[regexp] Revert to ZoneList usage in @@replace

src/runtime/runtime-regexp.cc

Index: src/runtime/runtime-regexp.cc
diff --git a/src/runtime/runtime-regexp.cc b/src/runtime/runtime-regexp.cc
index c887d459e76dfc5a8d1c23285e4d2f3a8aa8c0c9..df9f52aa59e937c9e25908ad02baae5cb2662c8c 100644
--- a/src/runtime/runtime-regexp.cc
+++ b/src/runtime/runtime-regexp.cc
@@ -1046,7 +1046,7 @@ class VectorBackedMatch : public String::Match {
  public:
   VectorBackedMatch(Isolate* isolate, Handle<String> subject,
                     Handle<String> match, int match_position,
-                    std::vector<Handle<Object>>* captures,
+                    ZoneVector<Handle<Object>>* captures,
                     Handle<Object> groups_obj)
       : isolate_(isolate),
         match_(match),
@@ -1105,7 +1105,7 @@ class VectorBackedMatch : public String::Match {
   Handle<String> subject_;
   Handle<String> match_;
   const int match_position_;
-  std::vector<Handle<Object>>* captures_;
+  ZoneVector<Handle<Object>>* captures_;
 
   bool has_named_captures_;
   Handle<JSReceiver> groups_obj_;
@@ -1839,8 +1839,8 @@ RUNTIME_FUNCTION(Runtime_RegExpReplace) {
     const uint32_t position =
         std::min(PositiveNumberToUint32(*position_obj), length);
 
-    std::vector<Handle<Object>> captures;
-    captures.reserve(captures_length);
+    // Do not reserve capacity since captures_length is user-controlled.
+    ZoneVector<Handle<Object>> captures(&zone);
 
     for (int n = 0; n < captures_length; n++) {
       Handle<Object> capture;