RESOLVED FIXED 251435
[JSC] UAF Yarr::YarrPatternConstructor::atomParenthesesEnd; Yarr::Parser::parseTokens; JSC::Yarr::parse
https://bugs.webkit.org/show_bug.cgi?id=251435
Michael Saboff
Reported 2023-01-31 07:06:09 PST
The following RegExp crashes on an ASAN build:

/(?<=a*\1aaaaaaaaaaaaaa>)/

Here are the top 10 frames of the crash:

==986==ERROR: AddressSanitizer: heap-use-after-free on address 0x617000001940 at pc 0x0001174a9d0b bp 0x7ff7b559e5b0 sp 0x7ff7b559e5a8
READ of size 4 at 0x617000001940 thread T0
    #0 0x1174a9d0a in JSC::Yarr::YarrPatternConstructor::atomParenthesesEnd()+0xd5a (JavaScriptCore:x86_64+0x51fdd0a) (BuildId: 6cb0b07b97673c9b85344502103804f432000000200000000100000000000e00)
    #1 0x11749c306 in JSC::Yarr::Parser<JSC::Yarr::YarrPatternConstructor, unsigned char>::parseTokens()+0x736 (JavaScriptCore:x86_64+0x51f0306) (BuildId: 6cb0b07b97673c9b85344502103804f432000000200000000100000000000e00)
    #2 0x11749b4f4 in JSC::Yarr::Parser<JSC::Yarr::YarrPatternConstructor, unsigned char>::parse()+0x44 (JavaScriptCore:x86_64+0x51ef4f4) (BuildId: 6cb0b07b97673c9b85344502103804f432000000200000000100000000000e00)
    #3 0x1172ccc19 in JSC::Yarr::ErrorCode JSC::Yarr::parse<JSC::Yarr::YarrPatternConstructor>(JSC::Yarr::YarrPatternConstructor&, WTF::StringView, bool, unsigned int, bool)+0x2f9 (JavaScriptCore:x86_64+0x5020c19) (BuildId: 6cb0b07b97673c9b85344502103804f432000000200000000100000000000e00)
    #4 0x1172cc3e6 in JSC::Yarr::YarrPattern::compile(WTF::StringView)+0x136 (JavaScriptCore:x86_64+0x50203e6) (BuildId: 6cb0b07b97673c9b85344502103804f432000000200000000100000000000e00)
    #5 0x1172cec5e in JSC::Yarr::YarrPattern::YarrPattern(WTF::StringView, WTF::OptionSet<JSC::Yarr::Flags>, JSC::Yarr::ErrorCode&)+0x10e (JavaScriptCore:x86_64+0x5022c5e) (BuildId: 6cb0b07b97673c9b85344502103804f432000000200000000100000000000e00)
    #6 0x1167b6362 in JSC::RegExp::finishCreation(JSC::VM&)+0x162 (JavaScriptCore:x86_64+0x450a362) (BuildId: 6cb0b07b97673c9b85344502103804f432000000200000000100000000000e00)
    #7 0x1167b6e1f in JSC::RegExp::createWithoutCaching(JSC::VM&, WTF::String const&, WTF::OptionSet<JSC::Yarr::Flags>)+0x30f (JavaScriptCore:x86_64+0x450ae1f) (BuildId: 6cb0b07b97673c9b85344502103804f432000000200000000100000000000e00)
    #8 0x1167b727a in JSC::RegExpCache::lookupOrCreate(WTF::String const&, WTF::OptionSet<JSC::Yarr::Flags>)+0x1fa (JavaScriptCore:x86_64+0x450b27a) (BuildId: 6cb0b07b97673c9b85344502103804f432000000200000000100000000000e00)
    #9 0x1140a84de in JSC::RegExpNode::emitBytecode(JSC::BytecodeGenerator&, JSC::RegisterID*)+0x21e (JavaScriptCore:x86_64+0x1dfc4de) (BuildId: 6cb0b07b97673c9b85344502103804f432000000200000000100000000000e00)
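The crash above is reached purely at pattern-compile time (the trace ends in YarrPatternConstructor::atomParenthesesEnd under RegExp::finishCreation, before any matching happens), so the natural regression check is to compile the reproducer, and patterns of the same shape, and require that each one either compiles or fails with a SyntaxError. The harness below is an added example, not a test from the bug report or from the WebKit tree; the variant shapes (other backreference numbers, run lengths, negative and nested lookbehinds, named groups, unicode flag) are constructed here and are not claimed to be known crashers. It runs on any engine with `new RegExp` (Node is used for the expected values); on the ASAN build described in the report the reproducer would abort the process instead of returning.

```javascript
// Added example (not from the bug report or WebKit): regression harness for
// lookbehind-with-backreference patterns of the reported shape. Outcomes are
// limited to "compiled" or "syntax-error"; a process crash, as on the ASAN
// build in the report, would terminate the script before any summary.

const REPRODUCER = "(?<=a*\\1aaaaaaaaaaaaaa>)"; // pattern source from the report

// Constructed variants around the reproducer (assumption: these are shapes
// similar to the crashing pattern, not additional known crashers).
function buildCandidates() {
  const out = [REPRODUCER];
  for (const ref of [1, 2, 9, 10]) {
    for (const run of [0, 1, 14, 64]) {
      const lits = "a".repeat(run);
      out.push(`(?<=a*\\${ref}${lits}>)`);               // positive lookbehind, backref before group
      out.push(`(?<!a*\\${ref}${lits}>)`);               // negative lookbehind
      out.push(`(?<=(a*)\\${ref}${lits}>)`);             // capture group defined inside the lookbehind
      out.push(`(a)(?<=\\${ref}${lits}(?<=\\${ref}))`); // nested lookbehind, group defined before it
      out.push(`(?<n>a)(?<=\\k<n>\\${ref}${lits})`);     // named and numbered backreferences mixed
    }
  }
  return out;
}

// Compile one pattern; anything other than success or SyntaxError is a
// harness bug and is rethrown so it is not silently counted.
function classify(source, flags) {
  try {
    new RegExp(source, flags);
    return "compiled";
  } catch (e) {
    if (e instanceof SyntaxError) return "syntax-error";
    throw e;
  }
}

// Compile every candidate under several flag sets and tally the outcomes.
function runHarness() {
  const summary = { compiled: 0, "syntax-error": 0, patterns: 0 };
  for (const source of buildCandidates()) {
    for (const flags of ["", "u", "g", "gu"]) {
      summary[classify(source, flags)]++;
      summary.patterns++;
    }
  }
  return summary;
}

// The reproducer has no capture group, so \1 is a legacy octal escape
// (U+0001) in non-unicode mode and an invalid escape with the `u` flag.
function reproducerOutcomes() {
  return { legacy: classify(REPRODUCER, ""), unicode: classify(REPRODUCER, "u") };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(runHarness(), reproducerOutcomes());
}
```

The harness deliberately never calls `exec` or `test`: the reported fault is in pattern construction, and a compile-only loop keeps the check fast enough to run over many generated shapes. Adding a shape means appending one template line in `buildCandidates`.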
Michael Saboff
Comment 1 2023-01-31 07:06:22 PST
Michael Saboff
Comment 2 2023-01-31 09:28:29 PST
EWS
Comment 3 2023-01-31 18:53:10 PST
Committed 259657@main (561d0e5534c8): <https://commits.webkit.org/259657@main> Reviewed commits have been landed. Closing PR #9385 and removing active labels.