[webkit-changes] [WebKit/WebKit] 561d0e: [JSC] UAF Yarr::YarrPatternConstructor::atomParent...

Michael Saboff noreply at github.com
Tue Jan 31 18:53:18 PST 2023


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 561d0e5534c8c0b0d99688e43a2b5eb7f225cd85
      https://github.com/WebKit/WebKit/commit/561d0e5534c8c0b0d99688e43a2b5eb7f225cd85
  Author: Michael Saboff <msaboff at apple.com>
  Date:   2023-01-31 (Tue, 31 Jan 2023)

  Changed paths:
    M JSTests/stress/regexp-lookbehind.js
    M Source/JavaScriptCore/yarr/YarrPattern.cpp
    M Source/JavaScriptCore/yarr/YarrPattern.h

  Log Message:
  -----------
  [JSC] UAF Yarr::YarrPatternConstructor::atomParenthesesEnd; Yarr::Parser::parseTokens; JSC::Yarr::parse
https://bugs.webkit.org/show_bug.cgi?id=251435
rdar://104652578

Reviewed by Mark Lam and Tadeu Zagallo.

When parsing a backreference for a lookbehind, it will likely appear lexically before the capture it references.
In that case, we create a forward reference term and see if we can convert it to a backreference at the end of the
lookbehind if a corresponding capture was found.  The prior code did this by saving a pointer to all such forward
references.  That pointer is a pointer into the storage for a Vector, which can be reallocated as it grows.
The fix here is to save a pointer to the alternative that contains the term and the index of the term in the alternative.
PatternAlternatives are kept alive during parsing, so it is safe to use them.

* JSTests/stress/regexp-lookbehind.js: Added new test cases.
* Source/JavaScriptCore/yarr/YarrPattern.cpp:
(JSC::Yarr::YarrPatternConstructor::UnresolvedForwardReference::UnresolvedForwardReference):
(JSC::Yarr::YarrPatternConstructor::UnresolvedForwardReference::term):
(JSC::Yarr::YarrPatternConstructor::atomParenthesesEnd):
(JSC::Yarr::YarrPatternConstructor::atomBackReference):
* Source/JavaScriptCore/yarr/YarrPattern.h:
(JSC::Yarr::PatternAlternative::lastTermIndex):
(JSC::Yarr::PatternAlternative::lastTerm):

Canonical link: https://commits.webkit.org/259657@main
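The dangling-pointer pattern the log message describes, as an added illustration that is not code from WebKit: `PatternTerm`, `PatternAlternative` and `UnresolvedForwardReference` below are constructed stand-ins for the Yarr types (with `std::vector` in place of `WTF::Vector`), showing why a raw pointer into the term storage goes stale when the alternative grows, while a container-plus-index handle still resolves the original term.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Constructed stand-in for Yarr's PatternTerm (not the real JSC type).
struct PatternTerm {
    enum class Type { ForwardReference, BackReference, Other } type;
    unsigned backReferenceSubpatternId = 0;
};

// Constructed stand-in for Yarr's PatternAlternative; std::vector stands in for
// WTF::Vector, and both move their elements to new storage when they grow.
struct PatternAlternative {
    std::vector<PatternTerm> terms;
    size_t lastTermIndex() const { return terms.size() - 1; }
    PatternTerm& lastTerm() { return terms.back(); }
};

// Handle in the style of the fix: the owning alternative plus the term's index.
// It stays valid across reallocation for as long as the alternative is alive.
struct UnresolvedForwardReference {
    PatternAlternative* alternative;
    size_t termIndex;
    PatternTerm& term() const { return alternative->terms[termIndex]; }
};

struct SimulationResult {
    bool storageMoved;       // did appending terms relocate the vector's buffer?
    bool resolvedCorrectly;  // did the index-based handle still reach the right term?
};

// Record a forward reference, append `growth` more terms to the same alternative,
// then convert the referenced term into a backreference to `captureId`.
SimulationResult simulate(size_t growth, unsigned captureId) {
    PatternAlternative alt;
    alt.terms.push_back({PatternTerm::Type::ForwardReference});
    UnresolvedForwardReference ref{&alt, alt.lastTermIndex()};
    // The pre-fix approach kept a raw pointer like this one; it is stored here only as an
    // integer address for comparison and is never dereferenced.
    auto originalAddress = reinterpret_cast<std::uintptr_t>(&alt.lastTerm());
    for (size_t i = 0; i < growth; ++i)
        alt.terms.push_back({PatternTerm::Type::Other});
    bool moved = reinterpret_cast<std::uintptr_t>(alt.terms.data()) != originalAddress;
    PatternTerm& t = ref.term();  // resolves through the live alternative, not stale storage
    bool found = t.type == PatternTerm::Type::ForwardReference;
    t.type = PatternTerm::Type::BackReference;
    t.backReferenceSubpatternId = captureId;
    bool ok = found && alt.terms[0].type == PatternTerm::Type::BackReference
              && alt.terms[0].backReferenceSubpatternId == captureId;
    return {moved, ok};
}
```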
