From d1cfdd08a8989e561ab21bb6d596ce9781fd90a7 Mon Sep 17 00:00:00 2001
From: Yusuke Suzuki
Date: Mon, 8 May 2023 16:02:13 -0700
Subject: [PATCH] Cherry-pick 970f62aaf87c. rdar://problem/109053647
Unreviewed, use previous length checking in JSON.stringify https://bugs.webkit.org/show_bug.cgi?id=256494 rdar://109053647 FastStringifier is not using m_buffer entirely. So it is separately tracking m_capacity right now. This design looks very strange, but let's stick with it. * Source/JavaScriptCore/runtime/JSONObject.cpp: (JSC::FastStringifier::append): Canonical link: https://commits.webkit.org/263834@main Identifier: 263769.4@safari-7616.1.14-branch
---
Source/JavaScriptCore/runtime/JSONObject.cpp | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/Source/JavaScriptCore/runtime/JSONObject.cpp b/Source/JavaScriptCore/runtime/JSONObject.cpp
index 411d98a6e7d5..ac58f36068af 100644
--- a/Source/JavaScriptCore/runtime/JSONObject.cpp
+++ b/Source/JavaScriptCore/runtime/JSONObject.cpp
@@ -974,12 +974,14 @@ void FastStringifier::append(JSValue value)
 if (value.isInt32()) {
 auto number = value.asInt32();
- char* cursor = reinterpret_cast(m_buffer) + m_length;
- auto result = std::to_chars(cursor, reinterpret_cast(m_buffer + sizeof(m_buffer)), number);
- if (UNLIKELY(result.ec == std::errc::value_too_large)) {
+ constexpr unsigned maxInt32StringLength = 11; // -INT32_MIN, "-2147483648".
+ if (UNLIKELY(!hasRemainingCapacity(maxInt32StringLength))) {
 recordBufferFull();
 return;
 }
+ char* cursor = reinterpret_cast(m_buffer) + m_length;
+ auto result = std::to_chars(cursor, cursor + maxInt32StringLength, number);
+ ASSERT(result.ec != std::errc::value_too_large);
 m_length += result.ptr - cursor;
 return;
 }
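Review bot: The end bound handed to std::to_chars on the new side, `cursor + maxInt32StringLength`, is computed from a constant instead of from the physical end of m_buffer that the removed line used, so the write stays in bounds only if hasRemainingCapacity() (defined outside this hunk) guarantees that at least 11 bytes of the real storage remain — that is, only if the separately tracked m_capacity the commit message mentions never exceeds sizeof(m_buffer). That invariant deserves to be stated next to the call, for example `ASSERT(cursor + maxInt32StringLength <= reinterpret_cast<char*>(m_buffer + sizeof(m_buffer)));` mirroring the removed bound, so a later change to how m_capacity is derived trips a debug assertion instead of becoming an out-of-bounds write. The result.ec check is now a debug-only ASSERT, which is acceptable only because 11 bytes always suffice for an int32; a comment on the constant such as `// 11 bytes holds every int32 (worst case "-2147483648"), so to_chars cannot report value_too_large once hasRemainingCapacity() has passed.` would record that reasoning for the next reader. The missing template argument on reinterpret_cast in both the old and new lines looks like a page-extraction artifact (presumably `<char*>`) rather than something the commit introduced. FastStringifier::append begins before this hunk and continues after it.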