Closed
Bug 375876
Opened 17 years ago
Closed 17 years ago
"Assertion failure: (c2 <= cs->length) && (c1 <= c2)" with /[\[-h]/i
Categories
(Core :: JavaScript Engine, defect, P1)
Tracking
()
VERIFIED
FIXED
mozilla1.9beta3
People
(Reporter: jruderman, Assigned: crowderbt)
Details
(Keywords: crash, testcase)
Attachments
(3 files, 2 obsolete files)
js> /[\[-h]/i.exec("") Assertion failure: (c2 <= cs->length) && (c1 <= c2), at jsregexp.c:2233 Security-sensitive for now because the code involved is playing with bit arrays.
Reporter | ||
Comment 1•17 years ago
|
||
WFM with this testcase. New testcase coming soon.
Reporter | ||
Comment 2•17 years ago
|
||
js> /[\d-z-x]/.exec("") Assertion failure: (c2 <= cs->length) && (c1 <= c2), at jsregexp.c:2242 I can make that a new bug and mark this one as WFM if desired.
Reporter | ||
Comment 3•17 years ago
|
||
I ran the regular expression fuzzer for over 10 hours and didn't hit anything other than this bug :)
Comment 4•17 years ago
|
||
Brian, the problem here is that CalculateBitmapSize and ProcessCharSet don't agree as to whether \d can start a character range (ain't code duplication fun?). I think the fix is to make CalculateBitmapSize follow suit, but I don't have time to try it out right now.
Reporter | ||
Updated•17 years ago
|
Flags: blocking1.9?
Assignee | ||
Comment 5•17 years ago
|
||
The equivalent for us, to what perl does, would be to accept the \d as 0-9, then read the - as a lone '-' character in the set, not the start of the range. Finally, we would throw an exception at the z-x (invalid range). crowdermac:src crowder$ perl -e 'use re 'debug'; s/[\d-z-c]/a/' Compiling REx `[\d-z-c]' Invalid [] range "z-c" in regex; marked by <-- HERE in m/[\d-z-c <-- HERE ]/ at -e line 1. crowdermac:src crowder$ perl -e 'use re 'debug'; "" =~ s/[\d-z]/a/' Compiling REx `[\d-z]' size 13 Got 108 bytes for offset annotations. first at 1 1: ANYOF[\-0-9z+utf8::IsDigit](13) 13: END(0) stclass "ANYOF[\-0-9z+utf8::IsDigit]" minlen 1 Offsets: [13] 1[6] 0[0] 0[0] 0[0] 0[0] 0[0] 0[0] 0[0] 0[0] 0[0] 0[0] 0[0] 7[0]
Comment 6•17 years ago
|
||
Marking blocking on the concern that this is a latent security issue. Please adjust if wrong...
Flags: blocking1.9? → blocking1.9+
Priority: -- → P1
Updated•17 years ago
|
Target Milestone: --- → mozilla1.9 M11
Assignee | ||
Comment 7•17 years ago
|
||
This gives us parity with what perl does.
Updated•17 years ago
|
Attachment #291941 -
Attachment is patch: true
Attachment #291941 -
Attachment mime type: application/octet-stream → text/plain
Comment 8•17 years ago
|
||
I forget, too busy to look (and my eyes would bleed anyway): what does ES3 spec say to do with such hyphens? /be
Assignee | ||
Comment 9•17 years ago
|
||
The spec seems to think [\d-z] should specify a range, and not the group \d, '-', 'z': ClassAtom:: - ClassAtomNoDash ClassAtomNoDash:: SourceCharacter (but not one of \ ] -) \ ClassEscape ClassEscape:: DecimalEscape b CharacterEscape CharacterClassEscape This, however, seems like a bug in the spec. We should not treat '\' CharacterClassEscape '-' ClassAtom as a range. I haven't worked out what the proper grammar should look like, though. This is definitely -not- what perl does. Also, our grammar seems to allow the nonsensical /[a-g-z]/ to become [/a-z/], while perl interprets it as /[-a-gz]/
Assignee | ||
Comment 10•17 years ago
|
||
Webkit seems to adhere more closely to the perl behavior here.
Comment 11•17 years ago
|
||
Comment on attachment 291941 [details] [diff] [review] Treat "-" after character-set (\w, \W, \d, \D) as '-', not part of a range >+ JSBool canStartRange = JS_TRUE; > uintN localMax = 0; ... > default: > localMax = *src++; >+ canStartRange = JS_TRUE; > break; > } To make sure I'm following correctly: this assignment isn't actually necessary, right?
Attachment #291941 -
Flags: review?(mrbkap) → review+
Assignee | ||
Comment 12•17 years ago
|
||
Yes, mrbkap, that assignment in the default: case is redundant given the assignment at the top of the loop. Thanks.
Attachment #291941 -
Attachment is obsolete: true
Attachment #292534 -
Flags: review+
Assignee | ||
Updated•17 years ago
|
Keywords: checkin-needed
Comment 13•17 years ago
|
||
Comment on attachment 292534 [details] [diff] [review] removing redundant assignment While I'm not sure I disagree with this patch entirely, I'm not sure it's the right one for this bug. ;-)
Assignee | ||
Comment 14•17 years ago
|
||
Comment on attachment 292534 [details] [diff] [review] removing redundant assignment Woops, here comes the real patch shortly.
Attachment #292534 -
Flags: review+
Assignee | ||
Comment 15•17 years ago
|
||
As much as attachment 292534 [details] [diff] [review] delights me (and Blake), -this- is the right patch. For now.
Assignee | ||
Updated•17 years ago
|
Attachment #292534 -
Attachment is obsolete: true
Assignee | ||
Updated•17 years ago
|
Attachment #292535 -
Flags: review+
Assignee | ||
Comment 16•17 years ago
|
||
jsregexp.c: 3.169
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Assignee | ||
Updated•17 years ago
|
Keywords: checkin-needed
Comment 17•17 years ago
|
||
Comment 18•17 years ago
|
||
Updated•17 years ago
|
Flags: in-testsuite+
Flags: in-litmus-
Comment 21•14 years ago
|
||
when this bug is opened, the test should be checked in.
Flags: in-testsuite+ → in-testsuite?
Reporter | ||
Updated•14 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•