Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 5deaf3ecdf97cf9e9e8c4b3c649c6acb4264030c
https://github.com/WebKit/WebKit/commit/5deaf3ecdf97cf9e9e8c4b3c649c6acb4264030c
Author: Mark Lam <[email protected]>
Date: 2025-03-14 (Fri, 14 Mar 2025)
Changed paths:
A JSTests/stress/json-stringify-out-of-memory.js
M Source/WTF/wtf/text/StringBuilderJSON.cpp
Log Message:
-----------
StringBuilder::appendQuotedJSONString() should handle OOME more gracefully.
https://bugs.webkit.org/show_bug.cgi?id=289232
rdar://146943330
Reviewed by Yusuke Suzuki.
The saturatedSum in StringBuilder::appendQuotedJSONString() should use uint32_t instead of int32_t.

This is because INT_MAX is a valid capacity. If the requested stringLengthValue gets saturated to INT_MAX, we'll mistakenly think that there's enough buffer space to handle appending the string when we actually need more memory.

The fix is simply to use saturatedSum<uint32_t> instead. As a result, a stringLengthValue that is greater than INT_MAX won't saturate it, but will still be rejected by the underlying buffer allocator, which is the StringImpl allocator, which will reject allocations above INT_MAX. In the event that saturatedSum<uint32_t> does saturate, it will saturate to UINT_MAX, and will still be rejected by the underlying buffer allocator.
* JSTests/stress/json-stringify-out-of-memory.js: Added.
(catch):
* Source/WTF/wtf/text/StringBuilderJSON.cpp:
(WTF::StringBuilder::appendQuotedJSONString):
Canonical link: https://commits.webkit.org/292170@main
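The capacity-check mistake the commit message describes, as an added example written for this page and not WebKit's code: a minimal stand-in for saturatedSum<T> and a model of the StringImpl allocator limit show that a signed sum saturating to INT_MAX passes a check it should fail, while the unsigned sum is correctly rejected. The names kMaxStringLength, checkPasses and checkIsSound, and the sample lengths, are assumptions made here.

```cpp
#include <climits>
#include <cstdint>
#include <cstdio>
#include <limits>

// Hypothetical stand-in for WTF's saturatedSum<T> (not WebKit's code): adds two
// non-negative lengths and clamps to T's maximum instead of wrapping around.
template<typename T>
T saturatedSum(T a, T b)
{
    constexpr T maxValue = std::numeric_limits<T>::max();
    return (a > maxValue - b) ? maxValue : a + b;
}

// Model of the allocator limit the commit describes: the StringImpl allocator
// rejects lengths above INT_MAX, so INT_MAX itself is a valid capacity.
constexpr uint64_t kMaxStringLength = INT_MAX;

// Model of the pre-append capacity check; inputs must fit in Sum (<= INT_MAX for int32_t).
template<typename Sum>
bool checkPasses(uint32_t currentLength, uint32_t appendLength)
{
    Sum total = saturatedSum<Sum>(static_cast<Sum>(currentLength),
                                  static_cast<Sum>(appendLength));
    return static_cast<uint64_t>(total) <= kMaxStringLength;
}

// The check is sound only if its verdict matches the exact (64-bit) total.
template<typename Sum>
bool checkIsSound(uint32_t currentLength, uint32_t appendLength)
{
    uint64_t exactTotal = uint64_t(currentLength) + uint64_t(appendLength);
    bool shouldPass = exactTotal <= kMaxStringLength;
    return checkPasses<Sum>(currentLength, appendLength) == shouldPass;
}

int main()
{
    // Constructed inputs: the buffer is 16 chars short of INT_MAX and the
    // quoted string needs 64 more, so the exact total exceeds the limit.
    uint32_t current = INT_MAX - 16, needed = 64;
    std::printf("int32_t  check passes: %d (sound: %d)\n",
                checkPasses<int32_t>(current, needed), checkIsSound<int32_t>(current, needed));
    std::printf("uint32_t check passes: %d (sound: %d)\n",
                checkPasses<uint32_t>(current, needed), checkIsSound<uint32_t>(current, needed));
    // A sum that overflows even uint32_t saturates to UINT_MAX and is rejected.
    std::printf("uint32_t saturated sum rejected: %d\n",
                !checkPasses<uint32_t>(4000000000u, 1000000000u));
    return 0;
}
```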
webkit-changes mailing list
https://lists.webkit.org/mailman/listinfo/webkit-changes