[webkit-changes] [WebKit/WebKit] 9257a5: heap-use-after-free | JSC::RegExpObject::execInlin...
Michael Saboff
noreply at github.com
Wed Jul 12 14:51:30 PDT 2023
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 9257a50c70baaa8dee34f5934b4f105017bf92ab
https://github.com/WebKit/WebKit/commit/9257a50c70baaa8dee34f5934b4f105017bf92ab
Author: Michael Saboff <msaboff at apple.com>
Date: 2023-07-12 (Wed, 12 Jul 2023)
Changed paths:
M JSTests/stress/regexp-duplicate-named-captures.js
M Source/JavaScriptCore/yarr/YarrInterpreter.cpp
Log Message:
-----------
heap-use-after-free | JSC::RegExpObject::execInline; JSC::regExpProtoFuncExec
https://bugs.webkit.org/show_bug.cgi?id=259143
rdar://111502448
Reviewed by Yusuke Suzuki.
Fixed the saving and restoring of duplicate group IDs for nested / counted Parens in the YARR
interpreter. We only save the number of duplicate groups needed for the current parenthesis.
We were using the duplicate group ID, which may exceed the number of duplicate IDs we need to
save. Changed the code to save these IDs using a counted index instead of their actual value.
Added an ASSERT in backupOffsetForDuplicateNamedGroup() where we calculate the offset in the
saved context buffer.
Added a new regression test case.
* JSTests/stress/regexp-duplicate-named-captures.js:
* Source/JavaScriptCore/yarr/YarrInterpreter.cpp:
(JSC::Yarr::Interpreter::ParenthesesDisjunctionContext::ParenthesesDisjunctionContext):
(JSC::Yarr::Interpreter::ParenthesesDisjunctionContext::restoreOutput):
(JSC::Yarr::Interpreter::ParenthesesDisjunctionContext::backupOffsetForDuplicateNamedGroup):
Canonical link: https://commits.webkit.org/266009@main