Revision: 11720
Author: [email protected]
Date: Tue Jun 5 10:41:59 2012
Log: Correctly check length when allocating string.
[email protected]
BUG=
TEST=regress-regexp-overflow.js
Review URL: https://chromiumcodereview.appspot.com/10538012
http://code.google.com/p/v8/source/detail?r=11720
Modified:
/branches/bleeding_edge/src/runtime.cc
/branches/bleeding_edge/test/cctest/test-strings.cc
=======================================
--- /branches/bleeding_edge/src/runtime.cc Tue Jun 5 07:41:01 2012
+++ /branches/bleeding_edge/src/runtime.cc Tue Jun 5 10:41:59 2012
@@ -2985,7 +2985,15 @@
int matches = indices.length();
if (matches == 0) return *subject;
- int result_len = (replacement_len - pattern_len) * matches + subject_len;
+ // Detect integer overflow.
+ int64_t result_len_64 =
+ (static_cast<int64_t>(replacement_len) -
+ static_cast<int64_t>(pattern_len)) *
+ static_cast<int64_t>(matches) +
+ static_cast<int64_t>(subject_len);
+ if (result_len_64 > INT_MAX) return Failure::OutOfMemoryException();
+ int result_len = static_cast<int>(result_len_64);
+
int subject_pos = 0;
int result_pos = 0;
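Review bot: The guard on line 26 compares against INT_MAX, but a string of that length is still far beyond what the heap's string allocator accepts, so results between the real maximum string length and INT_MAX pass this check and are only rejected later by the allocation; comparing against the heap's maximum string length (String::kMaxLength, if that is the limit this allocator enforces) would report every oversize result through the same OutOfMemoryException path. The comment on line 20 could also say what is being protected: `// Compute the result length in 64 bits so that (replacement_len - pattern_len) * matches cannot overflow int; results that do not fit are rejected.` The enclosing function starts and ends outside the hunk, so the later allocation that consumes result_len is not visible here.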
=======================================
--- /branches/bleeding_edge/test/cctest/test-strings.cc Tue Apr 17 03:49:15
2012
+++ /branches/bleeding_edge/test/cctest/test-strings.cc Tue Jun 5 10:41:59
2012
@@ -672,3 +672,20 @@
CompileRun("var slice = long.slice(1, 15);");
CheckException("%_SubString(slice, 0, 17);");
}
+
+
+TEST(RegExpOverflow) {
+ // Result string has the length 2^32, causing a 32-bit integer overflow.
+ InitializeVM();
+ HandleScope scope;
+ LocalContext context;
+ v8::V8::IgnoreOutOfMemoryException();
+ v8::Local<v8::Value> result = CompileRun(
+ "var a = 'a'; "
+ "for (var i = 0; i < 16; i++) { "
+ " a += a; "
+ "} "
+ "a.replace(/a/g, a); ");
+ CHECK(result.IsEmpty());
+ CHECK(context->HasOutOfMemoryException());
+}
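Review bot: The call to v8::V8::IgnoreOutOfMemoryException() on line 47 appears to flip a process-wide setting that the test never restores, so later tests in the same cctest process presumably also run with out-of-memory exceptions ignored; if that is the case, a comment stating the side effect would help, e.g. `// Note: this setting is global and is not reset after the test.` The comment on line 43 could also show how 2^32 arises: 16 doublings give a 2^16-char subject, and replacing each of its 2^16 matches with the whole subject yields 2^16 * 2^16 characters.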