Bug 125929

Summary: Crash through integer overflow when regexp quantifiers exceed INT_MAX
Product: WebKit Reporter: Till Schneidereit <till>
Component: JavaScriptCore Assignee: Nobody <webkit-unassigned>
Status: NEW ---    
Severity: Normal    
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
URL: https://bugzilla.mozilla.org/show_bug.cgi?id=872971

Description Till Schneidereit 2013-12-18 09:42:29 PST
The testcase in [1] crashes JSC and Safari. We fixed this in the SpiderMonkey import of Yarr by clamping quantifiers to INT_MAX.

[1]: https://bugzilla.mozilla.org/show_bug.cgi?id=872971#c4
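
The clamping fix mentioned in the description, sketched as an added example (this is not SpiderMonkey's or WebKit's Yarr code): a brace-quantifier parser that saturates each count at INT_MAX instead of letting the accumulator wrap. The function names, the `kMaxCount` ceiling constant and the UINT_MAX "unbounded" sentinel are assumptions made for this illustration.

```cpp
#include <climits>
#include <cstddef>
#include <cstdio>
// Assumed names (illustrative, not Yarr's): clamp ceiling and "{n,}" sentinel.
static const unsigned kMaxCount = INT_MAX;
static const unsigned kQuantifyInfinite = UINT_MAX;

// Read decimal digits at s[*pos], saturating at kMaxCount; false if no digit.
static bool parseClampedCount(const char* s, size_t len, size_t* pos, unsigned* out)
{
    if (*pos >= len || s[*pos] < '0' || s[*pos] > '9')
        return false;
    unsigned value = 0;
    while (*pos < len && s[*pos] >= '0' && s[*pos] <= '9') {
        unsigned digit = static_cast<unsigned>(s[*pos] - '0');
        // Compare before multiplying so the arithmetic itself cannot wrap.
        value = (value > (kMaxCount - digit) / 10) ? kMaxCount : value * 10 + digit;
        ++*pos;
    }
    *out = value;
    return true;
}

// Parse "{n}", "{n,}" or "{n,m}" at s[0]. Returns characters consumed, or 0
// when the text is not a well-formed quantifier or min exceeds max.
size_t parseBraceQuantifier(const char* s, size_t len, unsigned* min, unsigned* max)
{
    size_t pos = 0;
    if (len == 0 || s[pos++] != '{')
        return 0;
    if (!parseClampedCount(s, len, &pos, min))
        return 0;
    *max = *min;
    if (pos < len && s[pos] == ',') {
        ++pos;
        if (!parseClampedCount(s, len, &pos, max))
            *max = kQuantifyInfinite;
    }
    if (pos >= len || s[pos] != '}' || *min > *max)
        return 0;
    return pos + 1;
}

int main()
{
    unsigned min = 0, max = 0;
    const char sample[] = "{2147483648}"; // constructed input: INT_MAX + 1
    size_t n = parseBraceQuantifier(sample, sizeof(sample) - 1, &min, &max);
    std::printf("consumed=%zu min=%u max=%u\n", n, min, max);
}
```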