Title: [222600] trunk
Revision: 222600
Author: msab...@apple.com
Date: 2017-09-27 21:48:51 -0700 (Wed, 27 Sep 2017)
Log Message
Heap out of bounds read in JSC::Yarr::Parser<JSC::Yarr::SyntaxChecker, unsigned char>::peek()
https://bugs.webkit.org/show_bug.cgi?id=177423
Reviewed by Mark Lam.
JSTests:
Updated regression test.
* stress/regress-177423.js:
(catch):
Source/JavaScriptCore:
Updated fix that restructures that changes the do ... while to a while and adds another
atEndOfPattern() check before looking for the first named group identifier character.
* yarr/YarrParser.h:
(JSC::Yarr::Parser::tryConsumeGroupName):
Diff
Modified: trunk/JSTests/ChangeLog (222599 => 222600)
--- trunk/JSTests/ChangeLog 2017-09-28 04:20:05 UTC (rev 222599)
+++ trunk/JSTests/ChangeLog 2017-09-28 04:48:51 UTC (rev 222600)
@@ -1,3 +1,15 @@
+2017-09-28 Michael Saboff <msab...@apple.com>
+
+ Heap out of bounds read in JSC::Yarr::Parser<JSC::Yarr::SyntaxChecker, unsigned char>::peek()
+ https://bugs.webkit.org/show_bug.cgi?id=177423
+
+ Reviewed by Mark Lam.
+
+ Updated regression test.
+
+ * stress/regress-177423.js:
+ (catch):
+
2017-09-27 Mark Lam <mark....@apple.com>
JSArray::canFastCopy() should fail if the source and destination arrays are the same.
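Review bot: The entry body "Updated regression test." does not say what the test now covers. regress-177423.js gains a second case in this revision (a `\k<1>` pattern built with the "u" flag that is expected to throw), so name that case here and the ChangeLog can be read without opening the test. The "(catch):" annotation under the file name does not name a function in the test and could be dropped.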
Modified: trunk/JSTests/stress/regress-177423.js (222599 => 222600)
--- trunk/JSTests/stress/regress-177423.js 2017-09-28 04:20:05 UTC (rev 222599)
+++ trunk/JSTests/stress/regress-177423.js 2017-09-28 04:48:51 UTC (rev 222600)
@@ -1 +1,14 @@
-/\k</
+// Regression test for bug 177423
+let r1 = /\k</;
+
+let didThrow = false;
+
+try {
+ let r2 = new RegExp("\\k<1>", "u");
+ didThrow = false;
+} catch(e) {
+ didThrow = true;
+}
+
+if (!didThrow)
+ throw("Trying to create a named capture reference that starts with a number should Throw");
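Review bot: The catch block sets `didThrow = true` for any exception, so the test passes even if `new RegExp("\\k<1>", "u")` fails for a reason other than a pattern syntax error. Check the exception type in the catch (for example `didThrow = e instanceof SyntaxError;`) so that only the expected rejection counts. The `didThrow = false;` inside the try is redundant with the initialisation above it, and the test would be stronger with an unterminated-name case such as `\k<a` alongside `\k<` and `\k<1>`, since the new parser code has a separate path for a name that starts validly but never reaches '>'.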
Modified: trunk/Source/_javascript_Core/ChangeLog (222599 => 222600)
--- trunk/Source/_javascript_Core/ChangeLog 2017-09-28 04:20:05 UTC (rev 222599)
+++ trunk/Source/_javascript_Core/ChangeLog 2017-09-28 04:48:51 UTC (rev 222600)
@@ -1,3 +1,16 @@
+2017-09-28 Michael Saboff <msab...@apple.com>
+
+ Heap out of bounds read in JSC::Yarr::Parser<JSC::Yarr::SyntaxChecker, unsigned char>::peek()
+ https://bugs.webkit.org/show_bug.cgi?id=177423
+
+ Reviewed by Mark Lam.
+
+ Updated fix that restructures that changes the do ... while to a while and adds another
+ atEndOfPattern() check before looking for the first named group identifier character.
+
+ * yarr/YarrParser.h:
+ (JSC::Yarr::Parser::tryConsumeGroupName):
+
2017-09-27 Mark Lam <mark....@apple.com>
JSArray::canFastCopy() should fail if the source and destination arrays are the same.
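Review bot: The description line "Updated fix that restructures that changes the do ... while to a while" is garbled, and it does not match the YarrParser.h hunk in this revision, where the removed loop is already `while (!atEndOfPattern())`. Reword it to state what this revision changes in tryConsumeGroupName(): the early return when atEndOfPattern() is true, the requirement that the first character pass isIdentifierStart(), and the loop that accepts the remaining characters with isIdentifierPart().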
Modified: trunk/Source/_javascript_Core/yarr/YarrParser.h (222599 => 222600)
--- trunk/Source/_javascript_Core/yarr/YarrParser.h 2017-09-28 04:20:05 UTC (rev 222599)
+++ trunk/Source/_javascript_Core/yarr/YarrParser.h 2017-09-28 04:48:51 UTC (rev 222600)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2009-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2009, 2014-2016 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
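Review bot: The copyright line goes from "2009-2017" to "2009, 2014-2016", which removes 2017 from a file that this very revision modifies in 2017. This looks like an accidental revert of the header picked up with the fix. Keep the "2009-2017" line unless the narrower range is intentional, in which case say so in the ChangeLog.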
@@ -998,20 +998,27 @@
std::optional<String> tryConsumeGroupName()
{
+ if (atEndOfPattern())
+ return std::nullopt;
+
ParseState state = saveState();
- StringBuilder identifierBuilder;
+
+ int ch = tryConsumeIdentifierCharacter();
- while (!atEndOfPattern()) {
- int ch = tryConsumeIdentifierCharacter();
- if (ch == '>') {
- if (identifierBuilder.length())
+ if (isIdentifierStart(ch)) {
+ StringBuilder identifierBuilder;
+ identifierBuilder.append(ch);
+
+ while (!atEndOfPattern()) {
+ ch = tryConsumeIdentifierCharacter();
+ if (ch == '>')
return std::optional<String>(identifierBuilder.toString());
- break;
+
+ if (!isIdentifierPart(ch))
+ break;
+
+ identifierBuilder.append(ch);
}
- if (!isIdentifierPart(ch))
- break;
-
- identifierBuilder.append(ch);
}
restoreState(state);
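Review bot: Nothing in tryConsumeGroupName() explains why the first character is now consumed outside the loop and tested with isIdentifierStart() while later characters use isIdentifierPart(), or that the leading `if (atEndOfPattern()) return std::nullopt;` is the guard against reading past the end of the pattern. Add a short comment on both, since the guard is the security-relevant line of this fix and is easy to remove in a later cleanup. Also note that when the inner `while (!atEndOfPattern())` runs out of input without seeing '>', control falls through to `restoreState(state)` just like the `break` path. That appears to be the intended handling of an unterminated name, but it is implicit and not exercised by the updated regression test, so a comment or a test case for it would help.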