Bug 308836 - RESOLVED FIXED
JSC crashes when RegExp replace operation overflows string buffer
https://bugs.webkit.org/show_bug.cgi?id=308836
anand_srinivasan
Reported 2026-02-27 11:26:39 PST
rdar://171058069

When a RegExp object is executing the 'replace' operation, it constructs the output string in a buffer. If the string exceeds the maximum legal limit for a JavaScript string, it should throw an out-of-memory error. JSC triggers a controlled crash if the string overflows.

To reproduce:

Object.__proto__.__proto__[Symbol.replace] = () => {};
function __f_0(__v_5, __v_6) {
  while (__v_5.length < __v_6) {
    __v_5 += __v_5;
  }
  return __v_5.substring(0, __v_6);
}
var __v_2 = __f_0("1", 1 << 20);
var __v_3 = __f_0("$1", 1 << 16);
__v_2.replace(/(.+)/g, __v_3); // crash
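The report describes the failure mode: the replacement template expands once per match, so a 2^16-character template of "$1" references applied to a 2^20-character match asks for a 2^35-code-unit result, far past any engine's string limit. The following example, added here and not part of the bug report or of JavaScriptCore, shows the check an engine (or a library wrapping replace) would want: count the code units a replace would produce before building anything, and throw a RangeError instead of reaching the oversized buffer. MAX_STRING_LENGTH, substitutionLength, estimateReplaceLength and safeReplace are names chosen for this example; the 2^31 - 1 limit is an assumption close to JSC's maximum string length, not a value taken from the report.

```javascript
// Added example (not WebKit/JSC code). Assumed engine limit on string length in
// UTF-16 code units; JavaScriptCore's own limit is close to this, other engines differ.
const MAX_STRING_LENGTH = 2 ** 31 - 1;

// Count the code units GetSubstitution (ECMA-262) would emit for ONE match of
// `template`, without building the string. Handles $$, $&, $`, $' and single-digit
// group references $1..$9; anything else after "$" is a literal dollar sign.
function substitutionLength(template, match, subject) {
  let len = 0;
  for (let i = 0; i < template.length; i++) {
    const c = template[i];
    if (c !== "$" || i + 1 >= template.length) { len += 1; continue; }
    const n = template[i + 1];
    if (n === "$") { len += 1; i++; }
    else if (n === "&") { len += match[0].length; i++; }
    else if (n === "`") { len += match.index; i++; }
    else if (n === "'") { len += subject.length - match.index - match[0].length; i++; }
    else if (n >= "1" && n <= "9" && Number(n) < match.length) {
      len += (match[Number(n)] ?? "").length;   // unmatched group expands to ""
      i++;
    }
    else { len += 1; }                          // literal "$"
  }
  return len;
}

// Length of subject.replace(regex, template) computed without materializing it.
// Stops early once the running total is already above the limit.
function estimateReplaceLength(subject, regex, template) {
  let total = 0;
  let last = 0;
  const matches = regex.global
    ? subject.matchAll(regex)
    : [subject.match(regex)].filter(Boolean);
  for (const m of matches) {
    total += m.index - last;                         // untouched text before the match
    total += substitutionLength(template, m, subject);
    last = m.index + m[0].length;
    if (total > MAX_STRING_LENGTH) return total;
  }
  return total + (subject.length - last);            // trailing untouched text
}

// Drop-in wrapper: refuse to build an oversized result instead of letting the
// engine hit its buffer limit.
function safeReplace(subject, regex, template) {
  const expected = estimateReplaceLength(subject, regex, template);
  if (expected > MAX_STRING_LENGTH) {
    throw new RangeError(
      `replace result would be ${expected} code units, above ${MAX_STRING_LENGTH}`);
  }
  return subject.replace(regex, template);
}

// Inputs constructed the same way as in the report: a 2^20-char subject and a
// 2^16-char template made of 32768 "$1" references, each expanding to the whole
// 2^20-char match of /(.+)/g.
const subject = "1".repeat(1 << 20);
const template = "$1".repeat(1 << 15);

function demo() {
  // 32768 * 2^20 = 2^35 code units: detected and rejected before any copying.
  const oversized = estimateReplaceLength(subject, /(.+)/g, template);
  // A small replace is unaffected and goes through to the native implementation.
  const small = safeReplace("a-b-c", /(\w)/g, "[$1$1]");
  return { oversized, small };
}
```

Running demo() returns an estimate of 34359738368 for the report's inputs and "[aa]-[bb]-[cc]" for the small case; calling safeReplace on the report's inputs throws a RangeError rather than invoking the native replace.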
anand_srinivasan
Comment 1 2026-02-27 11:42:14 PST
EWS
Comment 2 2026-03-02 12:08:57 PST
Committed 308478@main (e3c1c1295f4a): <https://commits.webkit.org/308478@main> Reviewed commits have been landed. Closing PR #59595 and removing active labels.