Heap out of bounds read in JSC::Yarr::Parser<JSC::Yarr::SyntaxChecker, unsigned char...
authormsaboff@apple.com <msaboff@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 28 Sep 2017 04:48:51 +0000 (04:48 +0000)
committermsaboff@apple.com <msaboff@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 28 Sep 2017 04:48:51 +0000 (04:48 +0000)
https://bugs.webkit.org/show_bug.cgi?id=177423

Reviewed by Mark Lam.

JSTests:

Updated regression test.

* stress/regress-177423.js:
(catch):

Source/JavaScriptCore:

Updated fix that restructures the code, changing the do ... while to a while and adding another
atEndOfPattern() check before looking for the first named group identifier character.

* yarr/YarrParser.h:
(JSC::Yarr::Parser::tryConsumeGroupName):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@222600 268f45cc-cd09-0410-ab3c-d52691b4dbfc

JSTests/ChangeLog
JSTests/stress/regress-177423.js
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/yarr/YarrParser.h

index eea3389..acce999 100644 (file)
@@ -1,3 +1,15 @@
+2017-09-28  Michael Saboff  <msaboff@apple.com>
+
+        Heap out of bounds read in JSC::Yarr::Parser<JSC::Yarr::SyntaxChecker, unsigned char>::peek()
+        https://bugs.webkit.org/show_bug.cgi?id=177423
+
+        Reviewed by Mark Lam.
+
+        Updated regression test.
+
+        * stress/regress-177423.js:
+        (catch):
+
 2017-09-27  Mark Lam  <mark.lam@apple.com>
 
         JSArray::canFastCopy() should fail if the source and destination arrays are the same.
index c353338..ae64f36 100644 (file)
@@ -1 +1,14 @@
-/\k</
+// Regression test for bug 177423
+let r1 = /\k</;
+
+let didThrow = false;
+
+try {
+    let r2 = new RegExp("\\k<1>", "u");
+    didThrow = false;
+} catch(e) {
+    didThrow = true;
+}
+
+if (!didThrow)
+    throw("Trying to create a named capture reference that starts with a number should Throw");
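Review bot: The catch block treats any exception as success, so a failure unrelated to the named-group parse (a ReferenceError from a typo, for instance) would also let the test pass; tightening it to `didThrow = e instanceof SyntaxError;` pins the error the test is actually about. The `didThrow = false;` assignment inside the try is redundant with the initializer two lines above and can be dropped. A one-line comment above the try, such as `// Named group reference starting with a digit must be rejected in unicode mode`, would make the intent of the second case clearer than the message on the final throw alone.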
index 50e98d9..3398d0e 100644 (file)
@@ -1,3 +1,16 @@
+2017-09-28  Michael Saboff  <msaboff@apple.com>
+
+        Heap out of bounds read in JSC::Yarr::Parser<JSC::Yarr::SyntaxChecker, unsigned char>::peek()
+        https://bugs.webkit.org/show_bug.cgi?id=177423
+
+        Reviewed by Mark Lam.
+
+        Updated fix that restructures that changes the do ... while to a while and adds another
+        atEndOfPattern() check before looking for the first named group identifier character.
+
+        * yarr/YarrParser.h:
+        (JSC::Yarr::Parser::tryConsumeGroupName):
+
 2017-09-27  Mark Lam  <mark.lam@apple.com>
 
         JSArray::canFastCopy() should fail if the source and destination arrays are the same.
index 378609d..cab7bc1 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2009, 2014-2016 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -998,20 +998,27 @@ private:
 
     std::optional<String> tryConsumeGroupName()
     {
+        if (atEndOfPattern())
+            return std::nullopt;
+
         ParseState state = saveState();
-        StringBuilder identifierBuilder;
+        
+        int ch = tryConsumeIdentifierCharacter();
 
-        while (!atEndOfPattern()) {
-            int ch = tryConsumeIdentifierCharacter();
-            if (ch == '>') {
-                if (identifierBuilder.length())
+        if (isIdentifierStart(ch)) {
+            StringBuilder identifierBuilder;
+            identifierBuilder.append(ch);
+
+            while (!atEndOfPattern()) {
+                ch = tryConsumeIdentifierCharacter();
+                if (ch == '>')
                     return std::optional<String>(identifierBuilder.toString());
-                break;
-            }
-            if (!isIdentifierPart(ch))
-                break;
 
-            identifierBuilder.append(ch);
+                if (!isIdentifierPart(ch))
+                    break;
+
+                identifierBuilder.append(ch);
+            }
         }
 
         restoreState(state);
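Review bot: The new `atEndOfPattern()` guard before the first `tryConsumeIdentifierCharacter()` only establishes that at least one character remains, so the out-of-bounds read is closed only if `tryConsumeIdentifierCharacter()` bounds-checks any further lookahead it performs itself; that helper is outside the hunk and is worth re-reading against the same inputs the regression test uses. Because the reason for the leading check is not obvious from the code, a comment would help future maintainers: `// Guard before the first read: tryConsumeIdentifierCharacter() must not peek past the end of the pattern (bug 177423).` The blank line added after `saveState()` carries trailing spaces. The first hunk of this file changes the copyright line from `2009-2017` to `2009, 2014-2016`, which reads like an accidental regression from an older base rather than an intended edit. The body of tryConsumeGroupName continues past the end of the hunk.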