Cherry-pick 970f62a. rdar://problem/109053647

Unreviewed, use previous length checking in JSON.stringify https://bugs.webkit.org/show_bug.cgi?id=256494 rdar://109053647 FastStringifier is not using m_buffer entirely. So it is separately tracking m_capacity right now. This design looks very strange, but let's stick with it. * Source/JavaScriptCore/runtime/JSONObject.cpp: (JSC::FastStringifier::append): Canonical link: https://commits.webkit.org/263834@main Identifier: 263769.4@safari-7616.1.14-branch
WebKit · May 8, 2023 · d1cfdd0 · d1cfdd0
1 parent 0cbfef8
commit d1cfdd0
Showing 1 changed file with 5 additions and 3 deletions.
diff --git a/Source/JavaScriptCore/runtime/JSONObject.cpp b/Source/JavaScriptCore/runtime/JSONObject.cpp
@@ -974,12 +974,14 @@ void FastStringifier::append(JSValue value)
 
     if (value.isInt32()) {
         auto number = value.asInt32();
-        char* cursor = reinterpret_cast<char*>(m_buffer) + m_length;
-        auto result = std::to_chars(cursor, reinterpret_cast<char*>(m_buffer + sizeof(m_buffer)), number);
-        if (UNLIKELY(result.ec == std::errc::value_too_large)) {
+        constexpr unsigned maxInt32StringLength = 11; // -INT32_MIN, "-2147483648".
+        if (UNLIKELY(!hasRemainingCapacity(maxInt32StringLength))) {
             recordBufferFull();
             return;
         }
+        char* cursor = reinterpret_cast<char*>(m_buffer) + m_length;
+        auto result = std::to_chars(cursor, cursor + maxInt32StringLength, number);
+        ASSERT(result.ec != std::errc::value_too_large);
         m_length += result.ptr - cursor;
         return;
     }