Modified: releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/ChangeLog (239307 => 239308)
--- releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/ChangeLog 2018-12-18 02:03:09 UTC (rev 239307)
+++ releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/ChangeLog 2018-12-18 02:03:13 UTC (rev 239308)
@@ -1,3 +1,20 @@
+2018-12-14 Darin Adler <da...@apple.com>
+
+ LiteralParser has a bunch of uses of String::format with untrusted data
+ https://bugs.webkit.org/show_bug.cgi?id=108883
+ rdar://problem/13666409
+
+ Reviewed by Mark Lam.
+
+ * runtime/LiteralParser.cpp:
+ (JSC::LiteralParser<CharType>::Lexer::lex): Use makeString instead of String::format.
+ (JSC::LiteralParser<CharType>::Lexer::lexStringSlow): Ditto.
+ (JSC::LiteralParser<CharType>::parse): Ditto.
+
+ * runtime/LiteralParser.h:
+ (JSC::LiteralParser::getErrorMessage): Use string concatenation instead of
+ String::format.
+
2018-12-13 Mark Lam <mark....@apple.com>
Add a missing exception check.
Modified: releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/runtime/LiteralParser.cpp (239307 => 239308)
--- releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/runtime/LiteralParser.cpp 2018-12-18 02:03:09 UTC (rev 239307)
+++ releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/runtime/LiteralParser.cpp 2018-12-18 02:03:13 UTC (rev 239308)
@@ -37,6 +37,7 @@
#include "StrongInlines.h"
#include <wtf/ASCIICType.h>
#include <wtf/dtoa.h>
+#include <wtf/text/StringConcatenate.h>
namespace JSC {
@@ -515,7 +516,7 @@
return tokenType;
}
}
- m_lexErrorMessage = String::format("Unrecognized token '%c'", *m_ptr);
+ m_lexErrorMessage = makeString("Unrecognized token '", StringView { m_ptr, 1 }, '\'');
return TokError;
}
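Review bot: `StringView { m_ptr, 1 }` on the new line 38 still dereferences `m_ptr` with no bound check visible in the hunk; it is no worse than the `*m_ptr` it replaces, but the check that `m_ptr < m_end` must live earlier in `lex()`, whose body starts outside this hunk. Note the behavioral change: the old `%c` truncated a 16-bit code unit to one byte, whereas the new message carries the untrusted code unit verbatim, so for the UChar instantiation an unpaired surrogate or a control character can now land in the SyntaxError text. That is acceptable for a JS string, but if this message is ever converted to UTF-8 for a log or console it will be replaced or mangled; a comment such as `// Echoes the offending code unit as-is; may be a lone surrogate or control character.` would record that this is intended.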
@@ -673,7 +674,7 @@
} // uNNNN == 5 characters
for (int i = 1; i < 5; i++) {
if (!isASCIIHexDigit(m_ptr[i])) {
- m_lexErrorMessage = String::format("\"\\%s\" is not a valid unicode escape", String(m_ptr, 5).ascii().data());
+ m_lexErrorMessage = makeString("\"\\", StringView { m_ptr, 5 }, "\" is not a valid unicode escape");
return TokError;
}
}
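Review bot: `StringView { m_ptr, 5 }` on the new line 46 reads five code units on the assumption that the check closed by the `}` above (commented "uNNNN == 5 characters") guarantees `m_end - m_ptr >= 5`; that check is outside the hunk, so this cannot be confirmed here, and the old `String(m_ptr, 5)` made the same assumption. Since the loop only validates `m_ptr[1..4]` and the view deliberately includes the leading `u` at `m_ptr[0]`, an `ASSERT(m_end - m_ptr >= 5);` immediately before the `makeString` would make the dependency explicit and catch a future change to the preceding length check. As with the other messages, the non-hex code unit is echoed verbatim, so a lone surrogate can appear in the message for the UChar instantiation. `lexStringSlow()` starts and ends outside this hunk.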
@@ -687,7 +688,7 @@
m_ptr++;
break;
}
- m_lexErrorMessage = String::format("Invalid escape character %c", *m_ptr);
+ m_lexErrorMessage = makeString("Invalid escape character ", StringView { m_ptr, 1 });
return TokError;
}
}
@@ -995,9 +996,9 @@
case TokIdentifier: {
typename Lexer::LiteralParserTokenPtr token = m_lexer.currentToken();
if (token->stringIs8Bit)
- m_parseErrorMessage = String::format("Unexpected identifier \"%s\"", String(token->stringToken8, token->stringLength).ascii().data());
+ m_parseErrorMessage = makeString("Unexpected identifier \"", StringView { token->stringToken8, token->stringLength }, '"');
else
- m_parseErrorMessage = String::format("Unexpected identifier \"%s\"", String(token->stringToken16, token->stringLength).ascii().data());
+ m_parseErrorMessage = makeString("Unexpected identifier \"", StringView { token->stringToken16, token->stringLength }, '"');
return JSValue();
}
case TokColon:
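Review bot: The two branches on the new lines 64 and 67 duplicate the prefix and suffix and differ only in the view they build; selecting the view first, `StringView identifier = token->stringIs8Bit ? StringView { token->stringToken8, token->stringLength } : StringView { token->stringToken16, token->stringLength };` and then one `m_parseErrorMessage = makeString("Unexpected identifier \"", identifier, '"');`, keeps the message text in a single place. Functionally the change also stops the old `.ascii()` from replacing non-ASCII characters with `?`, so the attacker-controlled identifier is now copied into the message verbatim and at full length; that is bounded by the input size and was already allocated by the old code, but if the message can reach a log it may be worth capping the echoed length. The enclosing `parse()` switch starts and ends outside this hunk.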
Modified: releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/runtime/LiteralParser.h (239307 => 239308)
--- releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/runtime/LiteralParser.h 2018-12-18 02:03:09 UTC (rev 239307)
+++ releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/runtime/LiteralParser.h 2018-12-18 02:03:13 UTC (rev 239308)
@@ -102,9 +102,9 @@
String getErrorMessage()
{
if (!m_lexer.getErrorMessage().isEmpty())
- return String::format("JSON Parse error: %s", m_lexer.getErrorMessage().ascii().data());
+ return "JSON Parse error: " + m_lexer.getErrorMessage();
if (!m_parseErrorMessage.isEmpty())
- return String::format("JSON Parse error: %s", m_parseErrorMessage.ascii().data());
+ return "JSON Parse error: " + m_parseErrorMessage;
return "JSON Parse error: Unable to parse JSON string"_s;
}
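Review bot: The new lines 79 and 82 rely on WTF's `operator+` for `const char*` and `String`, which is declared in `<wtf/text/StringOperators.h>`; no include is added in this hunk, so the header appears to depend on a transitive include, and using `makeString("JSON Parse error: ", m_lexer.getErrorMessage())` with an explicit `#include <wtf/text/StringConcatenate.h>` would match the style chosen in LiteralParser.cpp. `m_lexer.getErrorMessage()` is also called twice, once for `isEmpty()` and once for the concatenation; if it returns by value that is an extra copy, and binding it once, `const String& lexError = m_lexer.getErrorMessage();`, avoids it. The precedence of the lexer message over `m_parseErrorMessage` is unchanged by this patch, but a one-line comment stating that the lexer error wins when both are set would help readers of this function.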