RESOLVED FIXED259143
heap-use-after-free | JSC::RegExpObject::execInline; JSC::regExpProtoFuncExec 
https://bugs.webkit.org/show_bug.cgi?id=259143
Summary heap-use-after-free | JSC::RegExpObject::execInline; JSC::regExpProtoFuncExec
Michael Saboff
Reported 2023-07-12 06:33:56 PDT
When processing some RegExp's with duplicate named capture groups where we have nested counted parenthesis, we can get a ASSERT / ASAN UAF. ASSERTION FAILED: index < m_length /Users/msaboff/src/WK.1/OpenSource/Source/JavaScriptCore/runtime/ButterflyInlines.h(46) : typename ContiguousData<T>::Data JSC::ContiguousData<const JSC::WriteBarrier<JSC::Unknown, RawValueTraits<JSC::Unknown>>>::at(const JSC::JSCell *, size_t) [T = const JSC::WriteBarrier<JSC::Unknown, RawValueTraits<JSC::Unknown>>] 1 0x10987f6b4 WTFCrash 2 0x109f71154 JSC::IntlNumberFormat::initializeNumberFormat(JSC::JSGlobalObject*, JSC::JSValue, JSC::JSValue) 3 0x10acdef5c JSC::ContiguousData<JSC::WriteBarrier<JSC::Unknown, WTF::RawValueTraits<JSC::Unknown>> const>::at(JSC::JSCell const*, unsigned long) 4 0x10b4754ac JSC::JSObject::getIndexQuickly(unsigned int) const 5 0x10b8c0888 JSC::createRegExpMatchesArray(JSC::VM&, JSC::JSGlobalObject*, JSC::JSString*, WTF::String const&, JSC::RegExp*, unsigned int, JSC::MatchResult&) 6 0x10b8b8a8c JSC::RegExpObject::execInline(JSC::JSGlobalObject*, JSC::JSString*) 7 0x10b8b8754 JSC::RegExpObject::exec(JSC::JSGlobalObject*, JSC::JSString*) 8 0x10b8bcc1c JSC::regExpProtoFuncMatchFast(JSC::JSGlobalObject*, JSC::CallFrame*)
Attachments
Add attachment proposed patch, testcase, etc.
Michael Saboff
Comment 1 2023-07-12 09:22:51 PDT
Pull request: https://github.com/WebKit/WebKit/pull/15780
EWS
Comment 2 2023-07-12 14:51:21 PDT
Committed 266009@main (9257a50c70ba): <https://commits.webkit.org/266009@main> Reviewed commits have been landed. Closing PR #15780 and removing active labels.
Note You need to log in before you can comment on or make changes to this bug.