
Add maximum length limit for JsString #4409

@qarmin

Description

@qarmin

Rust code

/// Reads the file at `path` and evaluates its contents as a script in a fresh
/// `Context`.
///
/// Returns silently when the file cannot be read. The evaluation result
/// (success or error) is not inspected. Because the script runs with the
/// process's full memory budget, an input that keeps growing a string can
/// exhaust memory inside `eval` — the attached report shows the failed
/// allocation under `JsString::concat`.
fn check_file(path: &str) {
    let bytes = match fs::read(path) {
        Ok(bytes) => bytes,
        Err(_) => return,
    };
    println!("Checking file: {path}");
    let mut ctx = Context::default();
    // Outcome deliberately discarded; only the act of evaluating matters here.
    let _outcome = ctx.eval(Source::from_bytes(&bytes));
}

when evaluating the following JavaScript code (the raw, unformatted file should be attached at the bottom — GitHub strips some non-printable characters, so copying from here may not work):

// Fuzzer-found reproduction: the string is appended to itself twice per
// iteration, so its length grows by a factor of four each time round the loop
// (4^17 overall) with no upper bound enforced by the engine.
// NOTE(review): the author states GitHub strips some non-printable bytes from
// this listing, so the attached raw file is the authoritative input.
var s = '\u1234--synchronized-----';
for (var i = 0; i < 17; i++) {
  try {
    s += s;
    s += s;
  } catch (e) {
    // Any exception from the concatenation is swallowed, so the loop carries on.
  }
}
// The AddressSanitizer report places the failed allocation in JsString::concat,
// reached from the `+=` above — not in this call.
s.replace(/a/g);

crashes with the following AddressSanitizer report:

==107372==ERROR: AddressSanitizer: out of memory: allocator is trying to allocate 0x500000010 bytes
    #0 0x55903c849f64 in malloc /rustc/llvm/src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:67:3
    #1 0x55903d659674 in alloc::alloc::alloc::h49adb0d3ebd4ece6 /home/runner/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/alloc/src/alloc.rs:95:9
    #2 0x55903d659674 in boa_string::JsString::try_allocate_inner::h30dab110f34b866b /home/runner/.cargo/git/checkouts/boa-126d820dff07bf57/1726e44/core/string/src/lib.rs:693:30
    #3 0x55903d659674 in boa_string::JsString::allocate_inner::h243e0f3c96d50e34 /home/runner/.cargo/git/checkouts/boa-126d820dff07bf57/1726e44/core/string/src/lib.rs:659:15
    #4 0x55903d296735 in boa_string::JsString::concat_array::h66f08780aead58c5 /home/runner/.cargo/git/checkouts/boa-126d820dff07bf57/1726e44/core/string/src/lib.rs:601:19
    #5 0x55903d237521 in boa_string::JsString::concat::h2fdf6fbae8b448ca /home/runner/.cargo/git/checkouts/boa-126d820dff07bf57/1726e44/core/string/src/lib.rs:581:9
    #6 0x55903d237521 in boa_engine::value::operations::_$LT$impl$u20$boa_engine..value..JsValue$GT$::add::h963867058517901f /home/runner/.cargo/git/checkouts/boa-126d820dff07bf57/1726e44/core/engine/src/string.rs:66:9
    #7 0x55903d346b1e in boa_engine::vm::opcode::binary_ops::macro_defined::Add::operation::hbfa6547091385d83 /home/runner/.cargo/git/checkouts/boa-126d820dff07bf57/1726e44/core/engine/src/vm/opcode/binary_ops/macro_defined.rs:23:33
    #8 0x55903d346b1e in boa_engine::vm::opcode::handle_add::hed1002efa08bf29b /home/runner/.cargo/git/checkouts/boa-126d820dff07bf57/1726e44/core/engine/src/vm/opcode/mod.rs:313:17
    #9 0x55903d345d37 in boa_engine::vm::opcode::_$LT$impl$u20$boa_engine..context..Context$GT$::execute_bytecode_instruction::hce1e6efd2c16072f /home/runner/.cargo/git/checkouts/boa-126d820dff07bf57/1726e44/core/engine/src/vm/opcode/mod.rs:464:9
    #10 0x55903d345d37 in core::ops::function::FnOnce::call_once::h5ea5e748f569aadf /home/runner/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ops/function.rs:253:5
    #11 0x55903d345d37 in boa_engine::vm::_$LT$impl$u20$boa_engine..context..Context$GT$::execute_instruction::haddf99d1c1206bf2 /home/runner/.cargo/git/checkouts/boa-126d820dff07bf57/1726e44/core/engine/src/vm/mod.rs:649:9
    #12 0x55903d345d37 in boa_engine::vm::_$LT$impl$u20$boa_engine..context..Context$GT$::execute_one::ha1d53888248f9150 /home/runner/.cargo/git/checkouts/boa-126d820dff07bf57/1726e44/core/engine/src/vm/mod.rs:674:14
    #13 0x55903d345d37 in boa_engine::vm::_$LT$impl$u20$boa_engine..context..Context$GT$::run::h4e47dbdde018d3f6 /home/runner/.cargo/git/checkouts/boa-126d820dff07bf57/1726e44/core/engine/src/vm/mod.rs:858:24
    #14 0x55903cf41004 in boa_engine::script::Script::evaluate::hea8a5fe7bf81172d /home/runner/.cargo/git/checkouts/boa-126d820dff07bf57/1726e44/core/engine/src/script.rs:172:30
    #15 0x55903c908b42 in boa_engine::context::Context::eval::hcc071e387c4fbc63 /home/runner/.cargo/git/checkouts/boa-126d820dff07bf57/1726e44/core/engine/src/context/mod.rs:202:41
    #16 0x55903c89afd4 in boa::check_file::h6880316adcb6aa65 /home/runner/work/Automated-Fuzzer/Automated-Fuzzer/src/crates/boa/src/main.rs:33:27
    #17 0x55903c89c9ba in boa::main::ha13b41bbb78faa1d /home/runner/work/Automated-Fuzzer/Automated-Fuzzer/src/crates/boa/src/main.rs:22:9
    #18 0x55903ca4bf82 in core::ops::function::FnOnce::call_once::hc44f3f165fb9d0ff /home/runner/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ops/function.rs:253:5
    #19 0x55903ca4bf82 in std::sys::backtrace::__rust_begin_short_backtrace::hded07af034cccb88 /home/runner/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/sys/backtrace.rs:158:18
    #20 0x55903c974f8b in std::rt::lang_start::hf25c25fd38489395 /home/runner/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/rt.rs:205:5
    #21 0x7fa9df02a1c9  (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 282c2c16e7b6600b0b22ea0c99010d2795752b5f)
    #22 0x7fa9df02a28a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 282c2c16e7b6600b0b22ea0c99010d2795752b5f)
    #23 0x55903c7bc234 in _start (/home/runner/.cargo/bin/boa+0x676234) (BuildId: b3ffb55685f1a3865860687406323718d3c544b5)

==107372==HINT: if you don't care about these errors you may set allocator_may_return_null=1
SUMMARY: AddressSanitizer: out-of-memory /home/runner/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/alloc/src/alloc.rs:95:9 in alloc::alloc::alloc::h49adb0d3ebd4ece6
``

[compressed.zip](https://github.com/user-attachments/files/22176898/compressed.zip)
