authorVictor Gomes <victorgomes@chromium.org>2024-03-21 09:59:19 +0100
committerMichael BrĂ¼ning <michael.bruning@qt.io>2024-05-31 15:28:53 +0000
commit91b3c705d739f6b6c58da6133e8e818e06dfcaa3 (patch)
tree4905a42a04739413a33b3e57a399a153041c4868 /chromium
parentefda8125f55049957e196995dffafb6dc171eadf (diff)
[Backport] Security bug 32969960987-based
Manual backport of patch originally reviewed on https://chromium-review.googlesource.com/c/v8/v8/+/5378286: Deal with large strings in NoSideEffectsErrorToString If name is too big, StringBuilder will fail to even add "<a very large string>" suffix. In this case, we truncate name first. Bug: 329699609 Change-Id: I6e4440c07eae84371f44b54f88127e2c70af0db5 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5378286 Commit-Queue: Victor Gomes <victorgomes@chromium.org> Reviewed-by: Patrick Thier <pthier@chromium.org> Auto-Submit: Victor Gomes <victorgomes@chromium.org> Cr-Commit-Position: refs/heads/main@{#92932} Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/562708 Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Diffstat (limited to 'chromium')
-rw-r--r--chromium/v8/src/objects/objects.cc25
1 files changed, 19 insertions, 6 deletions
diff --git a/chromium/v8/src/objects/objects.cc b/chromium/v8/src/objects/objects.cc
index 7b38609e347..7820c7e8e58 100644
--- a/chromium/v8/src/objects/objects.cc
+++ b/chromium/v8/src/objects/objects.cc
@@ -425,14 +425,27 @@ Handle<String> NoSideEffectsErrorToString(Isolate* isolate,
if (name_str->length() == 0) return msg_str;
if (msg_str->length() == 0) return name_str;
- IncrementalStringBuilder builder(isolate);
- builder.AppendString(name_str);
- builder.AppendCString(": ");
+ constexpr const char error_suffix[] = "<a very large string>";
+ constexpr int error_suffix_size = sizeof(error_suffix);
+ int suffix_size = std::min(error_suffix_size, msg_str->length());
- if (builder.Length() + msg_str->length() <= String::kMaxLength) {
- builder.AppendString(msg_str);
+ IncrementalStringBuilder builder(isolate);
+ if (name_str->length() + suffix_size + 2 /* ": " */ > String::kMaxLength) {
+ constexpr const char connector[] = "... : ";
+ int connector_size = sizeof(connector);
+ Handle<String> truncated_name = isolate->factory()->NewProperSubString(
+ name_str, 0, name_str->length() - error_suffix_size - connector_size);
+ builder.AppendString(truncated_name);
+ builder.AppendCString(connector);
+ builder.AppendCString(error_suffix);
} else {
- builder.AppendCString("<a very large string>");
+ builder.AppendString(name_str);
+ builder.AppendCString(": ");
+ if (builder.Length() + msg_str->length() <= String::kMaxLength) {
+ builder.AppendString(msg_str);
+ } else {
+ builder.AppendCString(error_suffix);
+ }
}
return builder.Finish().ToHandleChecked();