2 files changed, 13 insertions, 1 deletions

diff --git a/src/3rdparty/masm/yarr/YarrParser.h b/src/3rdparty/masm/yarr/YarrParser.h
index 3e5311f1fb..edc6beb1f0 100644
--- a/src/3rdparty/masm/yarr/YarrParser.h
+++ b/src/3rdparty/masm/yarr/YarrParser.h
@@ -694,7 +694,8 @@ private:
         ASSERT(!hasError(m_errorCode));
         ASSERT(min <= max);
 
-        if (min == UINT_MAX) {
+        const unsigned quantifyLimit = 1 << 24;
+        if (min > quantifyLimit || (max != quantifyInfinite && max > quantifyLimit)) {
             m_errorCode = ErrorCode::QuantifierTooLarge;
             return;
         }
diff --git a/tests/auto/qml/qqmlecmascript/tst_qqmlecmascript.cpp b/tests/auto/qml/qqmlecmascript/tst_qqmlecmascript.cpp
index 85cad8f62c..007ad99655 100644
--- a/tests/auto/qml/qqmlecmascript/tst_qqmlecmascript.cpp
+++ b/tests/auto/qml/qqmlecmascript/tst_qqmlecmascript.cpp
@@ -368,6 +368,7 @@ private slots:
     void saveAccumulatorBeforeToInt32();
     void intMinDividedByMinusOne();
     void undefinedPropertiesInObjectWrapper();
+    void hugeRegexpQuantifiers();
 
 private:
 //    static void propertyVarWeakRefCallback(v8::Persistent<v8::Value> object, void* parameter);
@@ -8968,6 +8969,16 @@ void tst_qqmlecmascript::undefinedPropertiesInObjectWrapper()
     QVERIFY(!object.isNull());
 }
 
+void tst_qqmlecmascript::hugeRegexpQuantifiers()
+{
+    QJSEngine engine;
+    QJSValue value = engine.evaluate("/({3072140529})?{3072140529}/");
+
+    // It's a regular expression, but it won't match anything.
+    // The RegExp compiler also shouldn't crash.
+    QVERIFY(value.isRegExp());
+}
+
 QTEST_MAIN(tst_qqmlecmascript)
 
 #include "tst_qqmlecmascript.moc"