71b9018c47
The integer value denoting the number of captures (and thus the size of the list of captures created in @@replace [0]) can be controlled by the user. This CL ensures we don't overflow and respect Code::kMaxArguments, but note that it is still possible to trigger OOMs through large lists. Bug: chromium:786573 Change-Id: I19c88908c594487818d083b2ba423764ef91eae0 Reviewed-on: https://chromium-review.googlesource.com/779001 Reviewed-by: Yang Guo <yangguo@chromium.org> Commit-Queue: Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/heads/master@{#49530}
13 lines
291 B
JavaScript
13 lines
291 B
JavaScript
// Copyright 2017 the V8 project authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
|
|
let i = 0;
|
|
let re = /./g;
|
|
re.exec = () => {
|
|
if (i++ == 0) return { length: 2 ** 16 };
|
|
return null;
|
|
};
|
|
|
|
"".replace(re);
|