Timestamp:
Jun 26, 2017, 12:34:21 PM (8 years ago)
Author:
[email protected]
Message:

Crash in JSC::Lexer<unsigned char>::setCode
https://bugs.webkit.org/show_bug.cgi?id=172754

Reviewed by Mark Lam.

JSTests:

  • stress/dont-reserve-huge-capacity-lexer.js: Added.

(catch):

Source/JavaScriptCore:

The lexer was asking one of its buffers to reserve initial space that
was O(text size in bytes). For large sources, this would end up causing
the vector to overflow and crash. This patch changes this code to be like
the Lexer's other buffers and to only reserve a small starting buffer.

  • parser/Lexer.cpp:

(JSC::Lexer<T>::setCode):

File:
1 edited

  • trunk/Source/JavaScriptCore/parser/Lexer.cpp

    r218111 r218819  
    565565   
    566566    m_buffer8.reserveInitialCapacity(initialReadBufferCapacity);
    567     m_buffer16.reserveInitialCapacity((m_codeEnd - m_code) / 2);
     567    m_buffer16.reserveInitialCapacity(initialReadBufferCapacity);
    568568    m_bufferForRawTemplateString16.reserveInitialCapacity(initialReadBufferCapacity);
    569569   
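Review bot: the replaced reservation on the removed line, (m_codeEnd - m_code) / 2, is the only place the source length fed a capacity request, and nothing in the hunk records why a fixed initialReadBufferCapacity is safe here; a one-line comment next to the three reserveInitialCapacity calls stating that these buffers grow on demand and that a size-proportional reservation can overflow the Vector's capacity for huge sources (the crash described in the commit message) would keep the proportional heuristic from being reintroduced later. With that, m_buffer16 is treated identically to m_buffer8 and m_bufferForRawTemplateString16 on the surrounding unchanged lines, which is the consistency the message describes, and the regression test stress/dont-reserve-huge-capacity-lexer.js added in JSTests covers the large-source case.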