Bug 254582

Summary: [JSC] CrashOnOverflow in CharacterClassConstructor::unicodeOpSorted()
Product: WebKit Reporter: Samuel Groß <saelo>
Component: JavaScriptCoreAssignee: Michael Saboff <msaboff>
Status: RESOLVED FIXED    
Severity: Normal CC: bfulgham, msaboff, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Local Build   
Hardware: Unspecified   
OS: Unspecified   

Description Samuel Groß 2023-03-28 06:28:47 PDT 
The following code triggers a crash on JSC builds from current HEAD:

    const v0 = `
        const v2 = /(?:(?=a)b){5}abcde/;
        [v0,"var \u1234 = 42;",[v0,"var \u1234 = 42;"]];
        const t3 = v2.constructor;
        const v6 = new t3(v0, ..."var \u1234 = 42;");
    `;
    eval(v0);
    // CRASH INFO
    // ==========
    // TERMSIG: 6
    // EXECUTION TIME: 16ms

Here is the backtrace from gdb:

    #0  __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at ./nptl/pthread_kill.c:44
    #1  0x00007ffff16add2f in __pthread_kill_internal (signo=6, threadid=<optimized out>) at ./nptl/pthread_kill.c:78
    #2  0x00007ffff165eef2 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
    #3  0x00007ffff1649472 in __GI_abort () at ./stdlib/abort.c:79
    #4  0x00007ffff52083f9 in WTF::CrashOnOverflow::crash () at WTF/Headers/wtf/CheckedArithmetic.h:109
    #5  0x00007ffff52083e9 in WTF::CrashOnOverflow::overflowed () at WTF/Headers/wtf/CheckedArithmetic.h:102
    #6  0x00007ffff53077e8 in WTF::Vector<int, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::at (this=0x7fffe705d408, i=1) at WTF/Headers/wtf/Vector.h:781
    #7  0x00007ffff73a973d in WTF::Vector<int, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::operator[] (this=0x7fffe705d408, i=1) at WTF/Headers/wtf/Vector.h:786
    #8  0x00007ffff749c45a in JSC::Yarr::CharacterClassConstructor::unicodeOpSorted (this=0x7fffffffb308, rhsMatchesUnicode=..., rhsRangesUnicode=...) at Source/JavaScriptCore/yarr/YarrPattern.cpp:786
    #9  0x00007ffff749bb25 in JSC::Yarr::CharacterClassConstructor::performSetOpWithMatches (this=0x7fffffffb308, rhsMatches=..., rhsRanges=..., rhsMatchesUnicode=..., rhsRangesUnicode=...) at Source/JavaScriptCore/yarr/YarrPattern.cpp:404
    #10 0x00007ffff74a018e in JSC::Yarr::CharacterClassConstructor::performSetOpWith (this=0x7fffffffb308, rhs=0x7fffe705d3d0) at Source/JavaScriptCore/yarr/YarrPattern.cpp:368
    #11 0x00007ffff749b00c in JSC::Yarr::YarrPatternConstructor::atomCharacterClassPopNested (this=0x7fffffffb2f8) at Source/JavaScriptCore/yarr/YarrPattern.cpp:1219
    #12 0x00007ffff74adf74 in JSC::Yarr::Parser<JSC::Yarr::YarrPatternConstructor, char16_t>::ClassSetParserDelegate::nestedClassEnd (this=0x7fffffffaff8) at Source/JavaScriptCore/yarr/YarrParser.h:364
    #13 0x00007ffff74ac11f in JSC::Yarr::Parser<JSC::Yarr::YarrPatternConstructor, char16_t>::parseClassSet (this=0x7fffffffb0f8) at Source/JavaScriptCore/yarr/YarrParser.h:1229
    #14 0x00007ffff74ab3b2 in JSC::Yarr::Parser<JSC::Yarr::YarrPatternConstructor, char16_t>::parseTokens (this=0x7fffffffb0f8) at Source/JavaScriptCore/yarr/YarrParser.h:1539
    #15 0x00007ffff748ffa3 in JSC::Yarr::Parser<JSC::Yarr::YarrPatternConstructor, char16_t>::parse (this=0x7fffffffb0f8) at Source/JavaScriptCore/yarr/YarrParser.h:1632
    #16 0x00007ffff748716e in JSC::Yarr::parse<JSC::Yarr::YarrPatternConstructor> (delegate=..., pattern=..., compileMode=JSC::Yarr::CompileMode::UnicodeSets, backReferenceLimit=4294967295, isNamedForwardReferenceAllowed=true) at Source/JavaScriptCore/yarr/YarrParser.h:2083
    #17 0x00007ffff73e9ded in JSC::Yarr::YarrPattern::compile (this=0x7fffffffb498, patternString=...) at Source/JavaScriptCore/yarr/YarrPattern.cpp:2053
    #18 0x00007ffff73ea1bd in JSC::Yarr::YarrPattern::YarrPattern (this=0x7fffffffb498, pattern=..., flags=..., error=@0x7fffe702103c: JSC::Yarr::ErrorCode::NoError) at Source/JavaScriptCore/yarr/YarrPattern.cpp:2093
    #19 0x00007ffff6da3e5e in JSC::RegExp::finishCreation (this=0x7fffe7021028, vm=...) at Source/JavaScriptCore/runtime/RegExp.cpp:159
    #20 0x00007ffff6da4009 in JSC::RegExp::createWithoutCaching (vm=..., patternString=..., flags=...) at Source/JavaScriptCore/runtime/RegExp.cpp:197
    #21 0x00007ffff6da40ec in JSC::RegExpCache::lookupOrCreate (this=0x7fffe704c0c0, patternString=..., flags=...) at Source/JavaScriptCore/runtime/RegExpCache.cpp:42
    #22 0x00007ffff6da4058 in JSC::RegExp::create (vm=..., patternString=..., flags=...) at Source/JavaScriptCore/runtime/RegExp.cpp:203
    #23 0x00007ffff6db9383 in JSC::regExpCreate (globalObject=0x7fffa541a068, newTarget=..., patternArg=..., flagsArg=...) at Source/JavaScriptCore/runtime/RegExpConstructor.cpp:234
    #24 0x00007ffff6db8fb3 in JSC::constructRegExp (globalObject=0x7fffa541a068, args=..., callee=0x7fffa54c8130, newTarget=...) at Source/JavaScriptCore/runtime/RegExpConstructor.cpp:294
    #25 0x00007ffff6db6a34 in JSC::constructWithRegExpConstructor (globalObject=0x7fffa541a068, callFrame=0x7fffffffba60) at Source/JavaScriptCore/runtime/RegExpConstructor.cpp:313
    #26 0x00007fffa6c000c7 in ?? ()
    #27 0x00007fffffffbb60 in ?? ()
    #28 0x00007ffff51e1d59 in js_trampoline_op_construct_varargs () from WebKitBuild/Debug/lib/libJavaScriptCore.so.1
    #29 0x0000000000000000 in ?? ()

It looks like a hard crash to me that is not exploitable in any way, but I'm still filing this as a security issue as a precaution. Please downgrade to a non-security bug if appropriate. Thanks!
Comment 1 Radar WebKit Bug Importer 2023-03-28 06:28:59 PDT 
<rdar://problem/107314153>
Comment 2 Michael Saboff 2023-03-28 15:35:49 PDT 
Pull request: https://github.com/WebKit/WebKit/pull/12079
Comment 3 EWS 2023-03-29 14:42:53 PDT 
Committed 262290@main (d85eafff7c3d): <https://commits.webkit.org/262290@main>

Reviewed commits have been landed. Closing PR #12079 and removing active labels.