RegExp parsing fails on character classes which contain a match for NUL character
Fordi opened this issue · comments
Attached jslint.js (zipped)
jslint.js.zip
Version: ea633dd
Steps to reproduce:
- Check out clean v7: git clone https://github.com/cesanta/v7.git
- Build v7 standalone: make v7 'V7_FLAGS+=-DV7_LARGE_AST'
- Run jslint.js: ./v7 ../jslint.js
- Run ./v7 -e '/[\x00]/'

Expected: About 35088ms wait, no output, no errors

Actual: 354ms wait, no output, following error:
Exec error [bilded/fixture/jslint.js]: "Invalid regex"
undefined
Tracked down the offending regexp:
var rx_unsafe = /[\u0000-\u001f\u007f-\u009f\u00ad\u0600-\u0604\u070f\u17b4\u17b5\u200c-\u200f\u2028-\u202f\u2060-\u206f\ufeff\ufff0-\uffff]/;
Can get the same result with ./v7 -e '/[\x00]/'
Updating ticket title to reflect real bug.
I was able to locate the error message, and piece out that slre_compile is returning SLRE_MALFORMED_CHARSET, which implies to me that the escapes are getting preprocessed somewhere? I don't know how to run a debugger in C, so that's about as far as I got, since I got no stack.
I've encountered this today as well.
This code seems to be present in pure JS JSON parsers as well and gets broken by this issue.
Seems to come down to the fact that "Rune" is a uint_16 and slre_env uses slre_env->curr_rune == 0 as an error flag.
Another RX that throws SLRE_MALFORMED_CHARSET:
/[`\\]/
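
The comment above attributes the failure to a 16-bit rune whose value 0 doubles as an error flag. The following added example (not code from v7 or SLRE) models that in-band pattern on a character-class body and contrasts it with a decoder that reports status separately from the decoded value. Assumptions: rune_t, next_rune, check_class_inband and check_class_fixed are hypothetical names, and only literals and \xHH / \uHHHH escapes are decoded (ranges are not interpreted).

```c
#include <stdint.h>
#include <stdio.h>

typedef uint16_t rune_t; /* hypothetical 16-bit rune, as described in the thread */

static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode one rune. Status is the return value (1 = ok, 0 = end of input or
 * bad escape); the rune goes to *out and may legitimately be 0. */
static int next_rune(const char **p, rune_t *out) {
    const char *s = *p;
    if (*s == '\0') return 0;
    if (s[0] == '\\' && (s[1] == 'x' || s[1] == 'u')) {
        int n = (s[1] == 'x') ? 2 : 4, i;
        rune_t v = 0;
        for (i = 0; i < n; i++) {
            int h = hexval(s[2 + i]); /* stops at the terminator, no over-read */
            if (h < 0) return 0;
            v = (rune_t)(v * 16 + h);
        }
        *out = v; *p = s + 2 + n;
        return 1;
    }
    *out = (unsigned char)*s; *p = s + 1;
    return 1;
}

/* In-band pattern: failure is folded into rune value 0, so a decoded NUL
 * cannot be told apart from an error. Returns -1 for "malformed charset". */
int check_class_inband(const char *body) {
    rune_t r;
    while (*body != '\0') {
        rune_t cur = next_rune(&body, &r) ? r : 0;
        if (cur == 0) return -1;
    }
    return 0;
}

/* Out-of-band pattern: only the decoder's status decides acceptance. */
int check_class_fixed(const char *body) {
    rune_t r;
    while (*body != '\0')
        if (!next_rune(&body, &r)) return -1;
    return 0;
}
```
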