71b9018c47
The integer value denoting the number of captures (and thus the size of the list of captures created in @@replace [0]) can be controlled by the user. This CL ensures we don't overflow and respect Code::kMaxArguments, but note that it is still possible to trigger OOMs through large lists. Bug: chromium:786573 Change-Id: I19c88908c594487818d083b2ba423764ef91eae0 Reviewed-on: https://chromium-review.googlesource.com/779001 Reviewed-by: Yang Guo <yangguo@chromium.org> Commit-Queue: Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/heads/master@{#49530}
17 lines
556 B
JavaScript
// Copyright 2017 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
let cnt = 0;
let reg = /./g;
reg.exec = () => {
// Note: it's still possible to trigger OOM by passing huge values here, since
// the spec requires building a list of all captures in
// https://tc39.github.io/ecma262/#sec-regexp.prototype-@@replace
if (cnt++ == 0) return {length: 2 ** 16};
cnt = 0;
return null;
};
assertThrows(() => ''.replace(reg, () => {}), RangeError);
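Review bot: The value `2 ** 16` on the `return {length: 2 ** 16};` line is a bare magic number, yet the whole regression test hinges on it exceeding the argument limit this CL starts enforcing, so that relationship should be stated next to the value. A suggested comment above that line: `// Presumably just past Code::kMaxArguments; @@replace must throw a RangeError here instead of building the captures list — confirm against the constant.` The comparison `cnt++ == 0` would also read more precisely as `cnt++ === 0`, in line with the strict-equality convention. The test pins only the over-limit side; a companion case with a `length` just below the limit would show that legitimate large capture counts still succeed, if the cost of building that list is acceptable in the test suite.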