mirror of
https://github.com/mozilla/gecko-dev.git
synced 2024-10-16 23:05:42 +00:00
Bug 1724618
: Handle case when the tail-position exceeds the string length in InterpretDollar. r=arai
This check was added in ES6 (rev14) to handle user-defined RegExps. Without this check, there's a `size_t` overflow, which resulted in creating an invalid `CheckedInt`, which then ended up throwing an allocation error. Differential Revision: https://phabricator.services.mozilla.com/D122075
This commit is contained in:
parent
7480ba8cb5
commit
9486d5b96f
@ -1377,8 +1377,8 @@ static bool InterpretDollar(JSLinearString* matched, JSLinearString* string,
|
||||
return false;
|
||||
}
|
||||
|
||||
// ES 2021 Table 52
|
||||
// https://tc39.es/ecma262/#table-45 (sic)
|
||||
// ES 2021 Table 57: Replacement Text Symbol Substitutions
|
||||
// https://tc39.es/ecma262/#table-replacement-text-symbol-substitutions
|
||||
char16_t c = currentDollar[1];
|
||||
if (IsAsciiDigit(c)) {
|
||||
/* $n, $nn */
|
||||
@ -1465,7 +1465,11 @@ static bool InterpretDollar(JSLinearString* matched, JSLinearString* string,
|
||||
out->init(string, 0, position);
|
||||
break;
|
||||
case '\'':
|
||||
out->init(string, tailPos, string->length() - tailPos);
|
||||
if (tailPos >= string->length()) {
|
||||
out->initEmpty(matched);
|
||||
} else {
|
||||
out->init(string, tailPos, string->length() - tailPos);
|
||||
}
|
||||
break;
|
||||
}
|
||||
|
||||
|
@ -0,0 +1,61 @@
|
||||
let evil = new RegExp();
|
||||
|
||||
// https://tc39.es/ecma262/#sec-getsubstitution
|
||||
|
||||
// Input: position = 0
|
||||
// Step 2: matchLength = 7
|
||||
// Step 4: stringLength = 3
|
||||
// Step 8: tailPos = position + matchLength = 7
|
||||
//
|
||||
// tailPos ≥ stringLength, so $' is replaced with the empty string.
|
||||
|
||||
evil.exec = () => ({ 0: "1234567", length: 1, index: 0 });
|
||||
assertEq("abc".replace(evil, "$'"), "");
|
||||
|
||||
|
||||
// Input: position = 3
|
||||
// Step 2: matchLength = 1
|
||||
// Step 4: stringLength = 3
|
||||
// Step 8: tailPos = position + matchLength = 4
|
||||
//
|
||||
// tailPos ≥ stringLength, so $' is replaced with the empty string.
|
||||
|
||||
evil.exec = () => ({ 0: "x", length: 1, index: 3 });
|
||||
assertEq("abc".replace(evil, "$'"), "abc");
|
||||
|
||||
|
||||
// Input: position = 2
|
||||
// Step 2: matchLength = 1
|
||||
// Step 4: stringLength = 3
|
||||
// Step 8: tailPos = position + matchLength = 3
|
||||
//
|
||||
// tailPos ≥ stringLength, so $' is replaced with the empty string.
|
||||
|
||||
evil.exec = () => ({ 0: "x", length: 1, index: 2 });
|
||||
assertEq("abc".replace(evil, "$'"), "ab");
|
||||
|
||||
|
||||
// Input: position = 2
|
||||
// Step 2: matchLength = 1
|
||||
// Step 4: stringLength = 4
|
||||
// Step 8: tailPos = position + matchLength = 3
|
||||
//
|
||||
// tailPos < stringLength, so $' is replaced with |"abcd".sustring(tailPos)| = "d".
|
||||
|
||||
evil.exec = () => ({ 0: "x", length: 1, index: 2 });
|
||||
assertEq("abcd".replace(evil, "$'"), "abdd");
|
||||
|
||||
|
||||
// Input: position = 2
|
||||
// Step 2: matchLength = 1
|
||||
// Step 4: stringLength = 5
|
||||
// Step 8: tailPos = position + matchLength = 3
|
||||
//
|
||||
// tailPos < stringLength, so $' is replaced with |"abcd".sustring(tailPos)| = "de".
|
||||
|
||||
evil.exec = () => ({ 0: "x", length: 1, index: 2 });
|
||||
assertEq("abcde".replace(evil, "$'"), "abdede");
|
||||
|
||||
|
||||
if (typeof reportCompare === "function")
|
||||
reportCompare(0, 0);
|
Loading…
Reference in New Issue
Block a user