mirror of
https://github.com/oven-sh/bun
synced 2026-02-09 10:28:47 +00:00
43c46b1f77
## Summary - Fix crash in `FormData.from()` when called with very large ArrayBuffer input - Add length check in C++ `toString` function against both Bun's synthetic limit and WebKit's `String::MaxLength` - For UTF-8 tagged strings, use simdutf to calculate actual UTF-16 length only when byte length exceeds the limit ## Root Cause When `FormData.from()` was called with a very large ArrayBuffer (e.g., `new Uint32Array(913148244)` = ~3.6GB), the code would crash with: ``` ASSERTION FAILED: data.size() <= MaxLength vendor/WebKit/Source/WTF/wtf/text/StringImpl.h(886) ``` The `toString()` function in `helpers.h` was only checking against `Bun__stringSyntheticAllocationLimit` (which defaults to ~4GB), but not against WebKit's `String::MaxLength` (INT32_MAX, ~2GB). When the input exceeded `String::MaxLength`, `createWithoutCopying()` would fail with an assertion. ## Changes 1. **helpers.h**: Added `|| str.len > WTF::String::MaxLength` checks to all three code paths in `toString()`: - UTF-8 tagged pointer path (with simdutf length calculation only when needed) - External pointer path - Non-copying creation path 2. **url.zig**: Reverted the incorrect Zig-side check (UTF-8 byte length != UTF-16 character length) ## Test plan - [x] Added test that verifies FormData.from with oversized input doesn't crash - [x] Verified original crash case now returns empty FormData instead of crashing: ```js const v3 = new Uint32Array(913148244); FormData.from(v3); // No longer crashes ``` 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Claude Bot <claude-bot@bun.sh> Co-authored-by: Claude <noreply@anthropic.com> Co-authored-by: Jarred Sumner <jarred@jarredsumner.com>