From ac0d313ab15aa78c444d00ed6a1a202a1351dfa1 Mon Sep 17 00:00:00 2001
From: Ulf Hermann <ulf.hermann@qt.io>
Date: Tue, 30 Apr 2019 13:29:45 +0200
Subject: Yarr: Reject quantifiers larger than 16M

Nobody needs those and we run into integer overflows later on if we
accept them.

Fixes: QTBUG-74048
Change-Id: Ib8ccd05e4bd6f662c38fbe95bf1350f81982e1b8
Reviewed-by: Simon Hausmann <simon.hausmann@qt.io>
---
 tests/auto/qml/qqmlecmascript/tst_qqmlecmascript.cpp | 11 +++++++++++
 1 file changed, 11 insertions(+)

(limited to 'tests')

diff --git a/tests/auto/qml/qqmlecmascript/tst_qqmlecmascript.cpp b/tests/auto/qml/qqmlecmascript/tst_qqmlecmascript.cpp
index 85cad8f62c..007ad99655 100644
--- a/tests/auto/qml/qqmlecmascript/tst_qqmlecmascript.cpp
+++ b/tests/auto/qml/qqmlecmascript/tst_qqmlecmascript.cpp
@@ -368,6 +368,7 @@ private slots:
     void saveAccumulatorBeforeToInt32();
     void intMinDividedByMinusOne();
     void undefinedPropertiesInObjectWrapper();
+    void hugeRegexpQuantifiers();
 
 private:
 //    static void propertyVarWeakRefCallback(v8::Persistent<v8::Value> object, void* parameter);
@@ -8968,6 +8969,16 @@ void tst_qqmlecmascript::undefinedPropertiesInObjectWrapper()
     QVERIFY(!object.isNull());
 }
 
+void tst_qqmlecmascript::hugeRegexpQuantifiers()
+{
+    QJSEngine engine;
+    QJSValue value = engine.evaluate("/({3072140529})?{3072140529}/");
+
+    // It's a regular expression, but it won't match anything.
+    // The RegExp compiler also shouldn't crash.
+    QVERIFY(value.isRegExp());
+}
+
 QTEST_MAIN(tst_qqmlecmascript)
 
 #include "tst_qqmlecmascript.moc"
-- 
cgit v1.2.3