fix(FormData): prevent crash on very large input

When `FormData.from()` is called with a very large ArrayBuffer (exceeding
WebKit's String::MaxLength of INT32_MAX), it would crash with an assertion
failure in WebKit's StringImpl. This fixes the issue by adding length checks
in the C++ `toString` and related functions (helpers.h) to check against both
Bun's synthetic limit and WebKit's String::MaxLength.

For UTF-8 tagged strings, we use simdutf to calculate the actual UTF-16 length
only when the byte length exceeds the limit, since UTF-16 length is at most
equal to UTF-8 byte length.

Changes:
- Add length checks to all UTF-8 code paths in helpers.h:
  - toString(ZigString)
  - toString(ZigString, StringPointer)
  - toStringCopy(ZigString)
  - toStringCopy(ZigString, StringPointer)
  - appendToBuilder(ZigString, StringBuilder)
- Add WTF::String::MaxLength check to non-UTF-8 paths

Now `FormData.from(new Uint32Array(913148244))` returns an empty FormData
instead of crashing with an assertion failure.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

Author: Claude Bot

src/bun.js/bindings/helpers.h

@@ -2,6 +2,7 @@
 
 #include "root.h"
 #include "wtf/text/ASCIILiteral.h"
+#include "wtf/SIMDUTF.h"
 
 #include <JavaScriptCore/Error.h>
 #include <JavaScriptCore/Exception.h>
@@ -79,12 +80,22 @@ static const WTF::String toString(ZigString str)
     }
     if (isTaggedUTF8Ptr(str.ptr)) [[unlikely]] {
         ASSERT_WITH_MESSAGE(!isTaggedExternalPtr(str.ptr), "UTF8 and external ptr are mutually exclusive. The external will never be freed.");
+        // Check if the resulting UTF-16 string could possibly exceed the maximum length.
+        // UTF-16 length is at most equal to UTF-8 byte length, so only check when byte length exceeds limit.
+        size_t maxLength = std::min(Bun__stringSyntheticAllocationLimit, static_cast<size_t>(WTF::String::MaxLength));
+        if (str.len > maxLength) [[unlikely]] {
+            // UTF-8 byte length != UTF-16 length, so use simdutf to calculate the actual UTF-16 length.
+            size_t utf16Length = simdutf::utf16_length_from_utf8(reinterpret_cast<const char*>(untag(str.ptr)), str.len);
+            if (utf16Length > maxLength) {
+                return {};
+            }
+        }
         return WTF::String::fromUTF8ReplacingInvalidSequences(std::span { untag(str.ptr), str.len });
     }
 
     if (isTaggedExternalPtr(str.ptr)) [[unlikely]] {
         // This will fail if the string is too long. Let's make it explicit instead of an ASSERT.
-        if (str.len > Bun__stringSyntheticAllocationLimit) [[unlikely]] {
+        if (str.len > Bun__stringSyntheticAllocationLimit || str.len > WTF::String::MaxLength) [[unlikely]] {
             free_global_string(nullptr, reinterpret_cast<void*>(const_cast<unsigned char*>(untag(str.ptr))), static_cast<unsigned>(str.len));
             return {};
         }
@@ -95,7 +106,7 @@ static const WTF::String toString(ZigString str)
     }
 
     // This will fail if the string is too long. Let's make it explicit instead of an ASSERT.
-    if (str.len > Bun__stringSyntheticAllocationLimit) [[unlikely]] {
+    if (str.len > Bun__stringSyntheticAllocationLimit || str.len > WTF::String::MaxLength) [[unlikely]] {
         return {};
     }
 
@@ -121,11 +132,19 @@ static const WTF::String toString(ZigString str, StringPointer ptr)
         return WTF::String();
     }
     if (isTaggedUTF8Ptr(str.ptr)) [[unlikely]] {
+        // Check if the resulting UTF-16 string could possibly exceed the maximum length.
+        size_t maxLength = std::min(Bun__stringSyntheticAllocationLimit, static_cast<size_t>(WTF::String::MaxLength));
+        if (ptr.len > maxLength) [[unlikely]] {
+            size_t utf16Length = simdutf::utf16_length_from_utf8(reinterpret_cast<const char*>(&untag(str.ptr)[ptr.off]), ptr.len);
+            if (utf16Length > maxLength) {
+                return {};
+            }
+        }
         return WTF::String::fromUTF8ReplacingInvalidSequences(std::span { &untag(str.ptr)[ptr.off], ptr.len });
     }
 
     // This will fail if the string is too long. Let's make it explicit instead of an ASSERT.
-    if (str.len > Bun__stringSyntheticAllocationLimit) [[unlikely]] {
+    if (ptr.len > Bun__stringSyntheticAllocationLimit || ptr.len > WTF::String::MaxLength) [[unlikely]] {
         return {};
     }
 
