Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 9257a50c70baaa8dee34f5934b4f105017bf92ab
https://github.com/WebKit/WebKit/commit/9257a50c70baaa8dee34f5934b4f105017bf92ab
Author: Michael Saboff <[email protected]>
Date: 2023-07-12 (Wed, 12 Jul 2023)
Changed paths:
M JSTests/stress/regexp-duplicate-named-captures.js
M Source/JavaScriptCore/yarr/YarrInterpreter.cpp
Log Message:
-----------
heap-use-after-free | JSC::RegExpObject::execInline; JSC::regExpProtoFuncExec
https://bugs.webkit.org/show_bug.cgi?id=259143
rdar://111502448
Reviewed by Yusuke Suzuki.
Fixed the saving and restoring of duplicate group IDs for nested / counted parens in the YARR interpreter. We only save the number of duplicate groups needed for the current parenthesis. We were using the duplicate group's ID, which may exceed the number of duplicate IDs we need to save. Changed the code to save these IDs using a counted index instead of their actual value.

Added an ASSERT in backupOffsetForDuplicateNamedGroup() where we calculate the offset in the saved context buffer.

Added a new regression test case.
* JSTests/stress/regexp-duplicate-named-captures.js:
* Source/JavaScriptCore/yarr/YarrInterpreter.cpp:
(JSC::Yarr::Interpreter::ParenthesesDisjunctionContext::ParenthesesDisjunctionContext):
(JSC::Yarr::Interpreter::ParenthesesDisjunctionContext::restoreOutput):
(JSC::Yarr::Interpreter::ParenthesesDisjunctionContext::backupOffsetForDuplicateNamedGroup):
Canonical link: https://commits.webkit.org/266009@main
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes