Validate opcodes in lre_byte_swap

Fixes: #1376

Check that opcode bytes are < REOP_COUNT before indexing into the
reopcode_info array.

Also change lre_byte_swap to return int (-1 on error, 0 on success)
instead of aborting, and handle the error gracefully.

Author: saghul

libregexp.c

@@ -2554,14 +2554,14 @@ const char *lre_get_groupnames(const uint8_t *bc_buf)
     return (const char *)(bc_buf + RE_HEADER_LEN + re_bytecode_len);
 }
 
-void lre_byte_swap(uint8_t *buf, size_t len, bool is_byte_swapped)
+int lre_byte_swap(uint8_t *buf, size_t len, bool is_byte_swapped)
 {
     uint8_t *p, *pe;
     uint32_t n, r, nw;
 
     p = buf;
     if (len < RE_HEADER_LEN)
-        abort();
+        return -1;
 
     // format is:
     //  <header>
@@ -2576,12 +2576,14 @@ void lre_byte_swap(uint8_t *buf, size_t len, bool is_byte_swapped)
     if (is_byte_swapped)
         n = bswap32(n);
     if (n > len - RE_HEADER_LEN)
-        abort();
+        return -1;
 
     p = &buf[RE_HEADER_LEN];
     pe = &p[n];
 
     while (p < pe) {
+        if (*p >= REOP_COUNT)
+            return -1;
         n = reopcode_info[*p].size;
         switch (n) {
         case 1:
@@ -2622,10 +2624,11 @@ void lre_byte_swap(uint8_t *buf, size_t len, bool is_byte_swapped)
             inplace_bswap32(&p[13]);
             break;
         default:
-            abort();
+            return -1;
         }
         p = &p[n];
     }
+    return 0;
 }
 
 #ifdef TEST

libregexp.h

@@ -60,7 +60,7 @@ int lre_exec(uint8_t **capture,
 int lre_parse_escape(const uint8_t **pp, int allow_utf16);
 bool lre_is_space(int c);
 
-void lre_byte_swap(uint8_t *buf, size_t len, bool is_byte_swapped);
+int lre_byte_swap(uint8_t *buf, size_t len, bool is_byte_swapped);
 
 /* must be provided by the user */
 bool lre_check_stack_overflow(void *opaque, size_t alloca_size);

lre-test.c

@@ -45,8 +45,29 @@ static void oob_save_index(void)
     assert(ret < 0);
 }
 
+// https://github.com/quickjs-ng/quickjs/issues/1376
+static void invalid_opcode_byte_swap(void)
+{
+    // Bytecode with an opcode byte >= REOP_COUNT triggers an OOB read
+    // of the reopcode_info array in lre_byte_swap. Simulate the real
+    // big-endian deserialization path (is_byte_swapped=true) which is
+    // how JS_ReadRegExp calls it. The bytecode_len is stored as
+    // little-endian on disk, so it appears byte-swapped to a BE reader.
+    uint8_t bc[] = {
+        0x00, 0x00,              // RE_HEADER_FLAGS = 0
+        0x01,                    // RE_HEADER_CAPTURE_COUNT = 1
+        0x00,                    // RE_HEADER_STACK_SIZE = 0
+        0x00, 0x00, 0x00, 0x01, // RE_HEADER_BYTECODE_LEN = 1 (big-endian / byte-swapped)
+        0x1E,                    // opcode 30 >= REOP_COUNT (invalid)
+    };
+
+    int ret = lre_byte_swap(bc, sizeof(bc), /*is_byte_swapped*/true);
+    assert(ret < 0);
+}
+
 int main(void)
 {
     oob_save_index();
+    invalid_opcode_byte_swap();
     return 0;
 }

quickjs.c

@@ -37314,13 +37314,20 @@ static int JS_WriteRegExp(BCWriterState *s, JSRegExp regexp)
 
     JS_WriteString(s, regexp.pattern);
 
-    if (is_be())
-        lre_byte_swap(str8(bc), bc->len, /*is_byte_swapped*/false);
+    if (is_be()) {
+        if (lre_byte_swap(str8(bc), bc->len, /*is_byte_swapped*/false)) {
+        fail:
+            JS_ThrowInternalError(s->ctx, "regex byte swap failed");
+            return -1;
+        }
+    }
 
     JS_WriteString(s, bc);
 
-    if (is_be())
-        lre_byte_swap(str8(bc), bc->len, /*is_byte_swapped*/true);
+    if (is_be()) {
+        if (lre_byte_swap(str8(bc), bc->len, /*is_byte_swapped*/true))
+            goto fail;
+    }
 
     return 0;
 }
@@ -38577,8 +38584,13 @@ static JSValue JS_ReadRegExp(BCReaderState *s)
         return JS_ThrowInternalError(ctx, "bad regexp bytecode");
     }
 
-    if (is_be())
-        lre_byte_swap(str8(bc), bc->len, /*is_byte_swapped*/true);
+    if (is_be()) {
+        if (lre_byte_swap(str8(bc), bc->len, /*is_byte_swapped*/true)) {
+            js_free_string(ctx->rt, pattern);
+            js_free_string(ctx->rt, bc);
+            return JS_ThrowInternalError(ctx, "bad regexp bytecode");
+        }
+    }
 
     return js_regexp_constructor_internal(ctx, JS_UNDEFINED,
                                           JS_MKPTR(JS_TAG_STRING, pattern),