@@ -141,11 +160,19 @@ static const WTF::String toStringCopy(ZigString str, StringPointer ptr)
         return WTF::String();
     }
     if (isTaggedUTF8Ptr(str.ptr)) [[unlikely]] {
+        // Check if the resulting UTF-16 string could possibly exceed the maximum length.
+        size_t maxLength = std::min(Bun__stringSyntheticAllocationLimit, static_cast<size_t>(WTF::String::MaxLength));
+        if (ptr.len > maxLength) [[unlikely]] {
+            size_t utf16Length = simdutf::utf16_length_from_utf8(reinterpret_cast<const char*>(&untag(str.ptr)[ptr.off]), ptr.len);
+            if (utf16Length > maxLength) {
+                return {};
+            }
+        }
         return WTF::String::fromUTF8ReplacingInvalidSequences(std::span { &untag(str.ptr)[ptr.off], ptr.len });
     }
 
     // This will fail if the string is too long. Let's make it explicit instead of an ASSERT.
-    if (str.len > Bun__stringSyntheticAllocationLimit) [[unlikely]] {
+    if (ptr.len > Bun__stringSyntheticAllocationLimit || ptr.len > WTF::String::MaxLength) [[unlikely]] {
         return {};
     }
 
@@ -161,6 +188,14 @@ static const WTF::String toStringCopy(ZigString str)
         return WTF::String();
     }
     if (isTaggedUTF8Ptr(str.ptr)) [[unlikely]] {
+        // Check if the resulting UTF-16 string could possibly exceed the maximum length.
+        size_t maxLength = std::min(Bun__stringSyntheticAllocationLimit, static_cast<size_t>(WTF::String::MaxLength));
+        if (str.len > maxLength) [[unlikely]] {
+            size_t utf16Length = simdutf::utf16_length_from_utf8(reinterpret_cast<const char*>(untag(str.ptr)), str.len);
+            if (utf16Length > maxLength) {
+                return {};
+            }
+        }
         return WTF::String::fromUTF8ReplacingInvalidSequences(std::span { untag(str.ptr), str.len });
     }
 
@@ -188,6 +223,14 @@ static void appendToBuilder(ZigString str, WTF::StringBuilder& builder)
         return;
     }
     if (isTaggedUTF8Ptr(str.ptr)) [[unlikely]] {
+        // Check if the resulting UTF-16 string could possibly exceed the maximum length.
+        size_t maxLength = std::min(Bun__stringSyntheticAllocationLimit, static_cast<size_t>(WTF::String::MaxLength));
+        if (str.len > maxLength) [[unlikely]] {
+            size_t utf16Length = simdutf::utf16_length_from_utf8(reinterpret_cast<const char*>(untag(str.ptr)), str.len);
+            if (utf16Length > maxLength) {
+                return;
+            }
+        }
         WTF::String converted = WTF::String::fromUTF8ReplacingInvalidSequences(std::span { untag(str.ptr), str.len });
         builder.append(converted);
         return;

test/js/web/html/FormData.test.ts

@@ -277,6 +277,27 @@ describe("FormData", () => {
     expect(fd.toJSON()).toEqual({ "1": "1" });
   });
 
+  test("FormData.from does not crash on very large input", () => {
+    // This test verifies that FormData.from doesn't crash with an assertion failure
+    // when given input larger than WebKit's String::MaxLength (INT32_MAX ~= 2GB).
+    // We use a smaller test case with the synthetic limit to avoid actually allocating 2GB+.
+    const { setSyntheticAllocationLimitForTesting } = require("bun:internal-for-testing");
+    // Set a small limit so we can test the boundary without allocating gigabytes
+    const originalLimit = setSyntheticAllocationLimitForTesting(1024 * 1024); // 1MB limit
+    try {
+      // Create a buffer larger than the limit
+      const largeBuffer = new Uint8Array(2 * 1024 * 1024); // 2MB
+      // @ts-expect-error - FormData.from is a Bun extension
+      const result = FormData.from(largeBuffer);
+      // Should return an empty FormData instead of crashing
+      expect(result).toBeInstanceOf(FormData);
+      // Verify the FormData is empty (string was too long to parse)
+      expect(Array.from(result.entries())).toHaveLength(0);
+    } finally {
+      setSyntheticAllocationLimitForTesting(originalLimit);
+    }
+  });
+
   it("should throw on bad boundary", async () => {
     const response = new Response('foo\r\nContent-Disposition: form-data; name="foo"\r\n\r\nbar\r\n', {
       headers: {