Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: b2d8670b72c1e13f59548d808923f709291eb509
https://github.com/WebKit/WebKit/commit/b2d8670b72c1e13f59548d808923f709291eb509
Author: Sosuke Suzuki <[email protected]>
Date: 2026-02-18 (Wed, 18 Feb 2026)
Changed paths:
A JSTests/stress/regexp-backreference-ignorecase-non-ascii-folding.js
M Source/JavaScriptCore/yarr/YarrJIT.cpp
Log Message:
-----------
[YARR] Fix out-of-bounds table access in JIT case-insensitive backreference matching
https://bugs.webkit.org/show_bug.cgi?id=307961

Reviewed by Yusuke Suzuki.

In 16-bit case-insensitive backreference matching, the JIT ASCII fast path
only checked whether the input character was <= 127 before indexing into
latin1CanonicalizationTable (256 entries). It did not check the pattern
character (the character read from the captured group). When the captured
character is non-ASCII (e.g., U+212A KELVIN SIGN) but the input character
is ASCII (e.g., 'K'), this results in an out-of-bounds read from the table
and a false negative match.

Fix by checking that both the input character and the pattern character are
ASCII before taking the table lookup fast path. If either is non-ASCII,
fall through to the areCanonicallyEquivalent slow path which correctly
handles the full Unicode case folding.

Test: JSTests/stress/regexp-backreference-ignorecase-non-ascii-folding.js

* JSTests/stress/regexp-backreference-ignorecase-non-ascii-folding.js: Added.
(shouldBe):
* Source/JavaScriptCore/yarr/YarrJIT.cpp:

Canonical link: https://commits.webkit.org/307793@main
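
The guard described in the log message, modelled in plain C++ as an added example (this is not code from the WebKit commit or from YarrJIT.cpp). The names kTable, foldSlow, compareInputOnlyGuard and compareBothGuard are hypothetical, the table contents and the slow path are constructed stand-ins, and the model reports an out-of-range index instead of performing the read.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Constructed 256-entry table (assumption): folds A-Z to a-z, identity elsewhere.
static std::array<uint8_t, 256> makeTable() {
    std::array<uint8_t, 256> t{};
    for (size_t i = 0; i < t.size(); ++i)
        t[i] = (i >= 'A' && i <= 'Z') ? uint8_t(i + 32) : uint8_t(i);
    return t;
}
static const std::array<uint8_t, 256> kTable = makeTable();

// Stand-in for the slow path: ASCII folding plus two code points that fold to ASCII.
static char16_t foldSlow(char16_t c) {
    if (c == 0x212A) return u'k'; // KELVIN SIGN
    if (c == 0x017F) return u's'; // LATIN SMALL LETTER LONG S
    return (c >= u'A' && c <= u'Z') ? char16_t(c + 32) : c;
}

struct Result { bool match; bool fastPath; bool outOfBounds; };

// Guard as the log describes the old code: only the input character is checked.
Result compareInputOnlyGuard(char16_t pattern, char16_t input) {
    if (input <= 127) {
        // Model only: flag the index that would fall outside the table.
        if (pattern >= kTable.size()) return {false, true, true};
        return {kTable[pattern] == kTable[input], true, false};
    }
    return {foldSlow(pattern) == foldSlow(input), false, false};
}

// Guard as the log describes the fix: both characters must be ASCII.
Result compareBothGuard(char16_t pattern, char16_t input) {
    if (input <= 127 && pattern <= 127)
        return {kTable[pattern] == kTable[input], true, false};
    return {foldSlow(pattern) == foldSlow(input), false, false};
}

int main() {
    Result before = compareInputOnlyGuard(0x212A, u'K');
    Result after = compareBothGuard(0x212A, u'K');
    std::printf("input-only guard: match=%d oob=%d\n", before.match, before.outOfBounds);
    std::printf("both-char guard:  match=%d oob=%d\n", after.match, after.outOfBounds);
    return 0;
}
```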