Changeset 230026 in webkit for trunk/Source/JavaScriptCore/runtime/JSONObject.cpp

Timestamp:

Mar 28, 2018, 2:36:44 AM (7 years ago)

Author:

[email protected]

Message:

appendQuotedJSONString stops on arithmetic overflow instead of propagating it upwards
​https://bugs.webkit.org/show_bug.cgi?id=183894

Reviewed by Saam Barati.

JSTests:

• stress/json-stringified-overflow.js: Added.

(catch):

Source/JavaScriptCore:

Use the return value of appendQuotedJSONString to fail more gracefully when given a string that is too large to handle.

• runtime/JSONObject.cpp:

(JSC::Stringifier::appendStringifiedValue):

Source/WTF:

appendQuotedJSONString now returns a bool indicating whether it succeeded, instead of silently failing when given a string too large
to fit in 4GB.

• wtf/text/StringBuilder.h:
• wtf/text/StringBuilderJSON.cpp:

(WTF::StringBuilder::appendQuotedJSONString):

File:

• trunk/Source/JavaScriptCore/runtime/JSONObject.cpp (modified) (1 diff)

trunk/Source/JavaScriptCore/runtime/JSONObject.cpp

@@ -358 +358 @@
         const String& string = asString(value)->value(m_exec);
         RETURN_IF_EXCEPTION(scope, StringifyFailed);
-        builder.appendQuotedJSONString(string);
-        return StringifySucceeded;
+        if (builder.appendQuotedJSONString(string))
+            return StringifySucceeded;
+        throwOutOfMemoryError(m_exec, scope);
+        return StringifyFailed;
     }