Changeset 28260 in webkit
- Timestamp:
- Nov 30, 2007 3:43:45 PM (16 years ago)
- Location:
- trunk
- Files:
-
- 3 added
- 4 edited
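--- a/trunk/JavaScriptCore/ChangeLog
+++ b/trunk/JavaScriptCore/ChangeLog
@@ -27,4 +27,16 @@
 
 * pcre/pcre_internal.h: Removed all the UTF-16 helper functions.
+
+2007-11-30 Eric Seidel <eric@webkit.org>
+
+Reviewed by darin.
+
+PCRE crashes under GuardMalloc
+http://bugs.webkit.org/show_bug.cgi?id=16127
+check against patternEnd to make sure we don't walk off the end of the string
+
+* pcre/pcre_compile.cpp:
+(compile_branch):
+(calculateCompiledPatternLengthAndFlags):
 
 2007-11-30 Eric Seidel <eric@webkit.org>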
trunk/JavaScriptCore/pcre/pcre_compile.cpp
r28243 r28260 198 198 const UChar* oldptr = ptr; 199 199 c -= '0'; 200 while ( ptr + 1 < patternEnd&& isASCIIDigit(ptr[1]) && c <= bracount)200 while ((ptr + 1 < patternEnd) && isASCIIDigit(ptr[1]) && c <= bracount) 201 201 c = c * 10 + *(++ptr) - '0'; 202 202 if (c <= bracount) { … … 727 727 */ 728 728 729 static inline bool safelyCheckNextChar(const UChar* ptr, const UChar* patternEnd, UChar expected) 730 { 731 return ((ptr + 1 < patternEnd) && ptr[1] == expected); 732 } 733 729 734 static bool 730 735 compile_branch(int options, int* brackets, uschar** codeptr, … … 775 780 /* Switch on next character until the end of the branch */ 776 781 777 for (;; ptr++) 778 { 782 for (;; ptr++) { 779 783 bool negate_class; 780 784 bool should_flip_negation; /* If a negative special such as \S is used, we should negate the whole class to properly support Unicode. */ … … 865 869 866 870 /* If the first character is '^', set the negation flag and skip it. */ 867 871 872 if (ptr + 1 >= patternEnd) 873 return -1; 874 868 875 if (ptr[1] == '^') { 869 876 negate_class = true; … … 893 900 strict here. At the start of the loop, c contains the first byte of the 894 901 character. */ 895 while ((c = *(++ptr)) != ']') { 902 903 while ((++ptr < patternEnd) && (c = *ptr) != ']') { 896 904 /* Backslash may introduce a single character, or it may introduce one 897 905 of the specials, which just set a flag. Escaped items are checked for … … 963 971 here is treated as a literal. */ 964 972 965 if ( ptr[1] == '-' && ptr[2] != ']') {973 if ((ptr + 2 < patternEnd) && ptr[1] == '-' && ptr[2] != ']') { 966 974 ptr += 2; 967 975 … … 1087 1095 } 1088 1096 } 1089 } 1090 else 1091 1092 /* Handle a single-byte character */ 1093 { 1097 } else { 1098 /* Handle a single-byte character */ 1094 1099 classbits[c/8] |= (1 << (c&7)); 1095 1100 if (options & IgnoreCaseOption) { … … 1247 1252 repeat type to the non-default. 
*/ 1248 1253 1249 if ( ptr + 1 < patternEnd && ptr[1] == '?') {1254 if (safelyCheckNextChar(ptr, patternEnd, '?')) { 1250 1255 repeat_type = 1; 1251 1256 ptr++; … … 2237 2242 int minRepeats = 0, maxRepeats = 0; 2238 2243 int c = *ptr; 2239 2244 2240 2245 item_count++; /* Is zero for the first non-comment item */ 2241 2246 2242 2247 switch (c) { 2243 2248 /* A backslashed item may be an escaped data character or it may be a 2244 2249 character type. */ 2245 2250 2246 2251 case '\\': 2247 2252 c = check_escape(&ptr, patternEnd, &errorcode, bracount, false); … … 2279 2284 compile_block.top_backref = refnum; 2280 2285 length += 2; /* For single back reference */ 2281 if ( ptr[1] == '{' && is_counted_repeat(ptr+2, patternEnd)) {2282 ptr = read_repeat_counts(ptr +2, &minRepeats, &maxRepeats, &errorcode);2286 if (safelyCheckNextChar(ptr, patternEnd, '{') && is_counted_repeat(ptr + 2, patternEnd)) { 2287 ptr = read_repeat_counts(ptr + 2, &minRepeats, &maxRepeats, &errorcode); 2283 2288 if (errorcode) 2284 2289 return -1; … … 2288 2293 else 2289 2294 length += 5; 2290 if ( ptr[1] == '?')2295 if (safelyCheckNextChar(ptr, patternEnd, '?')) 2291 2296 ptr++; 2292 2297 } … … 2309 2314 /* This covers the cases of braced repeats after a single char, metachar, 2310 2315 class, or back reference. 
*/ 2311 2316 2312 2317 case '{': 2313 2318 if (!is_counted_repeat(ptr+1, patternEnd)) … … 2334 2339 } 2335 2340 2336 if ( ptr[1] == '?')2341 if (safelyCheckNextChar(ptr, patternEnd, '?')) 2337 2342 ptr++; /* Needs no extra length */ 2338 2343 2339 2344 POSSESSIVE: /* Test for possessive quantifier */ 2340 if ( ptr[1] == '+') {2345 if (safelyCheckNextChar(ptr, patternEnd, '+')) { 2341 2346 ptr++; 2342 2347 length += 2 + 2 * LINK_SIZE; /* Allow for atomic brackets */ … … 2412 2417 2413 2418 int d = -1; 2414 if ( ptr + 1 < patternEnd && ptr[1] == '-') {2419 if (safelyCheckNextChar(ptr, patternEnd, '-')) { 2415 2420 UChar const *hyptr = ptr++; 2416 if ( ptr + 1 < patternEnd && ptr[1] == '\\') {2421 if (safelyCheckNextChar(ptr, patternEnd, '\\')) { 2417 2422 ptr++; 2418 2423 d = check_escape(&ptr, patternEnd, &errorcode, bracount, true); … … 2422 2427 d = '\b'; /* backspace */ 2423 2428 } 2424 else if ( ptr + 1 < patternEnd&& ptr[1] != ']')2429 else if ((ptr + 1 < patternEnd) && ptr[1] != ']') 2425 2430 d = *++ptr; 2426 2431 if (d < 0) … … 2522 2527 we also need extra for wrapping the whole thing in a sub-pattern. */ 2523 2528 2524 if ( ptr + 1 < patternEnd && ptr[1] == '{'&& is_counted_repeat(ptr+2, patternEnd)) {2529 if (safelyCheckNextChar(ptr, patternEnd, '{') && is_counted_repeat(ptr+2, patternEnd)) { 2525 2530 ptr = read_repeat_counts(ptr+2, &minRepeats, &maxRepeats, &errorcode); 2526 2531 if (errorcode != 0) … … 2531 2536 else 2532 2537 length += 5; 2533 if ( ptr + 1 < patternEnd && ptr[1] == '+') {2538 if (safelyCheckNextChar(ptr, patternEnd, '+')) { 2534 2539 ptr++; 2535 2540 length += 2 + 2 * LINK_SIZE; 2536 } else if ( ptr + 1 < patternEnd && ptr[1] == '?')2541 } else if (safelyCheckNextChar(ptr, patternEnd, '?')) 2537 2542 ptr++; 2538 2543 } … … 2550 2555 /* Handle special forms of bracket, which all start (? 
*/ 2551 2556 2552 if ( ptr + 1 < patternEnd && ptr[1] == '?') {2557 if (safelyCheckNextChar(ptr, patternEnd, '?')) { 2553 2558 switch (c = (ptr + 2 < patternEnd ? ptr[2] : 0)) { 2554 2559 /* Non-referencing groups and lookaheads just move the pointer on, and … … 2622 2627 automatically; for the others we need an increment. */ 2623 2628 2624 if ( ptr + 1 < patternEnd&& (c = ptr[1]) == '{' && is_counted_repeat(ptr+2, patternEnd)) {2629 if ((ptr + 1 < patternEnd) && (c = ptr[1]) == '{' && is_counted_repeat(ptr+2, patternEnd)) { 2625 2630 ptr = read_repeat_counts(ptr+2, &minRepeats, &maxRepeats, &errorcode); 2626 2631 if (errorcode) … … 2668 2673 /* Allow space for once brackets for "possessive quantifier" */ 2669 2674 2670 if ( ptr + 1 < patternEnd && ptr[1] == '+') {2675 if (safelyCheckNextChar(ptr, patternEnd, '+')) { 2671 2676 ptr++; 2672 2677 length += 2 + 2 * LINK_SIZE; -
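Review bot: The added guard `if (ptr + 1 >= patternEnd) return -1;` (new lines 872–873) appears to sit inside `compile_branch`, which is declared `static bool`, so `-1` converts to `true` and a pattern that ends right after `[` would be reported as a successfully compiled branch. It should take the function's failure path instead: record the error code for an unterminated character class and `return false;`. A related gap is in the rewritten loop `while ((++ptr < patternEnd) && (c = *ptr) != ']')`: when it stops because `ptr` reached `patternEnd` rather than on `]`, the code after the loop (not visible here) presumably still treats the class as closed, so an explicit `ptr >= patternEnd` error check after the loop is worth adding. `compile_branch` begins and ends outside the visible hunks, so both points should be confirmed against the full function.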
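--- a/trunk/LayoutTests/ChangeLog
+++ b/trunk/LayoutTests/ChangeLog
@@ -1,2 +1,12 @@
+2007-11-30 Eric Seidel <eric@webkit.org>
+
+Reviewed by darin.
+
+Test case for:
+http://bugs.webkit.org/show_bug.cgi?id=16127
+
+* fast/js/regexp-compile-crash-expected.txt: Added.
+* fast/js/regexp-compile-crash.html: Added.
+
 2007-11-30 Adam Roben <aroben@apple.com>
 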
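--- a/trunk/WebCore/WebCore.xcodeproj/project.pbxproj
+++ b/trunk/WebCore/WebCore.xcodeproj/project.pbxproj
@@ -14108,4 +14108,5 @@
 isa = PBXProject;
 buildConfigurationList = 149C284308902B11008A9EFC /* Build configuration list for PBXProject "WebCore" */;
+compatibilityVersion = "Xcode 2.4";
 hasScannedForEncodings = 1;
 knownRegions = (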