WebKit Bugzilla - Bug 59221: [RegexFuzz] Regression blocking testing
Status: RESOLVED FIXED
https://bugs.webkit.org/show_bug.cgi?id=59221
Oliver Hunt
Reported
2011-04-22 12:20:56 PDT
new RegExp("(?!(u|m{0,}g+)u{1,}|2{2,}!1%n|(?!K|(?=y)|(?=ip))+?)(?=(?=(((?:7))*?)*?))p", "m").exec("u55up")

This triggers the following assertion (which implies an out-of-bounds read); it also blocks the fuzzer:

ASSERTION FAILED: position < 0
/Volumes/BigData/git/WebKit/OpenSource/Source/JavaScriptCore/yarr/YarrInterpreter.cpp(205) : int JSC::Yarr::Interpreter::InputStream::readChecked(int)
1 JSC::Yarr::Interpreter::InputStream::readChecked(int)
2 JSC::Yarr::Interpreter::checkCharacter(int, int)
3 JSC::Yarr::Interpreter::matchDisjunction(JSC::Yarr::ByteDisjunction*, JSC::Yarr::Interpreter::DisjunctionContext*, bool, bool)
4 JSC::Yarr::Interpreter::interpret()
5 JSC::Yarr::interpret(JSC::Yarr::BytecodePattern*, unsigned short const*, unsigned int, unsigned int, int*)
6 JSC::RegExp::match(JSC::UString const&, int, WTF::Vector<int, 32ul>*)
7 JSC::RegExpConstructor::performMatch(JSC::RegExp*, JSC::UString const&, int, int&, int&, int**)
8 JSC::RegExpObject::match(JSC::ExecState*)
9 JSC::RegExpObject::exec(JSC::ExecState*)
Attachments
The patch (5.02 KB, patch), 2011-04-29 14:41 PDT, Gavin Barraclough. Flags: oliver: review+
Gavin Barraclough
Comment 1
2011-04-29 11:57:05 PDT
Reduction: /(?=(a)b|c?)()*d/.exec("ax")
Gavin Barraclough
Comment 2
2011-04-29 13:08:56 PDT
Reduction with YARR JIT disabled: /(?=a|b?)c/.exec("x")
Gavin Barraclough
Comment 3
2011-04-29 14:09:25 PDT
Reduction: /(?=(a)b|c?)()*d/.exec("ax")
Gavin Barraclough
Comment 4
2011-04-29 14:41:15 PDT
Created attachment 91742: The patch
Gavin Barraclough
Comment 5
2011-04-29 14:55:50 PDT
fixed in r85361
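Added regression check, not part of the bug report or of WebKit's patch: the three patterns posted in this bug (the original fuzzer case and Gavin's two reductions) run through exec, together with the result each must produce under ECMA-262 semantics, worked out by hand from the spec. All three are null: in the two reductions the lookahead's second alternative (`c?`, `b?`) matches the empty string, so the assertion succeeds at every position, but the literal that follows (`d`, `c`) never appears in the input; in the original case the negative lookahead fails at every position, because its third alternative, the quantified assertion `(?!K|(?=y)|(?=ip))+?`, matches the empty string wherever no `K`, `y` or `ip` follows, and nothing in "u55up" does. The input "ad" for the positive control is constructed here so that the reduced pattern also exercises the match path and the capture-group values a correct engine reports.

```javascript
// Regression cases taken from bug 59221. A correct engine must neither
// crash nor throw on any of them; the expected results are the ECMA-262
// results derived by hand in the lead-in (all null).
const cases = [
  {
    name: "original fuzzer case (comment 0)",
    re: new RegExp(
      "(?!(u|m{0,}g+)u{1,}|2{2,}!1%n|(?!K|(?=y)|(?=ip))+?)(?=(?=(((?:7))*?)*?))p",
      "m"
    ),
    input: "u55up",
  },
  { name: "reduction (comments 1 and 3)", re: /(?=(a)b|c?)()*d/, input: "ax" },
  { name: "reduction, YARR JIT disabled (comment 2)", re: /(?=a|b?)c/, input: "x" },
];

// Run every case, recording whether exec threw rather than letting a
// failure abort the rest of the list (the fuzzer-blocking behaviour the
// report complains about is exactly one case taking the whole run down).
function runRegressionCases() {
  return cases.map(({ name, re, input }) => {
    try {
      return { name, threw: false, result: re.exec(input) };
    } catch (e) {
      return { name, threw: true, result: String(e) };
    }
  });
}

// Positive control on constructed input "ad": the match is "d" at index 1.
// Group 1 is undefined because, at index 1, the lookahead took the empty
// `c?` branch (captures from a failed alternative are discarded), and
// group 2 is undefined because `()*` matches zero iterations: the spec's
// empty-match check stops a repeat whose body consumed nothing.
function positiveControl() {
  const m = /(?=(a)b|c?)()*d/.exec("ad");
  return m ? { index: m.index, match: m[0], g1: m[1], g2: m[2] } : null;
}

for (const c of runRegressionCases()) {
  console.log(c.name, "->", c.threw ? "THREW " + c.result : JSON.stringify(c.result));
}
console.log("positive control ->", JSON.stringify(positiveControl()));
```

Any case that throws or returns a non-null match on these inputs indicates an engine that deviates from the spec on empty-matching lookahead alternatives, which is the construct all three reductions share.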