author | Ulf Hermann <ulf.hermann@qt.io> | 2019-04-30 13:29:45 +0200 |
---|---|---|
committer | Ulf Hermann <ulf.hermann@qt.io> | 2019-04-30 12:37:19 +0000 |
commit | ac0d313ab15aa78c444d00ed6a1a202a1351dfa1 (patch) | |
tree | 8f8c0db341329c8a7c8f7b27c2b196a5b9b86778 | |
parent | f01e72a82b59c214ce4b0a6ecefb604bc66ddd3e (diff) |
Yarr: Reject quantifiers larger than 16M
Nobody needs those and we run into integer overflows later on if we
accept them.
Fixes: QTBUG-74048
Change-Id: Ib8ccd05e4bd6f662c38fbe95bf1350f81982e1b8
Reviewed-by: Simon Hausmann <simon.hausmann@qt.io>
-rw-r--r-- | src/3rdparty/masm/yarr/YarrParser.h | 3 | ||||
-rw-r--r-- | tests/auto/qml/qqmlecmascript/tst_qqmlecmascript.cpp | 11 |
2 files changed, 13 insertions, 1 deletions
diff --git a/src/3rdparty/masm/yarr/YarrParser.h b/src/3rdparty/masm/yarr/YarrParser.h
index 3e5311f1fb..edc6beb1f0 100644
--- a/src/3rdparty/masm/yarr/YarrParser.h
+++ b/src/3rdparty/masm/yarr/YarrParser.h
@@ -694,7 +694,8 @@ private:
 ASSERT(!hasError(m_errorCode));
 ASSERT(min <= max);
- if (min == UINT_MAX) {
+ const unsigned quantifyLimit = 1 << 24;
+ if (min > quantifyLimit || (max != quantifyInfinite && max > quantifyLimit)) {
 m_errorCode = ErrorCode::QuantifierTooLarge;
 return;
 }
diff --git a/tests/auto/qml/qqmlecmascript/tst_qqmlecmascript.cpp b/tests/auto/qml/qqmlecmascript/tst_qqmlecmascript.cpp
index 85cad8f62c..007ad99655 100644
--- a/tests/auto/qml/qqmlecmascript/tst_qqmlecmascript.cpp
+++ b/tests/auto/qml/qqmlecmascript/tst_qqmlecmascript.cpp
@@ -368,6 +368,7 @@ private slots:
 void saveAccumulatorBeforeToInt32();
 void intMinDividedByMinusOne();
 void undefinedPropertiesInObjectWrapper();
+ void hugeRegexpQuantifiers();
 private:
 // static void propertyVarWeakRefCallback(v8::Persistent<v8::Value> object, void* parameter);
@@ -8968,6 +8969,16 @@ void tst_qqmlecmascript::undefinedPropertiesInObjectWrapper()
 QVERIFY(!object.isNull());
 }
+void tst_qqmlecmascript::hugeRegexpQuantifiers()
+{
+ QJSEngine engine;
+ QJSValue value = engine.evaluate("/({3072140529})?{3072140529}/");
+
+ // It's a regular expression, but it won't match anything.
+ // The RegExp compiler also shouldn't crash.
+ QVERIFY(value.isRegExp());
+}
+
 QTEST_MAIN(tst_qqmlecmascript)
 #include "tst_qqmlecmascript.moc" |
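Review bot: In the YarrParser.h hunk, `quantifyLimit` is an unexplained magic number: the new lines do not say which later computation overflows or why `1 << 24` leaves enough headroom. The bound is also applied to each quantifier on its own, so this hunk does not show whether nested quantified groups, whose counts multiply, stay in range downstream. Because the file lives under src/3rdparty, the check should be marked as a local deviation so that a later re-import of upstream Yarr does not silently drop it. I would add above the constant `// Qt-local (QTBUG-74048): cap counts at 2^24; larger values overflow unsigned arithmetic later on.` and write the constant as `static constexpr unsigned quantifyLimit = 1u << 24;`. The enclosing function begins and ends outside the hunk.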
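Review bot: In the tst_qqmlecmascript.cpp hunk that adds `hugeRegexpQuantifiers()`, the only assertion is `QVERIFY(value.isRegExp());`, so the test checks that nothing crashed but not that the oversized quantifier was actually rejected. The comment's claim that the expression "won't match anything" is never asserted. Both counts used are far above the limit, so the boundary itself (16777216 versus 16777217, derived from `1 << 24`) is not exercised, and neither is the `max`-only branch of the new condition, for example a `{1,3072140529}` range. I would add those cases plus an assertion on the no-match behaviour, and extend the comment with `// Counts above 2^24 are rejected by the Yarr parser (QTBUG-74048).`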