removed buffer overflows introduced in regexp optimizations
authorFabrice Bellard <fabrice@bellard.org>
Sat, 22 Nov 2025 11:10:55 +0000 (12:10 +0100)
committerFabrice Bellard <fabrice@bellard.org>
Sat, 22 Nov 2025 11:10:55 +0000 (12:10 +0100)
libregexp.c
quickjs.c

index ca711a454964ed949ebbdfd37e5a5816c3df53f9..28f407b7208d0fac5aa6c60ca43199b16b93b9bd 100644 (file)
@@ -2737,7 +2737,7 @@ static intptr_t lre_exec_backtrack(REExecContext *s, uint8_t **capture,
                     if (idx2 >= 0)
                         capture[idx2] = sp[-1].ptr;
                     else
-                        aux_stack[-idx2 + 1] = sp[-1].ptr;
+                        aux_stack[-idx2 - 1] = sp[-1].ptr;
                     sp -= 2;
                 }
                 
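Review bot: The corrected slot mapping for negative capture indices, `aux_stack[-idx2 - 1]`, is written out by hand here and again in the second libregexp.c hunk (line `pc = sp[-3].ptr;` context), and nothing at either site records the encoding, which is how the `+ 1` variant slipped in. A comment at each write, `/* idx2 < 0 selects an aux_stack slot: slot = -idx2 - 1, so idx2 == -1 is slot 0 */`, or a single `static inline` helper used by both sites, would keep the two in step. If a bound for aux_stack is in scope in lre_exec_backtrack, an assertion on the computed slot before the store would catch a regression of this kind; the hunk does not show such a bound, so I cannot name it. lre_exec_backtrack starts and ends outside both hunks.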
@@ -2794,7 +2794,7 @@ static intptr_t lre_exec_backtrack(REExecContext *s, uint8_t **capture,
                     if (idx2 >= 0)
                         capture[idx2] = sp[-1].ptr;
                     else
-                        aux_stack[-idx2 + 1] = sp[-1].ptr;
+                        aux_stack[-idx2 - 1] = sp[-1].ptr;
                     sp -= 2;
                 }
                 pc = sp[-3].ptr;
index f91bc123bd0210a0f0a10d01ab0aaaadcb911bcd..2fcd29ad1febbb18cf8ef094f9e3d3c19b31d6e1 100644 (file)
--- a/quickjs.c
+++ b/quickjs.c
@@ -18022,7 +18022,7 @@ static JSValue JS_CallInternal(JSContext *caller_ctx, JSValueConst func_obj,
             {
                 sp[-2] = JS_NewRegexp(ctx, sp[-2], sp[-1]);
                 sp--;
-                if (JS_IsException(sp[-2]))
+                if (JS_IsException(sp[-1]))
                     goto exception;
             }
             BREAK;
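Review bot: The exception check now reads the right slot, but the ordering `sp--` before `JS_IsException(sp[-1])` is exactly the step a future reader is likely to "simplify" back into a pre-decrement check, which is what produced the original bug; a comment would pin it. Presumably the decrement has to precede the `goto exception` because JS_NewRegexp consumes both operands and the exception path unwinds whatever is below sp — that is inferred, not visible in the hunk — so something like `/* JS_NewRegexp takes both operands; pop the pattern slot first so the exception unwind sees the right stack depth */` should be confirmed against the callee before it goes in. JS_CallInternal begins and ends outside the hunk.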