Bug 259143

Summary: heap-use-after-free | JSC::RegExpObject::execInline; JSC::regExpProtoFuncExec
Product: WebKit
Reporter: Michael Saboff <msaboff>
Component: JavaScriptCore
Assignee: Michael Saboff <msaboff>
Status: RESOLVED FIXED
Severity: Normal
CC: bfulgham, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified

Description Michael Saboff 2023-07-12 06:33:56 PDT
When processing some RegExps with duplicate named capture groups where we have nested counted parentheses, we can get an ASSERT / ASAN UAF.

ASSERTION FAILED: index < m_length
/Users/msaboff/src/WK.1/OpenSource/Source/JavaScriptCore/runtime/ButterflyInlines.h(46) : typename ContiguousData<T>::Data JSC::ContiguousData<const JSC::WriteBarrier<JSC::Unknown, RawValueTraits<JSC::Unknown>>>::at(const JSC::JSCell *, size_t) [T = const JSC::WriteBarrier<JSC::Unknown, RawValueTraits<JSC::Unknown>>]
1   0x10987f6b4 WTFCrash
2   0x109f71154 JSC::IntlNumberFormat::initializeNumberFormat(JSC::JSGlobalObject*, JSC::JSValue, JSC::JSValue)
3   0x10acdef5c JSC::ContiguousData<JSC::WriteBarrier<JSC::Unknown, WTF::RawValueTraits<JSC::Unknown>> const>::at(JSC::JSCell const*, unsigned long)
4   0x10b4754ac JSC::JSObject::getIndexQuickly(unsigned int) const
5   0x10b8c0888 JSC::createRegExpMatchesArray(JSC::VM&, JSC::JSGlobalObject*, JSC::JSString*, WTF::String const&, JSC::RegExp*, unsigned int, JSC::MatchResult&)
6   0x10b8b8a8c JSC::RegExpObject::execInline(JSC::JSGlobalObject*, JSC::JSString*)
7   0x10b8b8754 JSC::RegExpObject::exec(JSC::JSGlobalObject*, JSC::JSString*)
8   0x10b8bcc1c JSC::regExpProtoFuncMatchFast(JSC::JSGlobalObject*, JSC::CallFrame*)
Comment 1 Michael Saboff 2023-07-12 09:22:51 PDT
Pull request: https://github.com/WebKit/WebKit/pull/15780
Comment 2 EWS 2023-07-12 14:51:21 PDT
Committed 266009@main (9257a50c70ba): <https://commits.webkit.org/266009@main>

Reviewed commits have been landed. Closing PR #15780 and removing active labels.