RegExp parsing fails on character classes which contain a match for NUL character

Question

RegExp parsing fails on character classes which contain a match for NUL character

Fordi opened this issue 8 years ago · comments

Bryan Elliott commented 8 years ago

~~Attached jslint.js (zipped)~~
~~jslint.js.zip~~

Version: ea633dd

Steps to reproduce:
- Check out clean v7: git clone https://github.com/cesanta/v7.git
- Build v7 standalone: make v7 'V7_FLAGS+=-DV7_LARGE_AST'
- ~~Run jslint.js: ./v7 ../jslint.js~~
- Run ./v7 -e '/[\x00]/'
Expected: About ~~350~~ 88ms wait, no output, no errors
Actual: 35 4ms wait, no output, following error:

Exec error [bilded/fixture/jslint.js]: "Invalid regex"
undefined

Bryan Elliott · Answer 1 · Fri Jul 01 2016 04:10:51 GMT+0800 (China Standard Time)

Tracked down the offending regexp:

var rx_unsafe = /[\u0000-\u001f\u007f-\u009f\u00ad\u0600-\u0604\u070f\u17b4\u17b5\u200c-\u200f\u2028-\u202f\u2060-\u206f\ufeff\ufff0-\uffff]/;

Can get the same result with ./v7 -e '/[\x00]/'

Updating ticket title to reflect real bug.

Bryan Elliott · Answer 2 · Fri Jul 01 2016 04:28:24 GMT+0800 (China Standard Time)

I was able to locate the error message, and piece out that slre_compile is returning SLRE_MALFORMED_CHARSET, which implies to me that the escapes are getting preprocessed somewhere? I don't know how to run a debugger in C, so that's about as far as I got, since I got no stack.

goniz · Answer 3 · Fri Jul 01 2016 04:33:38 GMT+0800 (China Standard Time)

I've encountered this today as well..
this code seems to be present in pure js json parsers as well and gets broken by this issue.

Bryan Elliott · Answer 4 · Fri Jul 01 2016 04:58:04 GMT+0800 (China Standard Time)

Seems to come down to the fact that "Rune" is a uint_16 and slre_env uses slre_env->curr_rune == 0 as an error flag.

Bryan Elliott · Answer 5 · Fri Jul 01 2016 05:07:33 GMT+0800 (China Standard Time)

Another RX that throws SLRE_MALFORMED_CHARSET:

/[`\\]/