allocation size overflow when overriding regexp exec to be dumb
Categories
(Core :: JavaScript Engine, defect, P1)
Tracking
()
Tracking | Status | |
---|---|---|
firefox93 | --- | fixed |
People
(Reporter: bakkot, Assigned: anba)
Details
Attachments
(1 file)
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
Steps to reproduce:
let evil = new RegExp;
evil.exec = () => ({ 0: '1234567', length: 1, index: 0 });
'abc'.replace(evil, `$'`);
or:
let evil = new RegExp;
evil.exec = () => ({ 0: 'x', length: 1, index: 3 });
'abc'.replace(evil, `$'`);
Actual results:
In both cases, this gives
Uncaught InternalError: allocation size overflow
Expected results:
In the first case, it should evaluate to the empty string. In the second, it should evaluate to the string "abc".
These exercise an extremely dumb case in the GetSubstitution abstract operation: in the $'
case in that algorithm, there is a tailPos ≥ stringLength
condition. The strict >
case there is very strange: it means that you have a match M at position P in string S such that the length of M exceeds the number of code units subsequent to P in S. Obviously this does not make sense, and indeed built-in RegExps can't do this (I am reasonably sure).
But this can be achieved by overriding the exec method on a RegExp (something we have not yet gotten rid of; see proposal-rm-builtin-subclassing for an effort in that direction), either (in the first case) by producing a match string which is longer than the input or (in the second case) by producing a nonempty match string at position past where it could have fit in the input.
Assignee | ||
Comment 1•3 years ago
|
||
This check was added in ES6 (rev14) to handle user-defined RegExps.
Without this check, there's a size_t
overflow, which resulted in creating an
invalid CheckedInt
, which then ended up throwing an allocation error.
Updated•3 years ago
|
Updated•3 years ago
|
Pushed by andre.bargull@gmail.com: https://hg.mozilla.org/integration/autoland/rev/24a4fd7f85ca Handle case when the tail-position exceeds the string length in InterpretDollar. r=arai
Comment 3•3 years ago
|
||
bugherder |
Description
•