Context Navigation

← Previous Changeset
Next Changeset →

Changeset 279915 in webkit

Timestamp:

Jul 14, 2021 12:15:56 PM (3 years ago)

Author:

mark.lam@apple.com

Message:

Check for out of memory in JSC::globalFuncEscape() and JSC::globalFuncUnescape().
https://bugs.webkit.org/show_bug.cgi?id=227962
rdar://78392251

Reviewed by Yusuke Suzuki.

JSTests:

stress/out-of-memory-in-globalFuncUnescape.js: Added.

Source/JavaScriptCore:

runtime/JSGlobalObjectFunctions.cpp:

(JSC::JSC_DEFINE_HOST_FUNCTION):

Location:

trunk

Files:

: 1 added
: 3 edited

JSTests/ChangeLog (modified) (1 diff)
JSTests/stress/out-of-memory-in-globalFuncUnescape.js (added)
Source/JavaScriptCore/ChangeLog (modified) (1 diff)
Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp (modified) (6 diffs)

Legend:

: Unmodified
: Added
: Removed

trunk/JSTests/ChangeLog

-                      r279910
+                      r279915
+-07-14  Mark Lam  <mark.lam@apple.com>
+        Check for out of memory in JSC::globalFuncEscape() and JSC::globalFuncUnescape().
+        https://bugs.webkit.org/show_bug.cgi?id=227962
+        rdar://78392251
+        Reviewed by Yusuke Suzuki.
+        * stress/out-of-memory-in-globalFuncUnescape.js: Added.
 -07-14  Mark Lam  <mark.lam@apple.com>

trunk/Source/JavaScriptCore/ChangeLog

-                      r279913
+                      r279915
+-07-14  Mark Lam  <mark.lam@apple.com>
+        Check for out of memory in JSC::globalFuncEscape() and JSC::globalFuncUnescape().
+        https://bugs.webkit.org/show_bug.cgi?id=227962
+        rdar://78392251
+        Reviewed by Yusuke Suzuki.
+        * runtime/JSGlobalObjectFunctions.cpp:
+        (JSC::JSC_DEFINE_HOST_FUNCTION):
 -07-14  Yusuke Suzuki  <ysuzuki@apple.com>

trunk/Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp

-                      r278253
+                      r279915
 JSC_DEFINE_HOST_FUNCTION(globalFuncEscape, (JSGlobalObject* globalObject, CallFrame* callFrame))
+{
     return JSValue::encode(toStringView(globalObject, callFrame->argument(0), [&] (StringView view) {
+    return JSValue::encode(toStringView(globalObject, callFrame->argument(0), [&] (StringView view) -> JSString* {
         static const Bitmap<256> doNotEscape = makeCharacterBitmap(
             "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
 …
         VM& vm = globalObject->vm();
+        StringBuilder builder;
+        auto scope = DECLARE_THROW_SCOPE(vm);
+        StringBuilder builder(StringBuilder::OverflowHandler::RecordOverflow);
         if (view.is8Bit()) {
             const LChar* c = view.characters8();
 …
                     builder.append('%', hex(u, 2));
+            }
+            return jsString(vm, builder.toString());
+        }
+        const UChar* c = view.characters16();
+        for (unsigned k = 0; k < view.length(); k++, c++) {
+            UChar u = c[0];
+            if (u >= doNotEscape.size())
+                builder.append("%u", hex(static_cast<uint8_t>(u >> 8), 2), hex(static_cast<uint8_t>(u), 2));
+            else if (doNotEscape.get(static_cast<LChar>(u)))
+                builder.append(*c);
+            else
+                builder.append('%', hex(u, 2));
+        }
+        } else {
+            const UChar* c = view.characters16();
+            for (unsigned k = 0; k < view.length(); k++, c++) {
+                UChar u = c[0];
+                if (u >= doNotEscape.size())
+                    builder.append("%u", hex(static_cast<uint8_t>(u >> 8), 2), hex(static_cast<uint8_t>(u), 2));
+                else if (doNotEscape.get(static_cast<LChar>(u)))
+                    builder.append(*c);
+                else
+                    builder.append('%', hex(u, 2));
+            }
+        }
+        if (UNLIKELY(builder.hasOverflowed())) {
+            throwOutOfMemoryError(globalObject, scope);
+            return { };
+        }
         return jsString(vm, builder.toString());
     }));
 …
 JSC_DEFINE_HOST_FUNCTION(globalFuncUnescape, (JSGlobalObject* globalObject, CallFrame* callFrame))
+{
     return JSValue::encode(toStringView(globalObject, callFrame->argument(0), [&] (StringView view) {
+    return JSValue::encode(toStringView(globalObject, callFrame->argument(0), [&] (StringView view) -> JSString* {
         // We use int for k and length intentionally since we would like to evaluate
         // the condition `k <= length -6` even if length is less than 6.
 …
         int length = view.length();
+        StringBuilder builder;
+        VM& vm = globalObject->vm();
+        auto scope = DECLARE_THROW_SCOPE(vm);
+        StringBuilder builder(StringBuilder::OverflowHandler::RecordOverflow);
         builder.reserveCapacity(length);
 …
+        }
+        return jsString(globalObject->vm(), builder.toString());
+        if (UNLIKELY(builder.hasOverflowed())) {
+            throwOutOfMemoryError(globalObject, scope);
+            return { };
+        }
+        return jsString(vm, builder.toString());
     }));
+}

Note: See TracChangeset for help on using the changeset viewer.