Closed Bug 1724618 Opened 3 years ago Closed 3 years ago

allocation size overflow when overriding regexp exec to be dumb

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Version:
Firefox 90
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
93 Branch
Tracking Flags:
Tracking Status
firefox93 --- fixed

People

(Reporter: bakkot, Assigned: anba)

Details

Attachments

(1 file)

Bug 1724618: Handle case when the tail-position exceeds the string length in InterpretDollar. r=arai!
48 bytes, text/x-phabricator-request
Details | Review

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36

Steps to reproduce:

let evil = new RegExp;
evil.exec = () => ({ 0: '1234567', length: 1, index: 0 });
'abc'.replace(evil, `$'`);

or:

let evil = new RegExp;
evil.exec = () => ({ 0: 'x', length: 1, index: 3 });
'abc'.replace(evil, `$'`);

Actual results:

In both cases, this gives
Uncaught InternalError: allocation size overflow

Expected results:

In the first case, it should evaluate to the empty string. In the second, it should evaluate to the string "abc".

These exercise an extremely dumb case in the GetSubstitution abstract operation: in the $' case in that algorithm, there is a tailPos ≥ stringLength condition. The strict > case there is very strange: it means that you have a match M at position P in string S such that the length of M exceeds the number of code units subsequent to P in S. Obviously this does not make sense, and indeed built-in RegExps can't do this (I am reasonably sure).

But this can be achieved by overriding the exec method on a RegExp (something we have not yet gotten rid of; see proposal-rm-builtin-subclassing for an effort in that direction), either (in the first case) by producing a match string which is longer than the input or (in the second case) by producing a nonempty match string at position past where it could have fit in the input.

This check was added in ES6 (rev14) to handle user-defined RegExps.

Without this check, there's a size_t overflow, which resulted in creating an
invalid CheckedInt, which then ended up throwing an allocation error.

Assignee: nobody → andrebargull
Severity: -- → S4
Priority: -- → P1
Pushed by andre.bargull@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/24a4fd7f85ca
Handle case when the tail-position exceeds the string length in InterpretDollar. r=arai

https://hg.mozilla.org/mozilla-central/rev/24a4fd7f85ca

Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
status-firefox93: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 93 Branch
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: