Samsung/escargot

stack-overflow in third_party/yarr/YarrPattern.cpp

Ye0nny opened this issue · 0 comments

Escargot

  • OS: Ubuntu 20.04.5 LTS (Linux 5.4.0-144-generic x86_64)
  • Revision: bd95de3

Build Steps

cmake -DCMAKE_CXX_FLAGS=-fsanitize=address -DESCARGOT_MODE=debug -DESCARGOT_OUTPUT=shell -GNinja

Describe the bug
Stack overflow

Test case

// testcase

var a = " " ; 
for ( var e = 0 ; e < 1000.0 ; e ++ ) { a += " a? " ; } " test ". match ( RegExp ( a ) ) ; 
var r = " " ; 
for ( var e = 0 ; e < 64 ; e ++ ) { 
	r += " ( a? | b? | c? | d? | e? | f? | g? ) " ; 
} 
" test ". match ( RegExp ( RegExp ( r ) ) ) ; 
Math. fround ( 1e3 ) ; 
var t = " a " ; 
for ( var e = 0 ; e < 100000.0 ; e ++ ) { 
	t = " ( " + t + " ) a " ; 
} 
" test ". match ( RegExp ( t ) ) ;

// poc.js
var t = " a " ;
for ( var e = 0 ; e < 100000.0 ; e ++ ) {
        t = " ( " + t + " ) a " ;
}
" test ". match ( RegExp ( t ) ) ;

Execution steps & Output

$ ./escargot poc.js
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3488637==ERROR: AddressSanitizer: stack-overflow on address 0x7ffed286ffe8 (pc 0x55cc14280258 bp 0x7ffed28700f0 sp 0x7ffed286ffc0 T0)
    #0 0x55cc14280257 in JSC::Yarr::YarrPatternConstructor::setupAlternativeOffsets(JSC::Yarr::PatternAlternative*, unsigned int, unsigned int, unsigned int&) third_party/yarr/YarrPattern.cpp:798
    #1 0x55cc142817c3 in JSC::Yarr::YarrPatternConstructor::setupDisjunctionOffsets(JSC::Yarr::PatternDisjunction*, unsigned int, unsigned int, unsigned int&) third_party/yarr/YarrPattern.cpp:929
    #2 0x55cc14280c9b in JSC::Yarr::YarrPatternConstructor::setupAlternativeOffsets(JSC::Yarr::PatternAlternative*, unsigned int, unsigned int, unsigned int&) third_party/yarr/YarrPattern.cpp:863
    #3 0x55cc142817c3 in JSC::Yarr::YarrPatternConstructor::setupDisjunctionOffsets(JSC::Yarr::PatternDisjunction*, unsigned int, unsigned int, unsigned int&) third_party/yarr/YarrPattern.cpp:929
    #4 0x55cc14280c9b in JSC::Yarr::YarrPatternConstructor::setupAlternativeOffsets(JSC::Yarr::PatternAlternative*, unsigned int, unsigned int, unsigned int&) third_party/yarr/YarrPattern.cpp:863
    #5 0x55cc142817c3 in JSC::Yarr::YarrPatternConstructor::setupDisjunctionOffsets(JSC::Yarr::PatternDisjunction*, unsigned int, unsigned int, unsigned int&) third_party/yarr/YarrPattern.cpp:929
    #6 0x55cc14280c9b in JSC::Yarr::YarrPatternConstructor::setupAlternativeOffsets(JSC::Yarr::PatternAlternative*, unsigned int, unsigned int, unsigned int&) third_party/yarr/YarrPattern.cpp:863
    #7 0x55cc142817c3 in JSC::Yarr::YarrPatternConstructor::setupDisjunctionOffsets(JSC::Yarr::PatternDisjunction*, unsigned int, unsigned int, unsigned int&) third_party/yarr/YarrPattern.cpp:929
    #8 0x55cc14280c9b in JSC::Yarr::YarrPatternConstructor::setupAlternativeOffsets(JSC::Yarr::PatternAlternative*, unsigned int, unsigned int, unsigned int&) third_party/yarr/YarrPattern.cpp:863
    ...
    ...
    #238 0x55cc14280c9b in JSC::Yarr::YarrPatternConstructor::setupAlternativeOffsets(JSC::Yarr::PatternAlternative*, unsigned int, unsigned int, unsigned int&) third_party/yarr/YarrPattern.cpp:863
    #239 0x55cc142817c3 in JSC::Yarr::YarrPatternConstructor::setupDisjunctionOffsets(JSC::Yarr::PatternDisjunction*, unsigned int, unsigned int, unsigned int&) third_party/yarr/YarrPattern.cpp:929
    #240 0x55cc14280c9b in JSC::Yarr::YarrPatternConstructor::setupAlternativeOffsets(JSC::Yarr::PatternAlternative*, unsigned int, unsigned int, unsigned int&) third_party/yarr/YarrPattern.cpp:863
    #241 0x55cc142817c3 in JSC::Yarr::YarrPatternConstructor::setupDisjunctionOffsets(JSC::Yarr::PatternDisjunction*, unsigned int, unsigned int, unsigned int&) third_party/yarr/YarrPattern.cpp:929
    #242 0x55cc14280c9b in JSC::Yarr::YarrPatternConstructor::setupAlternativeOffsets(JSC::Yarr::PatternAlternative*, unsigned int, unsigned int, unsigned int&) third_party/yarr/YarrPattern.cpp:863
    #243 0x55cc142817c3 in JSC::Yarr::YarrPatternConstructor::setupDisjunctionOffsets(JSC::Yarr::PatternDisjunction*, unsigned int, unsigned int, unsigned int&) third_party/yarr/YarrPattern.cpp:929
    #244 0x55cc14280c9b in JSC::Yarr::YarrPatternConstructor::setupAlternativeOffsets(JSC::Yarr::PatternAlternative*, unsigned int, unsigned int, unsigned int&) third_party/yarr/YarrPattern.cpp:863
    #245 0x55cc142817c3 in JSC::Yarr::YarrPatternConstructor::setupDisjunctionOffsets(JSC::Yarr::PatternDisjunction*, unsigned int, unsigned int, unsigned int&) third_party/yarr/YarrPattern.cpp:929
    #246 0x55cc14280c9b in JSC::Yarr::YarrPatternConstructor::setupAlternativeOffsets(JSC::Yarr::PatternAlternative*, unsigned int, unsigned int, unsigned int&) third_party/yarr/YarrPattern.cpp:863
    #247 0x55cc142817c3 in JSC::Yarr::YarrPatternConstructor::setupDisjunctionOffsets(JSC::Yarr::PatternDisjunction*, unsigned int, unsigned int, unsigned int&) third_party/yarr/YarrPattern.cpp:929
    #248 0x55cc14280c9b in JSC::Yarr::YarrPatternConstructor::setupAlternativeOffsets(JSC::Yarr::PatternAlternative*, unsigned int, unsigned int, unsigned int&) third_party/yarr/YarrPattern.cpp:863

SUMMARY: AddressSanitizer: stack-overflow third_party/yarr/YarrPattern.cpp:798 in JSC::Yarr::YarrPatternConstructor::setupAlternativeOffsets(JSC::Yarr::PatternAlternative*, unsigned int, unsigned int, unsigned int&)
==3488637==ABORTING

When executed in release mode:

Output

Segmentation fault

Expected behavior
We would expect an out-of-memory condition to be detected.

Credits: @Ye0nny, @EJueon
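One mitigation at the embedding layer, as an added example that is not from this issue or the Escargot code base: a pre-flight check that measures how deeply a pattern source nests groups and refuses the nested-group shape of poc.js before it reaches the recursive setupAlternativeOffsets/setupDisjunctionOffsets path. MAX_GROUP_DEPTH, regexGroupDepth, safeRegExp and nestedPattern are assumed names, and the limit value is an assumed policy, not an Escargot constant.

```javascript
// Added example, not Escargot code: reject deeply nested regex groups up front
// so a host that compiles untrusted patterns fails with a catchable error
// instead of recursing until the native stack is exhausted.
const MAX_GROUP_DEPTH = 256; // assumed threshold; size it to the host's stack budget

// Maximum nesting depth of parenthesised groups in `source`, ignoring
// escaped parentheses and parentheses inside character classes.
function regexGroupDepth(source) {
  let depth = 0, maxDepth = 0, inClass = false;
  for (let i = 0; i < source.length; i++) {
    const ch = source[i];
    if (ch === '\\') { i++; continue; }                 // skip the escaped character
    if (inClass) { if (ch === ']') inClass = false; continue; }
    if (ch === '[') { inClass = true; continue; }
    if (ch === '(') { depth++; if (depth > maxDepth) maxDepth = depth; }
    else if (ch === ')') { depth = Math.max(0, depth - 1); }
  }
  return maxDepth;
}

// Compile only when nesting is within budget; otherwise throw a RangeError
// that the caller can handle, rather than crashing the whole process.
function safeRegExp(source, flags) {
  const depth = regexGroupDepth(source);
  if (depth > MAX_GROUP_DEPTH) {
    throw new RangeError(`regex group nesting ${depth} exceeds limit ${MAX_GROUP_DEPTH}`);
  }
  return new RegExp(source, flags);
}

// Rebuilds the "( ... ) a" shape from poc.js at a chosen depth for testing.
function nestedPattern(n) {
  let t = 'a';
  for (let e = 0; e < n; e++) t = '(' + t + ')a';
  return t;
}
```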