From 09c4ec32028aff82dcec6f1c74d721f7c6279738 Mon Sep 17 00:00:00 2001
From: Ulf Hermann
Date: Mon, 6 Jan 2020 16:02:08 +0100
Subject: V4: Catch error when compiling broken RegExps
Otherwise we try to assign an invalid RegExp object, which crashes.
Change-Id: I85478406524a2a9d7542758caaa1b42b4090bb93
Reviewed-by: Fabian Kosmale
---
 src/qml/jsruntime/qv4regexpobject.cpp | 4 ++--
 tests/auto/qml/qjsengine/tst_qjsengine.cpp | 17 +++++++++++++++++
 2 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/src/qml/jsruntime/qv4regexpobject.cpp b/src/qml/jsruntime/qv4regexpobject.cpp
index c1a42c4afa..f1375e4ca4 100644
--- a/src/qml/jsruntime/qv4regexpobject.cpp
+++ b/src/qml/jsruntime/qv4regexpobject.cpp
@@ -961,8 +961,8 @@ ReturnedValue RegExpPrototype::method_compile(const FunctionObject *b, const Val
 return scope.engine->throwTypeError();
 Scoped re(scope, scope.engine->regExpCtor()->callAsConstructor(argv, argc));
-
- r->d()->value.set(scope.engine, re->value());
+ if (re) // Otherwise the regexp constructor should have thrown an exception
+ r->d()->value.set(scope.engine, re->value());
 return Encode::undefined();
 }
diff --git a/tests/auto/qml/qjsengine/tst_qjsengine.cpp b/tests/auto/qml/qjsengine/tst_qjsengine.cpp
index 9f697e5a74..43c931ecf7 100644
--- a/tests/auto/qml/qjsengine/tst_qjsengine.cpp
+++ b/tests/auto/qml/qjsengine/tst_qjsengine.cpp
@@ -254,6 +254,7 @@ private slots:
 void triggerBackwardJumpWithDestructuring();
 void arrayConcatOnSparseArray();
 void sortSparseArray();
+ void compileBrokenRegexp();
 public:
 Q_INVOKABLE QJSValue throwingCppMethod1();
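Review bot: In method_compile the new `if (re)` guard stops the null dereference, but when `re` is null the function still falls through to `return Encode::undefined();`, and only the comment records that an exception is expected to be pending. Making that expectation explicit would keep a future non-throwing failure of the constructor from being swallowed silently, for example `if (!re) { Q_ASSERT(scope.engine->hasException); return Encode::undefined(); }` placed before the `set()` call. The unbraced `if` followed by a trailing comment is also easy to misread, so braces around the assignment would help. The body of method_compile starts outside this hunk, so the earlier checks on `r` are not visible here.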
@@ -5003,6 +5004,22 @@ void tst_QJSEngine::sortSparseArray()
 QVERIFY(value.property(10).isUndefined());
 }
+void tst_QJSEngine::compileBrokenRegexp()
+{
+ QJSEngine engine;
+ const auto value = engine.evaluate(
+ "(function() {"
+ "var ret = new RegExp(Array(4097).join("
+ " String.fromCharCode(58)) + Array(4097).join(String.fromCharCode(480)) "
+ " + Array(65537).join(String.fromCharCode(5307)));"
+ "return RegExp.prototype.compile.call(ret, 'a','b');"
+ "})();"
+ );
+
+ QVERIFY(value.isError());
+ QCOMPARE(value.toString(), "SyntaxError: Invalid flags supplied to RegExp constructor");
+}
+
 QTEST_MAIN(tst_QJSEngine)
 #include "tst_qjsengine.moc"
-- cgit v1.2.3
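Review bot: compileBrokenRegexp() pins the message "Invalid flags supplied to RegExp constructor", which presumably comes from the 'b' flags argument rather than from the very large pattern built with Array(4097) and Array(65537), so it is unclear whether the large pattern is needed to reach the guarded path. A short comment above the evaluate() call would make the intent maintainable, e.g. `// compile() with invalid flags must throw instead of dereferencing a null RegExpObject`, and if the pattern size is not needed the script could be reduced to a small literal pattern. Since the original failure was a crash rather than a wrong result, it would also be worth asserting that the engine is still usable afterwards, for instance by evaluating a trivial expression and checking it is not an error.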