Stringifier::appendStringifiedValue() is missing an exception check.

https://bugs.webkit.org/show_bug.cgi?id=178386 <rdar://problem/35027610> Reviewed by Saam Barati. JSTests: * stress/regress-178386.js: Added. Source/JavaScriptCore: * runtime/JSONObject.cpp: (JSC::Stringifier::appendStringifiedValue): Canonical link: https://commits.webkit.org/194743@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@223731 268f45cc-cd09-0410-ab3c-d52691b4dbfc
WebKit · Oct 20, 2017 · 4c76d71 · 4c76d71
1 parent ed5b59e
commit 4c76d71
Show file tree

Hide file tree

Showing 4 changed files with 36 additions and 1 deletion.
diff --git a/JSTests/ChangeLog b/JSTests/ChangeLog
@@ -1,3 +1,13 @@
+2017-10-19  Mark Lam  <mark.lam@apple.com>
+
+        Stringifier::appendStringifiedValue() is missing an exception check.
+        https://bugs.webkit.org/show_bug.cgi?id=178386
+        <rdar://problem/35027610>
+
+        Reviewed by Saam Barati.
+
+        * stress/regress-178386.js: Added.
+
 2017-10-19  Michael Saboff  <msaboff@apple.com>
 
         Test262: RegExp/property-escapes/generated/Emoji_Component.js fails with current RegExp Unicode Properties implementation

diff --git a/JSTests/stress/regress-178386.js b/JSTests/stress/regress-178386.js
@@ -0,0 +1,12 @@
+var str1 = String.fromCharCode(136, 115, 29, 20, 15, 155, 81);
+str3 = str1.padEnd(0x7FFFFFFC, '123');
+
+var exception;
+try {
+    JSON.stringify(str3);
+} catch (e) {
+    exception = e;
+}
+
+if (exception != "Error: Out of memory")
+    throw "FAILED";
diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,14 @@
+2017-10-19  Mark Lam  <mark.lam@apple.com>
+
+        Stringifier::appendStringifiedValue() is missing an exception check.
+        https://bugs.webkit.org/show_bug.cgi?id=178386
+        <rdar://problem/35027610>
+
+        Reviewed by Saam Barati.
+
+        * runtime/JSONObject.cpp:
+        (JSC::Stringifier::appendStringifiedValue):
+
 2017-10-19  Saam Barati  <sbarati@apple.com>
 
         REGRESSION(r223691): DFGByteCodeParser.cpp:1483:83: warning: comparison is always false due to limited range of data type [-Wtype-limits]

diff --git a/Source/JavaScriptCore/runtime/JSONObject.cpp b/Source/JavaScriptCore/runtime/JSONObject.cpp
@@ -355,7 +355,9 @@ Stringifier::StringifyResult Stringifier::appendStringifiedValue(StringBuilder&
     }
 
     if (value.isString()) {
-        builder.appendQuotedJSONString(asString(value)->value(m_exec));
+        const String& string = asString(value)->value(m_exec);
+        RETURN_IF_EXCEPTION(scope, StringifyFailed);
+        builder.appendQuotedJSONString(string);
         return StringifySucceeded;
     }