[Webkit-unassigned] [Bug 187042] RegExp.exec returns wrong value with a long integer quantifier
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Sun Jul 1 07:57:24 PDT 2018
https://bugs.webkit.org/show_bug.cgi?id=187042
Mark Lam <mark.lam at apple.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #344045|review? |review-
Flags| |
--- Comment #3 from Mark Lam <mark.lam at apple.com> ---
Comment on attachment 344045
--> https://bugs.webkit.org/attachment.cgi?id=344045
Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=344045&action=review
r- because a JSC test is failing. Please investigate as to why it's failing.
> Source/JavaScriptCore/yarr/YarrParser.h:990
> - // check for overflow.
> - for (unsigned newValue; peekIsDigit() && ((newValue = n * 10 + peekDigit()) >= n); ) {
> - n = newValue;
> + while (peekIsDigit()) {
> + unsigned nextDigit = peekDigit();
> + if (n > (UINT_MAX - nextDigit) / 10) {
> + // Overflow. Skip past remaining decimal digits and return UINT_MAX.
> + do {
> + consume();
> + } while (peekIsDigit());
> + return UINT_MAX;
> + }
> + n = n * 10 + nextDigit;
> consume();
> }
> return n;
Please look into using Checked<unsigned, RecordOverflow> (grep for other places where this is used to see how it's used). You should use that here instead. It will simplify this code tremendously.
Also, to be consistent with the rest of Yarr code, you should return quantifyInfinite here instead of UINT_MAX directly.
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20180701/15b99936/attachment.html>
More information about the webkit-unassigned
mailing list