
Commit 1a7790f

committed
[CVE-2019-0648] Edge - ChakraCore OOB read - Individual
1 parent 33c0b97 commit 1a7790f


1 file changed

+11
-20
lines changed


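--- a/lib/Parser/RegexParser.cpp
+++ b/lib/Parser/RegexParser.cpp
@@ -2493,32 +2493,23 @@ namespace UnifiedRegex
 case 'W':
 return false;
 case 'c':
-if (standardEncodedChars->IsLetter(ECLookahead())) // terminating 0 is not a letter
+if (!standardEncodedChars->IsLetter(ECLookahead())) //Letter set [A-Z, a-z]
+{
+// Fail in unicode mode for non-letter escaped control characters according to 262 Annex-B RegExp grammar spec #prod-annexB-Term
+DeferredFailIfUnicode(JSERR_RegExpInvalidEscape);
+}
+
+if (standardEncodedChars->IsWord(ECLookahead())) // word set [A-Z,a-z,0-9,_], terminating 0 is not a word character
 {
 singleton = UTC(Chars<EncodedChar>::CTU(ECLookahead()) % 32);
 ECConsume();
 }
 else
 {
-DeferredFailIfUnicode(JSERR_RegExpInvalidEscape); // Fail in unicode mode for non-letter escaped control characters according to 262 Annex-B RegExp grammar spec #prod-annexB-Term
-
-if (!IsEOF())
-{
-EncodedChar ecLookahead = ECLookahead();
-switch (ecLookahead)
-{
-case '-':
-case ']':
-singleton = c;
-break;
-default:
-singleton = UTC(Chars<EncodedChar>::CTU(ecLookahead) % 32);
-ECConsume();
-break;
-}
-}
-else
-singleton = c;
+// If the lookahead is a non-alphanumeric and not an underscore ('_'), then treat '\' and 'c' separately.
+//#sec-regular-expression-patterns-semantics
+ECRevert(1); //Put cursor back at 'c' and treat it as a non-escaped character.
+singleton = '\\';
 }
 return true;
 case 'x':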
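Review bot: The new `case 'c'` calls `ECLookahead()` with no `IsEOF()` guard (the removed else-branch had one), so safety at end of input now rests on the terminating 0 failing both `IsLetter` and `IsWord`, which only the trailing comment on the `IsWord` line mentions. I would state that invariant above the first check, e.g. `// At end of input the lookahead is the terminating 0, which is neither a letter nor a word character, so nothing is consumed and the ECRevert path is taken.` `ECRevert(1)` likewise assumes the cursor sits exactly one encoded unit past `c`; if another pass parses class escapes separately (not visible here), it has to reach the same consume/revert decision or the two will disagree on how much input was read. The commit touches only RegexParser.cpp, so a regression test covering `\c` followed by `-`, `]`, a digit, `_` and end of pattern, in both unicode and non-unicode mode, would pin the fix. The enclosing switch and function start and end outside the hunk.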
