[webkit-changes] [WebKit/WebKit] 698c6e: [JSC] RegExpGlobalData::performMatch issue leading...
Michael Saboff
noreply at github.com
Mon May 22 13:41:37 PDT 2023
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 698c6e293734c3c46f223b77d5b4ee48b320e32c
https://github.com/WebKit/WebKit/commit/698c6e293734c3c46f223b77d5b4ee48b320e32c
Author: Michael Saboff <msaboff at apple.com>
Date: 2023-05-22 (Mon, 22 May 2023)
Changed paths:
A JSTests/stress/string-replace-regexp-matchBOL-correct-advancing.js
M Source/JavaScriptCore/runtime/StringPrototype.cpp
M Source/JavaScriptCore/yarr/YarrInterpreter.cpp
Log Message:
-----------
[JSC] RegExpGlobalData::performMatch issue leading to OOB read
https://bugs.webkit.org/show_bug.cgi?id=254930
rdar://107436732
Reviewed by Alexey Shvayka.
Fixed two issues:
1) In YarrInterpreter.cpp::matchAssertionBOL() we were advancing the string position for non-BMP
characters. Since it is an assertion, we shouldn't advance the character position.
Made the same fix to matchAssertionEOL().
2) In StringPrototype.cpp::replaceUsingRegExpSearch(), we need to advance past both elements of
a non-BMP character for the case where the RegExp match is empty.
* JSTests/stress/string-replace-regexp-matchBOL-correct-advancing.js: New test.
* Source/JavaScriptCore/runtime/StringPrototype.cpp:
(JSC::replaceUsingRegExpSearch):
* Source/JavaScriptCore/yarr/YarrInterpreter.cpp:
(JSC::Yarr::Interpreter::InputStream::readCheckedDontAdvance):
(JSC::Yarr::Interpreter::matchAssertionBOL):
(JSC::Yarr::Interpreter::matchAssertionEOL):
Originally-landed-as: 259548.551 at safari-7615-branch (e34edaa74575). rdar://107436732
Canonical link: https://commits.webkit.org/264365@main
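As an added illustration (not code from the commit or from WebKit), the following JavaScript reference implementation of ECMA-262's AdvanceStringIndex and of the global-replace loop it feeds shows the code-unit stepping that the second fix restores: after an empty match under the /u flag, the next search must skip both halves of a surrogate pair instead of landing between them. Function names are assumptions of this example, and the replacement string is inserted literally (no `$n` substitution).

```javascript
// Reference implementation of ECMA-262 AdvanceStringIndex(S, index, unicode).
// In unicode mode an index sitting on a lead surrogate that is followed by a
// trail surrogate advances by 2 code units; every other case advances by 1.
function advanceStringIndex(s, index, unicode) {
  if (!unicode || index + 1 >= s.length) return index + 1;
  const lead = s.charCodeAt(index);
  if (lead < 0xd800 || lead > 0xdbff) return index + 1;
  const trail = s.charCodeAt(index + 1);
  if (trail < 0xdc00 || trail > 0xdfff) return index + 1;
  return index + 2;
}

// Reference global-replace loop shaped like RegExp.prototype[@@replace]:
// run exec() repeatedly and, after an EMPTY match, step lastIndex forward
// with advanceStringIndex so the next search never starts inside a surrogate
// pair when the /u flag is set. `replacement` is inserted literally; the
// `$n` / `$&` substitution patterns of the real API are not expanded here.
function referenceGlobalReplace(s, re, replacement) {
  if (!re.global) throw new Error("expects a global RegExp");
  const unicode = Boolean(re.unicode || re.unicodeSets);
  re.lastIndex = 0;
  const matches = [];
  for (;;) {
    const m = re.exec(s);
    if (m === null) break;
    matches.push(m);
    if (m[0].length === 0) {
      re.lastIndex = advanceStringIndex(s, re.lastIndex, unicode);
    }
  }
  let out = "";
  let nextSourcePosition = 0;
  for (const m of matches) {
    if (m.index >= nextSourcePosition) {
      out += s.slice(nextSourcePosition, m.index) + replacement;
      nextSourcePosition = m.index + m[0].length;
    }
  }
  return out + s.slice(nextSourcePosition);
}

// Cross-check the reference loop against the engine's own String#replace.
function agreesWithEngine(s, re, replacement) {
  return referenceGlobalReplace(s, re, replacement) === s.replace(re, replacement);
}

// Constructed inputs: U+1F600 is stored as the surrogate pair D83D DE00.
console.log(referenceGlobalReplace("\u{1F600}", /(?:)/gu, "_"));        // "_\u{1F600}_" (2 empty matches)
console.log(referenceGlobalReplace("\u{1F600}", /(?:)/g, "_").length);  // 5: the pair is split without /u
console.log(referenceGlobalReplace("\u{1F600}\n\u{1F600}", /^/gmu, ">")); // ">\u{1F600}\n>\u{1F600}"
```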