fix(FormData): throw error instead of crashing on very large input

When `FormData.from()` is called with a very large ArrayBuffer (exceeding
WebKit's String::MaxLength of INT32_MAX), it would crash with an assertion
failure in WebKit's StringImpl. This fixes the issue by:

1. Adding a length check in the C++ `toString` function (helpers.h) for
   UTF8-tagged strings to check against both Bun's synthetic limit and
   WebKit's String::MaxLength before attempting to create the string.

2. Adding a length check in the Zig `FormData.toJS` function to throw a
   proper error message before attempting to create the string.

Now `FormData.from(new Uint32Array(913148244))` throws a proper JavaScript
error instead of crashing.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

Author: Claude Bot

src/bun.js/bindings/helpers.h

@@ -79,6 +79,11 @@ static const WTF::String toString(ZigString str)
     }
     if (isTaggedUTF8Ptr(str.ptr)) [[unlikely]] {
         ASSERT_WITH_MESSAGE(!isTaggedExternalPtr(str.ptr), "UTF8 and external ptr are mutually exclusive. The external will never be freed.");
+        // This will fail if the string is too long. Let's make it explicit instead of an ASSERT.
+        // Check both the Bun synthetic limit and WebKit's String::MaxLength.
+        if (str.len > Bun__stringSyntheticAllocationLimit || str.len > WTF::String::MaxLength) [[unlikely]] {
+            return {};
+        }
         return WTF::String::fromUTF8ReplacingInvalidSequences(std::span { untag(str.ptr), str.len });
     }
 

src/url.zig

@@ -983,7 +983,12 @@ pub const FormData = struct {
     pub fn toJS(globalThis: *jsc.JSGlobalObject, input: []const u8, encoding: Encoding) !jsc.JSValue {
         switch (encoding) {
             .URLEncoded => {
-                var str = jsc.ZigString.fromUTF8(strings.withoutUTF8BOM(input));
+                const data = strings.withoutUTF8BOM(input);
+                // Check against both Bun's synthetic limit and WebKit's String::MaxLength (INT32_MAX)
+                if (data.len > bun.String.max_length() or data.len > std.math.maxInt(i32)) {
+                    return error.@"Cannot create a string longer than 2^32-1 characters";
+                }
+                var str = jsc.ZigString.fromUTF8(data);
                 return jsc.DOMFormData.createFromURLQuery(globalThis, &str);
             },
             .Multipart => |boundary| return toJSFromMultipartData(globalThis, input, boundary),

test/js/web/html/FormData.test.ts

@@ -277,6 +277,21 @@ describe("FormData", () => {
     expect(fd.toJSON()).toEqual({ "1": "1" });
   });
 
+  test("FormData.from throws on very large input instead of crashing", () => {
+    const { setSyntheticAllocationLimitForTesting } = require("bun:internal-for-testing");
+    const originalLimit = setSyntheticAllocationLimitForTesting(1024 * 1024); // 1MB limit
+    try {
+      // Create a buffer larger than the limit
+      const largeBuffer = new Uint8Array(2 * 1024 * 1024); // 2MB
+      // @ts-expect-error
+      expect(() => FormData.from(largeBuffer)).toThrow(
+        "Cannot create a string longer than 2^32-1 characters while parsing FormData",
+      );
+    } finally {
+      setSyntheticAllocationLimitForTesting(originalLimit);
+    }
+  });
+
   it("should throw on bad boundary", async () => {
     const response = new Response('foo\r\nContent-Disposition: form-data; name="foo"\r\n\r\nbar\r\n', {
       headers: {