source/WebCore/page/DOMWindow.cpp 2021-04-12 12:26:44 UTC (rev 275818)
@@ -1198,7 +1198,10 @@
bool DOMWindow::find(const String& string, bool caseSensitive, bool backwards, bool wrap, bool /*wholeWord*/, bool /*searchInFrames*/, bool /*showDialog*/) const
{
- if (!isCurrentlyDisplayedInFrame())
+ // SearchBuffer allocates memory much larger than the searched string, so it's necessary to limit its length.
+ // Most searches are for a phrase or a paragraph, so an upper limit of 64kB is more than enough in practice.
+ constexpr auto maximumStringLength = std::numeric_limits<uint16_t>::max();
+ if (!isCurrentlyDisplayedInFrame() || string.length() > maximumStringLength)
return false;
// FIXME (13016): Support wholeWord, searchInFrames and showDialog.
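Review bot: `std::numeric_limits<uint16_t>::max()` needs `<limits>`, and this hunk adds no include, so please confirm the header is already reachable from DOMWindow.cpp rather than relying on a transitive include. Since the early `return false` is indistinguishable from "not found" to a caller, the comment above the check is the only record of why a long string is rejected; keep the "64kB" wording consistent with the actual cut-off (65535 code units) so the comment and the constant do not drift apart.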
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes