[Webkit-unassigned] [Bug 187042] RegExp.exec returns wrong value with a long integer quantifier

Sun Jul 1 07:57:24 PDT 2018

https://bugs.webkit.org/show_bug.cgi?id=187042

Mark Lam <mark.lam at apple.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
 Attachment #344045|review?                     |review-
              Flags|                            |

--- Comment #3 from Mark Lam <mark.lam at apple.com> ---
Comment on attachment 344045
  --> https://bugs.webkit.org/attachment.cgi?id=344045
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=344045&action=review

r- because a JSC test is failing.  Please investigate as to why it's failing.

> Source/JavaScriptCore/yarr/YarrParser.h:990
> -        // check for overflow.
> -        for (unsigned newValue; peekIsDigit() && ((newValue = n * 10 + peekDigit()) >= n); ) {
> -            n = newValue;
> +        while (peekIsDigit()) {
> +            unsigned nextDigit = peekDigit();
> +            if (n > (UINT_MAX - nextDigit) / 10) {
> +                // Overflow. Skip past remaining decimal digits and return UINT_MAX.
> +                do {
> +                    consume();
> +                } while (peekIsDigit());
> +                return UINT_MAX;
> +            }
> +            n = n * 10 + nextDigit;
>              consume();
>          }
>          return n;

Please look into using Checked<unsigned, RecordOverflow> (grep for other places where this is used to see how it's used).  You should use that here instead.  It will simplify this code tremendously.
Also, to be consistent with the rest of Yarr code, you should return quantifyInfinite here instead of UINT_MAX directly.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20180701/15b99936/attachment.html>