
Side by Side Diff: src/parser.cc

Issue 21078: RegExp parser: Fixed unchecked numeric overflow bug. (Closed)
Patch Set: Created 11 years, 10 months ago
1 // Copyright 2006-2008 the V8 project authors. All rights reserved. 1 // Copyright 2006-2008 the V8 project authors. All rights reserved.
2 // Redistribution and use in source and binary forms, with or without 2 // Redistribution and use in source and binary forms, with or without
3 // modification, are permitted provided that the following conditions are 3 // modification, are permitted provided that the following conditions are
4 // met: 4 // met:
5 // 5 //
6 // * Redistributions of source code must retain the above copyright 6 // * Redistributions of source code must retain the above copyright
7 // notice, this list of conditions and the following disclaimer. 7 // notice, this list of conditions and the following disclaimer.
8 // * Redistributions in binary form must reproduce the above 8 // * Redistributions in binary form must reproduce the above
9 // copyright notice, this list of conditions and the following 9 // copyright notice, this list of conditions and the following
10 // disclaimer in the documentation and/or other materials provided 10 // disclaimer in the documentation and/or other materials provided
(...skipping 3920 matching lines...) Expand 10 before | Expand all | Expand 10 after
3931 } 3931 }
3932 *index_out = value; 3932 *index_out = value;
3933 return true; 3933 return true;
3934 } 3934 }
3935 3935
3936 3936
3937 // QuantifierPrefix :: 3937 // QuantifierPrefix ::
3938 // { DecimalDigits } 3938 // { DecimalDigits }
3939 // { DecimalDigits , } 3939 // { DecimalDigits , }
3940 // { DecimalDigits , DecimalDigits } 3940 // { DecimalDigits , DecimalDigits }
3941 //
3942 // Returns true if parsing succeeds, and set the min_out and max_out
3943 // values. Values are set to RegExpTree::kInfinity if they overflow.
3941 bool RegExpParser::ParseIntervalQuantifier(int* min_out, int* max_out) { 3944 bool RegExpParser::ParseIntervalQuantifier(int* min_out, int* max_out) {
3942 ASSERT_EQ(current(), '{'); 3945 ASSERT_EQ(current(), '{');
3943 int start = position(); 3946 int start = position();
3944 Advance(); 3947 Advance();
3945 int min = 0; 3948 int min = 0;
3946 if (!IsDecimalDigit(current())) { 3949 if (!IsDecimalDigit(current())) {
3947 Reset(start); 3950 Reset(start);
3948 return false; 3951 return false;
3949 } 3952 }
3950 while (IsDecimalDigit(current())) { 3953 while (IsDecimalDigit(current())) {
3951 min = 10 * min + (current() - '0'); 3954 int next = current() - '0';
3955 if (min > (RegExpTree::kInfinity - next) / 10) {
3956 // Overflow. Skip past remaining decimal digits and return -1.
3957 do { Advance(); } while (IsDecimalDigit(current()));
Erik Corry 2009/02/05 11:59:36 Does this correctly handle hitting the end of the
Lasse Reichstein 2009/02/05 12:54:41 Yes. Reading current() at end of input is allowed.
3958 min = RegExpTree::kInfinity;
3959 break;
3960 }
3961 min = 10 * min + next;
3952 Advance(); 3962 Advance();
3953 } 3963 }
3954 int max = 0; 3964 int max = 0;
3955 if (current() == '}') { 3965 if (current() == '}') {
3956 max = min; 3966 max = min;
3957 Advance(); 3967 Advance();
3958 } else if (current() == ',') { 3968 } else if (current() == ',') {
3959 Advance(); 3969 Advance();
3960 if (current() == '}') { 3970 if (current() == '}') {
3961 max = RegExpTree::kInfinity; 3971 max = RegExpTree::kInfinity;
3962 Advance(); 3972 Advance();
3963 } else { 3973 } else {
3964 while (IsDecimalDigit(current())) { 3974 while (IsDecimalDigit(current())) {
3965 max = 10 * max + (current() - '0'); 3975 int next = current() - '0';
3976 if (max > (RegExpTree::kInfinity - next) / 10) {
3977 do { Advance(); } while (IsDecimalDigit(current()));
3978 max = RegExpTree::kInfinity;;
3979 break;
3980 }
3981 max = 10 * max + next;
3966 Advance(); 3982 Advance();
3967 } 3983 }
3968 if (current() != '}') { 3984 if (current() != '}') {
3969 Reset(start); 3985 Reset(start);
3970 return false; 3986 return false;
3971 } 3987 }
3972 Advance(); 3988 Advance();
3973 } 3989 }
3974 } else { 3990 } else {
3975 Reset(start); 3991 Reset(start);
(...skipping 395 matching lines...) Expand 10 before | Expand all | Expand 10 after
4371 start_position, 4387 start_position,
4372 is_expression); 4388 is_expression);
4373 return result; 4389 return result;
4374 } 4390 }
4375 4391
4376 4392
4377 #undef NEW 4393 #undef NEW
4378 4394
4379 4395
4380 } } // namespace v8::internal 4396 } } // namespace v8::internal
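Review bot: The inline comment in the min loop (new line 3956) says the code will "return -1", but the branch saturates `min` to `RegExpTree::kInfinity` and breaks, which is also what the new header comment documents; I would reword it to `// Overflow. Skip remaining decimal digits and saturate to kInfinity.` and repeat it on the matching branch of the max loop (new line 3976), which has no comment. New line 3978 ends in a stray second semicolon; `max = RegExpTree::kInfinity;` is enough. Because both bounds saturate to the same value, an interval whose min and max both overflow ends up with min == max, so a min/max ordering check would no longer see the order the author wrote; that check is not visible in this hunk, so this should be confirmed in the caller. ParseIntervalQuantifier continues past the end of the visible hunk.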