Changeset 31388 in webkit
- Timestamp: Mar 27, 2008, 11:41:17 PM (17 years ago)
- Location: trunk
- Files: 5 edited
trunk/JavaScriptCore/ChangeLog
r31353 r31388 1 2008-03-27 Darin Adler <darin@apple.com> 2 3 Reviewed by Mark Rowe. 4 5 <rdar://problem/5826236> Regular expressions with large nested repetition counts can have their 6 compiled length calculated incorrectly. 7 8 * pcre/pcre_compile.cpp: 9 (multiplyWithOverflowCheck): 10 (calculateCompiledPatternLength): Check for overflow when dealing with nested repetition counts 11 and bail with an error rather than returning incorrect results. 12 1 13 2008-03-26 Mark Rowe <mrowe@apple.com> 2 14 -
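Review bot: The `(multiplyWithOverflowCheck):` entry in this ChangeLog hunk has no description, while the `(calculateCompiledPatternLength):` entry right below it does. A one-line note such as "Added. Multiplies two non-negative ints and returns -1 if the product would exceed MAX_PATTERN_SIZE." would tell a reader what the helper's sentinel and bound are without opening pcre_compile.cpp.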
trunk/JavaScriptCore/pcre/pcre_compile.cpp
r29110 r31388 1986 1986 } 1987 1987 1988 static inline int multiplyWithOverflowCheck(int a, int b) 1989 { 1990 if (!a || !b) 1991 return 0; 1992 if (a > MAX_PATTERN_SIZE / b) 1993 return -1; 1994 return a * b; 1995 } 1996 1988 1997 static int calculateCompiledPatternLength(const UChar* pattern, int patternLength, JSRegExpIgnoreCaseOption ignoreCase, 1989 1998 CompileData& cd, ErrorCode& errorcode) … … 1992 2001 amount of store required to hold the compiled code. This does not have to be 1993 2002 perfect as long as errors are overestimates. */ 1994 2003 2004 if (patternLength > MAX_PATTERN_SIZE) { 2005 errorcode = ERR16; 2006 return -1; 2007 } 2008 1995 2009 int length = 1 + LINK_SIZE; /* For initial BRA plus length */ 1996 2010 int branch_extra = 0; … … 2414 2428 bracket set. */ 2415 2429 2430 int repeatsLength; 2416 2431 if (minRepeats == 0) { 2417 2432 length++; 2418 if (maxRepeats > 0) length += (maxRepeats - 1) * (duplength + 3 + 2 * LINK_SIZE); 2433 if (maxRepeats > 0) { 2434 repeatsLength = multiplyWithOverflowCheck(maxRepeats - 1, duplength + 3 + 2 * LINK_SIZE); 2435 if (repeatsLength < 0) { 2436 errorcode = ERR16; 2437 return -1; 2438 } 2439 length += repeatsLength; 2440 if (length > MAX_PATTERN_SIZE) { 2441 errorcode = ERR16; 2442 return -1; 2443 } 2444 } 2419 2445 } 2420 2446 … … 2426 2452 2427 2453 else { 2428 length += (minRepeats - 1) * duplength; 2429 if (maxRepeats > minRepeats) /* Need this test as maxRepeats=-1 means no limit */ 2430 length += (maxRepeats - minRepeats) * (duplength + 3 + 2 * LINK_SIZE) 2431 - (2 + 2 * LINK_SIZE); 2454 repeatsLength = multiplyWithOverflowCheck(minRepeats - 1, duplength); 2455 if (repeatsLength < 0) { 2456 errorcode = ERR16; 2457 return -1; 2458 } 2459 length += repeatsLength; 2460 if (maxRepeats > minRepeats) { /* Need this test as maxRepeats=-1 means no limit */ 2461 repeatsLength = multiplyWithOverflowCheck(maxRepeats - minRepeats, duplength + 3 + 2 * LINK_SIZE); 2462 if (repeatsLength < 0) { 2463 errorcode = 
ERR16; 2464 return -1; 2465 } 2466 length += repeatsLength - (2 + 2 * LINK_SIZE); 2467 } 2468 if (length > MAX_PATTERN_SIZE) { 2469 errorcode = ERR16; 2470 return -1; 2471 } 2432 2472 } 2433 2473 -
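Review bot: `multiplyWithOverflowCheck` has an undocumented contract: it relies on both operands being non-negative (a negative `b` would make `MAX_PATTERN_SIZE / b` negative and the comparison meaningless), it uses -1 as a sentinel that the callers must test with `repeatsLength < 0`, and despite its name it bounds the product by `MAX_PATTERN_SIZE` rather than by `INT_MAX`, which is the right bound here but deserves a comment. Adding an `ASSERT(a >= 0 && b >= 0)` and a comment stating "returns -1 if the product would exceed MAX_PATTERN_SIZE" would make the precondition explicit; all four call sites do satisfy it today (`maxRepeats > 0`, `maxRepeats > minRepeats`, and `minRepeats` at least 2 in the `else` branch). The four identical `if (repeatsLength < 0) { errorcode = ERR16; return -1; }` blocks could be folded by having the helper take `ErrorCode&` and set `ERR16` itself. The `length > MAX_PATTERN_SIZE` check after each addition keeps `length` bounded before the next multiplication, and in the `else` branch the subtraction of `(2 + 2 * LINK_SIZE)` happens only after the product has been validated, so the estimate stays an overestimate as the comment above the function requires.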
trunk/LayoutTests/ChangeLog
r31384 r31388 1 2008-03-27 Mark Rowe <mrowe@apple.com> 2 3 Reviewed by Adam Roben. 4 5 Tests for <rdar://problem/5826236> Regular expressions with large nested repetition counts can have their 6 compiled length calculated incorrectly. 7 8 * fast/js/regexp-overflow-expected.txt: 9 * fast/js/resources/regexp-overflow.js: 10 1 11 2008-03-27 Brady Eidson <beidson@apple.com> 2 12 -
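Review bot: The two file entries in this hunk list the changed test files but say nothing about what the new cases cover; a short note that they exercise both the raw pattern-length cap and nested counted repeats whose product overflows the compiled-length estimate would help anyone reading the log later.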
trunk/LayoutTests/fast/js/regexp-overflow-expected.txt
r28787 r31388 13 13 PASS /{([\D-\ca]]„£µ+?)}|[[\B-\u00d4]√π- ]]]{0,3}/i.exec("B√π- ]]").toString() is "B√π- ]]," 14 14 PASS /|[x\B-\u00b5]/i.exec("").toString() is "" 15 PASS new RegExp(s); threw exception SyntaxError: Invalid regular expression: regular expression too large. 16 PASS /(([ab]){30}){3360}/ threw exception SyntaxError: Invalid regular expression: regular expression too large. 17 PASS /(([ab]){30}){0,3360}/ threw exception SyntaxError: Invalid regular expression: regular expression too large. 18 PASS /(([ab]){30}){10,3360}/ threw exception SyntaxError: Invalid regular expression: regular expression too large. 19 PASS /(([ab]){0,30}){3360}/ threw exception SyntaxError: Invalid regular expression: regular expression too large. 20 PASS /(([ab]){0,30}){0,3360}/ threw exception SyntaxError: Invalid regular expression: regular expression too large. 21 PASS /(([ab]){0,30}){10,3360}/ threw exception SyntaxError: Invalid regular expression: regular expression too large. 22 PASS /(([ab]){10,30}){3360}/ threw exception SyntaxError: Invalid regular expression: regular expression too large. 23 PASS /(([ab]){10,30}){0,3360}/ threw exception SyntaxError: Invalid regular expression: regular expression too large. 24 PASS /(([ab]){10,30}){10,3360}/ threw exception SyntaxError: Invalid regular expression: regular expression too large. 25 PASS /(([ab]){12})(([ab]){65535}){1680}(([ab]){38}){722}([ab]){27}/ threw exception SyntaxError: Invalid regular expression: regular expression too large. 15 26 16 27 PASS successfullyParsed is true -
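Review bot: Every new expectation in this hunk is a `threw exception ... regular expression too large` line, so the test would not catch a regression where the new bound rejects patterns that should still compile. A companion positive case (a nested counted repeat whose estimated length stays under the cap, checked with `shouldBe`) would pin the threshold from both sides. The `PASS new RegExp(s); threw exception` line also does not reveal the size of `s`; since expected output is what people read when a test fails, naming the length in the test's `debug()` output would make that line self-describing.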
trunk/LayoutTests/fast/js/resources/regexp-overflow.js
r28785 r31388 21 21 shouldBe('/|[x\\B-\\u00b5]/i.exec("").toString()', '""'); 22 22 23 var s = "a"; 24 for (var i = 0; i < 17; i++) 25 s += s; 26 27 shouldThrow('new RegExp(s);'); 28 29 shouldThrow('/(([ab]){30}){3360}/'); 30 shouldThrow('/(([ab]){30}){0,3360}/'); 31 shouldThrow('/(([ab]){30}){10,3360}/'); 32 shouldThrow('/(([ab]){0,30}){3360}/'); 33 shouldThrow('/(([ab]){0,30}){0,3360}/'); 34 shouldThrow('/(([ab]){0,30}){10,3360}/'); 35 shouldThrow('/(([ab]){10,30}){3360}/'); 36 shouldThrow('/(([ab]){10,30}){0,3360}/'); 37 shouldThrow('/(([ab]){10,30}){10,3360}/'); 38 shouldThrow('/(([ab]){12})(([ab]){65535}){1680}(([ab]){38}){722}([ab]){27}/'); 39 23 40 debug(''); 24 41
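Review bot: The doubling loop (`s += s` run 17 times starting from `"a"`) builds a 131072-character pattern but carries no comment, so its intent of hitting the `patternLength > MAX_PATTERN_SIZE` check, as opposed to the nested-repeat arithmetic exercised by the literals below it, is not visible; a one-line comment stating the resulting length and the code path it targets would help. The `shouldThrow` arguments are strings evaluated by the harness, which is what keeps the invalid literals from being a SyntaxError at load time, and is worth a comment for the same reason.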