[regexp] Fix yet another invalid use related to range arrays

`Equals` did not properly account for arrays with odd lengths. Bug: v8:11069 Change-Id: I3264ebef248adcecd59b902bf1521cfddbd5a69d Fixed: chromium:1267674 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3264218 Auto-Submit: Jakob Gruber <jgruber@chromium.org> Reviewed-by: Leszek Swirski <leszeks@chromium.org> Commit-Queue: Leszek Swirski <leszeks@chromium.org> Cr-Commit-Position: refs/heads/main@{#77756}
2021-11-08 09:35:29 +01:00 · 2021-11-08 09:35:29 +01:00 · c9d23462a5
commit c9d23462a5
parent 3a858a91fa
2 changed files with 11 additions and 4 deletions
--- a/src/regexp/regexp-macro-assembler.cc
+++ b/src/regexp/regexp-macro-assembler.cc
@ -130,13 +130,13 @@ int RangeArrayLengthFor(const ZoneList<CharacterRange>* ranges) {
 }

 bool Equals(const ZoneList<CharacterRange>* lhs, const Handle<ByteArray>& rhs) {
-  if (rhs->length() != RangeArrayLengthFor(lhs) * kUInt16Size) return false;
+  DCHECK_EQ(rhs->length() % kUInt16Size, 0);  // uc16 elements.
+  const int rhs_length = rhs->length() / kUInt16Size;
+  if (rhs_length != RangeArrayLengthFor(lhs)) return false;
  for (int i = 0; i < lhs->length(); i++) {
    const CharacterRange& r = lhs->at(i);
    if (rhs->get_uint16(i * 2 + 0) != r.from()) return false;
-    if (i == lhs->length() - 1 && r.to() == kMaxUInt16) {
-      break;  // Avoid overflow by leaving the last range open-ended.
-    }
+    if (i * 2 + 1 == rhs_length) break;
    if (rhs->get_uint16(i * 2 + 1) != r.to() + 1) return false;
  }
  return true;
--- a/test/mjsunit/regress/regress-1267674.js
+++ b/test/mjsunit/regress/regress-1267674.js
@ -0,0 +1,7 @@
+// Copyright 2021 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+//
+// Flags: --no-regexp-tier-up
+
+assertNull(/[PxdsuJ\W]+\x00/imsy.exec());