Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 561d0e5534c8c0b0d99688e43a2b5eb7f225cd85
https://github.com/WebKit/WebKit/commit/561d0e5534c8c0b0d99688e43a2b5eb7f225cd85
Author: Michael Saboff <msab...@apple.com>
Date: 2023-01-31 (Tue, 31 Jan 2023)

Changed paths:
M JSTests/stress/regexp-lookbehind.js
M Source/JavaScriptCore/yarr/YarrPattern.cpp
M Source/JavaScriptCore/yarr/YarrPattern.h

Log Message:
-----------
[JSC] UAF Yarr::YarrPatternConstructor::atomParenthesesEnd; Yarr::Parser::parseTokens; JSC::Yarr::parse
https://bugs.webkit.org/show_bug.cgi?id=251435
rdar://104652578

Reviewed by Mark Lam and Tadeu Zagallo.

When parsing a backreference for a lookbehind, it will likely appear lexically before the capture it references. In that case, we create a forward reference term and see if we can convert it to a backreference at the end of the lookbehind if a corresponding capture was found. The prior code did this by saving a pointer to all such forward references. That pointer is a pointer into the storage for a Vector, which can be reallocated as it grows. The fix here is to save a pointer to the alternative that contains the term and the index of the term in the alternative. PatternAlternatives are kept alive during parsing, so it is safe to use them.

* JSTests/stress/regexp-lookbehind.js: Added new test cases.
* Source/JavaScriptCore/yarr/YarrPattern.cpp:
(JSC::Yarr::YarrPatternConstructor::UnresolvedForwardReference::UnresolvedForwardReference):
(JSC::Yarr::YarrPatternConstructor::UnresolvedForwardReference::term):
(JSC::Yarr::YarrPatternConstructor::atomParenthesesEnd):
(JSC::Yarr::YarrPatternConstructor::atomBackReference):
* Source/JavaScriptCore/yarr/YarrPattern.h:
(JSC::Yarr::PatternAlternative::lastTermIndex):
(JSC::Yarr::PatternAlternative::lastTerm):

Canonical link: https://commits.webkit.org/259657@main
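The Vector-reallocation hazard and the index-based fix described in the log message, as an added example that is not WebKit's Yarr code: the types are hypothetical stand-ins named after the log message, `rawPointerSurvivesGrowth` models the prior pointer-into-storage scheme, and `resolveForwardReference` models the fix carried through to the end of the lookbehind, where the term becomes a back reference only if the capture it names was found.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>
// Simplified stand-ins for Yarr's PatternTerm / PatternAlternative (hypothetical
// types named after the log message, not the WebKit code).
struct PatternTerm {
    std::string kind;       // "forward-ref", "back-ref" or "capture"
    unsigned subpatternId;  // capture group that a reference names
};
struct PatternAlternative {
    std::vector<PatternTerm> terms;
    size_t lastTermIndex() const { return terms.size() - 1; }
    PatternTerm& lastTerm() { return terms[lastTermIndex()]; }
};
// Fixed bookkeeping: the owning alternative plus the term's index, looked up
// on demand, so a reallocation of `terms` cannot leave a dangling pointer.
struct UnresolvedForwardReference {
    PatternAlternative* alternative;
    size_t termIndex;
    PatternTerm& term() const { return alternative->terms[termIndex]; }
};
// The prior scheme: a raw pointer into the vector's storage. Terms are
// appended (as parsing the rest of the lookbehind would) until the vector
// first reallocates; the old block is freed only after the new one exists, so
// the saved address cannot still name the live term. Addresses are compared
// as integers and the stale pointer is never dereferenced.
bool rawPointerSurvivesGrowth(size_t extraTerms) {
    PatternAlternative alt;
    alt.terms.push_back({"forward-ref", 2});
    auto saved = reinterpret_cast<std::uintptr_t>(&alt.lastTerm());
    size_t capacity = alt.terms.capacity();
    for (size_t i = 0; i < extraTerms && alt.terms.capacity() == capacity; ++i)
        alt.terms.push_back({"capture", static_cast<unsigned>(i + 1)});
    return saved == reinterpret_cast<std::uintptr_t>(&alt.terms[0]);
}
// The fixed scheme carried through to the end of the lookbehind: captures
// 1..extraTerms are appended, then the term becomes a back reference only if
// the capture it names was actually found. Returns the term's final kind.
std::string resolveForwardReference(size_t extraTerms) {
    PatternAlternative alt;
    alt.terms.push_back({"forward-ref", 2});
    UnresolvedForwardReference ref{&alt, alt.lastTermIndex()};
    for (size_t i = 0; i < extraTerms; ++i)
        alt.terms.push_back({"capture", static_cast<unsigned>(i + 1)});
    bool found = false;
    for (const auto& t : alt.terms)
        found = found || (t.kind == "capture" && t.subpatternId == ref.term().subpatternId);
    if (found) ref.term().kind = "back-ref";
    return ref.term().kind;
}
```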