Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: e5368156542a8414366b922c6c8130099fc3df94
      
https://github.com/WebKit/WebKit/commit/e5368156542a8414366b922c6c8130099fc3df94
  Author: Yusuke Suzuki <[email protected]>
  Date:   2026-06-11 (Thu, 11 Jun 2026)

  Changed paths:
    M Source/JavaScriptCore/yarr/RegularExpression.cpp
    M Tools/TestWebKitAPI/CMakeLists.txt
    A Tools/TestWebKitAPI/Tests/JavaScriptCore/RegularExpression.cpp

  Log Message:
  -----------
  [JSC] YARR RegularExpression heap overflow - duplicate named capture groups
https://bugs.webkit.org/show_bug.cgi?id=308707
rdar://171240602

Reviewed by Keith Miller.

RegularExpression's offsets vector allocation size is incorrect: that
formula was updated when named captures were added, but
RegularExpression's computation was not updated correctly. This patch
fixes it.

Tests: Tools/TestWebKitAPI/CMakeLists.txt
       Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj
       Tools/TestWebKitAPI/Tests/JavaScriptCore/RegularExpression.cpp

* Source/JavaScriptCore/yarr/RegularExpression.cpp:
(JSC::Yarr::RegularExpression::match const):
* Tools/TestWebKitAPI/CMakeLists.txt:
* Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj:
* Tools/TestWebKitAPI/Tests/JavaScriptCore/RegularExpression.cpp: Added.
(TestWebKitAPI::TEST(JavaScriptCore_RegularExpression, DuplicateNamedCaptureGroupSimple)):
(TestWebKitAPI::TEST(JavaScriptCore_RegularExpression, DuplicateNamedCaptureGroupMultiple)):
(TestWebKitAPI::TEST(JavaScriptCore_RegularExpression, DuplicateNamedCaptureGroupNoMatch)):
(TestWebKitAPI::TEST(JavaScriptCore_RegularExpression, DuplicateNamedCaptureGroupSearchRev)):

Originally-landed-as: 305413.398@safari-7624-branch (86cffcf010ab). 
rdar://176067468
Canonical link: https://commits.webkit.org/315024@main
