Bug 125929 - Crash through integer overflow when regexp quantifiers exceed INT_MAX
Summary: Crash through integer overflow when regexp quantifiers exceed INT_MAX
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Nobody
URL: https://bugzilla.mozilla.org/show_bug...
Keywords:
Depends on:
Blocks:
 
Reported: 2013-12-18 09:42 PST by Till Schneidereit
Modified: 2013-12-18 09:42 PST
0 users

See Also:


Description Till Schneidereit 2013-12-18 09:42:29 PST
The testcase in [1] crashes JSC and Safari. We fixed this in the SpiderMonkey import of Yarr by clamping quantifiers to INT_MAX.

[1]: https://bugzilla.mozilla.org/show_bug.cgi?id=872971#c4
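
The clamping approach described in the report, as an added example that is not Yarr's or SpiderMonkey's code: a brace-quantifier parser whose digit accumulator saturates at INT_MAX instead of wrapping. The names `parseClampedNumber`, `parseBraceQuantifier` and `Quantifier` are hypothetical, and the `{min}`, `{min,}`, `{min,max}` syntax handling is an assumption made for the illustration.

```cpp
#include <climits>
#include <cstddef>
#include <cstring>

// Hypothetical helper: read decimal digits at s[*pos], saturating at INT_MAX.
// Returns -1 (and consumes nothing) when no digit is present.
int parseClampedNumber(const char* s, size_t len, size_t* pos)
{
    if (*pos >= len || s[*pos] < '0' || s[*pos] > '9')
        return -1;
    int value = 0;
    while (*pos < len && s[*pos] >= '0' && s[*pos] <= '9') {
        int digit = s[*pos] - '0';
        // Test before multiplying so value * 10 + digit is never computed
        // when it would exceed INT_MAX (signed overflow is undefined).
        if (value > (INT_MAX - digit) / 10)
            value = INT_MAX;              // clamp, but keep consuming digits
        else
            value = value * 10 + digit;
        ++*pos;
    }
    return value;
}

struct Quantifier { bool valid; int min; int max; };

// Hypothetical parser for "{min}", "{min,}" and "{min,max}".
Quantifier parseBraceQuantifier(const char* s)
{
    Quantifier bad = { false, 0, 0 };
    size_t len = std::strlen(s), pos = 0;
    if (pos >= len || s[pos++] != '{')
        return bad;
    int min = parseClampedNumber(s, len, &pos);
    if (min < 0)
        return bad;
    int max = min;                        // "{n}" means exactly n
    if (pos < len && s[pos] == ',') {
        ++pos;
        max = parseClampedNumber(s, len, &pos);
        if (max < 0)
            max = INT_MAX;                // "{n,}" has no upper bound
    }
    if (pos + 1 != len || s[pos] != '}')
        return bad;                       // '}' must close the quantifier
    if (min > max)
        return bad;                       // also rejects a clamped min above max
    return { true, min, max };
}
```

Clamping only bounds the parsed count; code that later multiplies or adds to the quantifier still needs its own overflow checks.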