From 645d786c5bcdd0378a8bc2db7d0e8c7b909f8e17 Mon Sep 17 00:00:00 2001
From: "crowder@fiverocks.com"
Date: Fri, 13 Apr 2007 17:27:12 -0700
Subject: [PATCH] Bug 375642: another regexp that makes JS allocate > 1GB and hand, r=mrbkap
---
 js/src/jsregexp.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/js/src/jsregexp.c b/js/src/jsregexp.c
index da87c8b3ae51..ae27be3537ae 100644
--- a/js/src/jsregexp.c
+++ b/js/src/jsregexp.c
@@ -2869,6 +2869,8 @@ ExecuteREBytecode(REGlobalData *gData, REMatchState *x)
 JS_ASSERT(parenIndex < gData->regexp->parenCount);
 cap = &x->parens[parenIndex];
 cap->length = x->cp - (gData->cpbegin + cap->index);
+ JS_ASSERT(x->cp >= (gData->cpbegin + cap->index));
+ JS_ASSERT(cap->length <= (gData->cpend - gData->cpbegin));
 op = (REOp) *pc++;
 if (!result)
@@ -3002,6 +3004,9 @@ ExecuteREBytecode(REGlobalData *gData, REMatchState *x)
 case REOP_ENDCHILD: /* marks the end of a quantifier child */
 pc = curState[-1].continue_pc;
 op = curState[-1].continue_op;
+
+ if (!result)
+ result = x;
 continue;
 case REOP_REPEAT:
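Review bot: The two added JS_ASSERT lines in the first hunk check the capture bounds only after `cap->length = x->cp - (gData->cpbegin + cap->index);` has already stored the difference, and JS_ASSERT is compiled out of non-debug builds, so they document the invariant without enforcing it in a release build. I would move `JS_ASSERT(x->cp >= (gData->cpbegin + cap->index));` above the assignment so the precondition is read before the subtraction it protects. If a script-supplied pattern can still reach this point with x->cp before the capture start, a runtime check that fails the match would be the safer guard; the type of cap->length is not visible here, so whether the stored value wraps is an inference. The enclosing case starts and ends outside the hunk.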
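Review bot: The added `if (!result) result = x;` in the REOP_ENDCHILD case carries no comment saying why a null result is replaced by x before `continue`, and the three context lines do not make the reason evident. A one-line comment above it would help the next reader, for example `/* No pending result after the child: resume from the current state x. */`, with the wording confirmed against the intended semantics, since the code that clears result is outside the hunk. The diffstat lists only js/src/jsregexp.c, so a regression test for the pattern from bug 375642 would be worth adding alongside this change.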