v8/regress-1166138.js at 3466daa7e44c247855c10b884223321336328159 - v8 - Gitea: Git with a cup of tea

AuroraMiddleware/v8

Patrick Thier 3466daa7e4 [regexp] Throw when length of text nodes in alternatives is too large.

Offsets in regular expressions are limited to 16 bits.
It was possible to exceed this limit when emitting greedy loops where
the length of text nodes exceeded 16 bits, resulting in overflowing
offsets.
With this CL we throw a SyntaxError "Regular expression too large" to
prevent this overflow.

Bug: chromium:1166138
Change-Id: Ica624a243bf9827083ff883d9a976f13c8da02e5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2629286
Commit-Queue: Patrick Thier <pthier@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72095}

2021-01-14 14:58:04 +00:00

8 lines

292 B

JavaScript

Raw Blame History

 // Copyright 2020 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 let badregexp =  "(?:" +  " ".repeat(32768*2)+  ")*";
 reg = RegExp(badregexp);
 assertThrows(() => reg.test(), SyntaxError);