Fix stack overflow if executing regex full of hundreds of open brackets (fix #1487)

gfwilliams · gfwilliams · commit 7ef769f4b67a · 2018-09-03T15:11:53.000+01:00
diff --git a/ChangeLog b/ChangeLog
@@ -71,6 +71,7 @@
             Pixl.js: Add Pixl.setLCDPower to allow the LCD to be powered off, more than halving power consumption
             nRF5x: Allow NRF.setScan and NRF.findDevices to take the same search filters NRF.requestDevice does (fix #1496)
             Fix buffer overrun if we have to reallocate a pointer to argument lists when calling a function (fix #1491)
+            Fix stack overflow if executing regex full of hundreds of open brackets (fix #1487)
 
      1v99 : Increase jslMatch error buffer size to handle "UNFINISHED TEMPLATE LITERAL" string (#1426)
             nRF5x: Make FlashWrite cope with flash writes > 4k
diff --git a/src/jsparse.c b/src/jsparse.c
@@ -215,6 +215,7 @@ void jspeiLoadScopesFromVar(JsVar *arr) {
     execInfo.scopes[execInfo.scopeCount++] = jsvLockAgain(arr);
 }
 // -----------------------------------------------
+/// Check that we have enough stack to recurse. Return true if all ok, error if not.
 bool jspCheckStackPosition() {
   if (jsuGetFreeStack() < 512) { // giving us 512 bytes leeway
     jsExceptionHere(JSET_ERROR, "Too much recursion - the stack is about to overflow");
diff --git a/src/jsparse.h b/src/jsparse.h
@@ -29,6 +29,9 @@ bool jspIsConstructor(JsVar *constructor, const char *constructorName);
 /** Get the constructor of the given object, or return 0 if ot found, or not a function */
 JsVar *jspGetConstructor(JsVar *object);
 
+/// Check that we have enough stack to recurse. Return true if all ok, error if not.
+bool jspCheckStackPosition();
+
 /// Create a new built-in object that jswrapper can use to check for built-in functions
 JsVar *jspNewBuiltin(const char *name);
 
diff --git a/src/jswrap_regexp.c b/src/jswrap_regexp.c
@@ -172,10 +172,13 @@ JsVar *matchhere(char *regexp, JsvStringIterator *txtIt, matchInfo info) {
     info.groupStart[info.groups] = jsvStringIteratorGetIndex(txtIt);
     info.groupEnd[info.groups] = info.groupStart[info.groups];
     if (info.groups<MAX_GROUPS) info.groups++;
+    if (!jspCheckStackPosition()) return 0;
     return matchhere(regexp+1, txtIt, info);
   }
   if (regexp[0] == ')') {
-    info.groupEnd[info.groups-1] = jsvStringIteratorGetIndex(txtIt);
+    if (info.groups>0)
+      info.groupEnd[info.groups-1] = jsvStringIteratorGetIndex(txtIt);
+    if (!jspCheckStackPosition()) return 0;
     return matchhere(regexp+1, txtIt, info);
   }
   int charLength;
@@ -219,6 +222,7 @@ JsVar *matchhere(char *regexp, JsvStringIterator *txtIt, matchInfo info) {
   //
   if (jsvStringIteratorHasChar(txtIt) && charMatched) {
     jsvStringIteratorNext(txtIt);
+    if (!jspCheckStackPosition()) return 0;
     return matchhere(regexp+charLength, txtIt, info);
   }
   return 0;

Original file line number	Diff line number	Diff line change
`@@ -215,6 +215,7 @@ void jspeiLoadScopesFromVar(JsVar *arr) {`
`215`	`215`	`execInfo.scopes[execInfo.scopeCount++] = jsvLockAgain(arr);`
`216`	`216`	`}`
`217`	`217`	`// -----------------------------------------------`
	`218`	`+/// Check that we have enough stack to recurse. Return true if all ok, error if not.`
`218`	`219`	`bool jspCheckStackPosition() {`
`219`	`220`	`if (jsuGetFreeStack() < 512) { // giving us 512 bytes leeway`
`220`	`221`	`jsExceptionHere(JSET_ERROR, "Too much recursion - the stack is about to overflow");`