Magic-Mirror/gecko-dev
1
0
Fork 0
mirror of https://github.com/mozilla/gecko-dev.git synced 2024-10-16 23:05:42 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Bug 1724618: Handle case when the tail-position exceeds the string length in InterpretDollar. r=arai

Browse Source 
This check was added in ES6 (rev14) to handle user-defined RegExps.

Without this check, there's a `size_t` overflow, which resulted in creating an
invalid `CheckedInt`, which then ended up throwing an allocation error.

Differential Revision: https://phabricator.services.mozilla.com/D122075
This commit is contained in:
André Bargull 2021-08-09 12:05:19 +00:00
parent 7480ba8cb5
commit 9486d5b96f
2 changed files with 68 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
js/src/builtin/RegExp.cpp
View File

@ -1377,8 +1377,8 @@ static bool InterpretDollar(JSLinearString* matched, JSLinearString* string,
return false;
}
// ES 2021 Table 52
// https://tc39.es/ecma262/#table-45 (sic)
// ES 2021 Table 57: Replacement Text Symbol Substitutions
// https://tc39.es/ecma262/#table-replacement-text-symbol-substitutions
char16_t c = currentDollar[1];
if (IsAsciiDigit(c)) {
/* $n, $nn */
@ -1465,7 +1465,11 @@ static bool InterpretDollar(JSLinearString* matched, JSLinearString* string,
out->init(string, 0, position);
break;
case '\'':
out->init(string, tailPos, string->length() - tailPos);
if (tailPos >= string->length()) {
out->initEmpty(matched);
} else {
out->init(string, tailPos, string->length() - tailPos);
}
break;
}

61
js/src/tests/non262/String/replace-bad-dollar-single-quote.js Normal file
View File

@ -0,0 +1,61 @@
let evil = new RegExp();
// https://tc39.es/ecma262/#sec-getsubstitution
// Input: position = 0
// Step 2: matchLength = 7
// Step 4: stringLength = 3
// Step 8: tailPos = position + matchLength = 7
//
// tailPos ≥ stringLength, so $' is replaced with the empty string.
evil.exec = () => ({ 0: "1234567", length: 1, index: 0 });
assertEq("abc".replace(evil, "$'"), "");
// Input: position = 3
// Step 2: matchLength = 1
// Step 4: stringLength = 3
// Step 8: tailPos = position + matchLength = 4
//
// tailPos ≥ stringLength, so $' is replaced with the empty string.
evil.exec = () => ({ 0: "x", length: 1, index: 3 });
assertEq("abc".replace(evil, "$'"), "abc");
// Input: position = 2
// Step 2: matchLength = 1
// Step 4: stringLength = 3
// Step 8: tailPos = position + matchLength = 3
//
// tailPos ≥ stringLength, so $' is replaced with the empty string.
evil.exec = () => ({ 0: "x", length: 1, index: 2 });
assertEq("abc".replace(evil, "$'"), "ab");
// Input: position = 2
// Step 2: matchLength = 1
// Step 4: stringLength = 4
// Step 8: tailPos = position + matchLength = 3
//
// tailPos < stringLength, so $' is replaced with |"abcd".sustring(tailPos)| = "d".
evil.exec = () => ({ 0: "x", length: 1, index: 2 });
assertEq("abcd".replace(evil, "$'"), "abdd");
// Input: position = 2
// Step 2: matchLength = 1
// Step 4: stringLength = 5
// Step 8: tailPos = position + matchLength = 3
//
// tailPos < stringLength, so $' is replaced with |"abcd".sustring(tailPos)| = "de".
evil.exec = () => ({ 0: "x", length: 1, index: 2 });
assertEq("abcde".replace(evil, "$'"), "abdede");
if (typeof reportCompare === "function")
reportCompare(0, 0);