Validate save index in lre_exec_backtrack

Fixes: #1375

Replace assert() with runtime check for REOP_save_start/REOP_save_end/
REOP_save_reset capture indices.

Also add lre-test with a test for this issue, and the starting point for
more lre tests.

Author: saghul

.github/workflows/ci.yml

@@ -169,6 +169,10 @@ jobs:
         run: |
           ./build/api-test
 
+      - name: test lre
+        run: |
+          ./build/lre-test
+
   windows-msvc:
     runs-on: ${{ matrix.config.os }}
     strategy:
@@ -205,6 +209,9 @@ jobs:
       - name: test api
         run: |
           build\${{matrix.config.buildType}}\api-test.exe
+      - name: test lre
+        run: |
+          build\${{matrix.config.buildType}}\lre-test.exe
       - name: Set up Visual Studio shell
         uses: egor-tensin/vs-shell@v2
         with:
@@ -245,6 +252,9 @@ jobs:
       - name: test api
         run: |
           build\${{matrix.buildType}}\api-test.exe
+      - name: test lre
+        run: |
+          build\${{matrix.buildType}}\lre-test.exe
 
   windows-ninja:
     runs-on: windows-latest
@@ -277,6 +287,9 @@ jobs:
       - name: test api
         run: |
           build\api-test.exe
+      - name: test lre
+        run: |
+          build\lre-test.exe
 
   windows-sdk:
     runs-on: windows-latest
@@ -310,6 +323,9 @@ jobs:
       - name: test api
         run: |
           build\${{matrix.buildType}}\api-test.exe
+      - name: test lre
+        run: |
+          build\${{matrix.buildType}}\lre-test.exe
 
   windows-mingw:
     runs-on: windows-latest
@@ -364,6 +380,9 @@ jobs:
     - name: test api
       run: |
         ./build/api-test
+    - name: test lre
+      run: |
+        ./build/lre-test
   windows-mingw-shared:
     runs-on: windows-latest
     defaults:
@@ -457,6 +476,10 @@ jobs:
         run: |
           ./build/api-test
 
+      - name: test lre
+        run: |
+          ./build/lre-test
+
   openbsd:
     runs-on: ubuntu-latest
     steps:

CMakeLists.txt

@@ -435,6 +435,13 @@ add_executable(api-test
 target_compile_definitions(api-test PRIVATE ${qjs_defines})
 target_link_libraries(api-test PRIVATE qjs)
 
+add_executable(lre-test
+    lre-test.c
+    libregexp.c
+    libunicode.c
+)
+target_compile_definitions(lre-test PRIVATE ${qjs_defines})
+
 # Unicode generator
 #
 

libregexp.c

@@ -2250,7 +2250,8 @@ static intptr_t lre_exec_backtrack(REExecContext *s, uint8_t **capture,
         case REOP_save_start:
         case REOP_save_end:
             val = *pc++;
-            assert(val < s->capture_count);
+            if (val >= s->capture_count)
+                return LRE_RET_BYTECODE_ERROR;
             capture[2 * val + opcode - REOP_save_start] = (uint8_t *)cptr;
             break;
         case REOP_save_reset:
@@ -2259,7 +2260,8 @@ static intptr_t lre_exec_backtrack(REExecContext *s, uint8_t **capture,
                 val = pc[0];
                 val2 = pc[1];
                 pc += 2;
-                assert(val2 < s->capture_count);
+                if (val2 >= s->capture_count)
+                    return LRE_RET_BYTECODE_ERROR;
                 while (val <= val2) {
                     capture[2 * val] = NULL;
                     capture[2 * val + 1] = NULL;

libregexp.h

@@ -43,8 +43,9 @@ extern "C" {
 #define LRE_FLAG_NAMED_GROUPS (1 << 7) /* named groups are present in the regexp */
 #define LRE_FLAG_UNICODE_SETS (1 << 8)
 
-#define LRE_RET_MEMORY_ERROR (-1)
-#define LRE_RET_TIMEOUT      (-2)
+#define LRE_RET_MEMORY_ERROR   (-1)
+#define LRE_RET_TIMEOUT        (-2)
+#define LRE_RET_BYTECODE_ERROR (-3)
 
 uint8_t *lre_compile(int *plen, char *error_msg, int error_msg_size,
                      const char *buf, size_t buf_len, int re_flags,

lre-test.c

@@ -0,0 +1,52 @@
+#ifdef NDEBUG
+#undef NDEBUG
+#endif
+#include <assert.h>
+#include <stdlib.h>
+#include <string.h>
+#include "libregexp.h"
+
+bool lre_check_stack_overflow(void *opaque, size_t alloca_size)
+{
+    return false;
+}
+
+int lre_check_timeout(void *opaque)
+{
+    return 0;
+}
+
+void *lre_realloc(void *opaque, void *ptr, size_t size)
+{
+    if (size == 0) {
+        free(ptr);
+        return NULL;
+    }
+    return realloc(ptr, size);
+}
+
+// https://github.com/quickjs-ng/quickjs/issues/1375
+static void oob_save_index(void)
+{
+    // Bytecode with REOP_save_start index=100, but capture_count=1.
+    // Without validation this causes a heap-buffer-overflow in lre_exec_backtrack.
+    uint8_t bc[] = {
+        0x00, 0x00,              // RE_HEADER_FLAGS = 0
+        0x01,                    // RE_HEADER_CAPTURE_COUNT = 1
+        0x00,                    // RE_HEADER_STACK_SIZE = 0
+        0x04, 0x00, 0x00, 0x00, // RE_HEADER_BYTECODE_LEN = 4 (little-endian)
+        0x05,                    // REOP_any
+        0x0C, 0x64,             // REOP_save_start, index=100
+        0x0B,                    // REOP_match
+    };
+
+    uint8_t *capture[2] = {NULL, NULL};
+    int ret = lre_exec(capture, bc, (const uint8_t *)"a", 0, 1, 0, NULL);
+    assert(ret < 0);
+}
+
+int main(void)
+{
+    oob_save_index();
+    return 0;
+}

meson.build

@@ -521,6 +521,20 @@ if tests.allowed()
     ),
   )
 
+  # LRE test
+  test(
+    'lre',
+    executable(
+      'lre-test',
+      'lre-test.c',
+      'libregexp.c',
+      'libunicode.c',
+
+      c_args: qjs_c_args,
+      build_by_default: false,
+    ),
+  )
+
   # Function.toString() test
   test(
     'function_source',

quickjs.c

@@ -47536,10 +47536,18 @@ static JSValue js_regexp_exec(JSContext *ctx, JSValueConst this_val,
                     goto fail;
             }
         } else {
-            if (rc == LRE_RET_TIMEOUT) {
+            switch(rc) {
+            case LRE_RET_TIMEOUT:
                 JS_ThrowInterrupted(ctx);
-            } else {
+                break;
+            case LRE_RET_MEMORY_ERROR:
                 JS_ThrowInternalError(ctx, "out of memory in regexp execution");
+                break;
+            case LRE_RET_BYTECODE_ERROR:
+                JS_ThrowInternalError(ctx, "corrupted bytecode in regexp execution");
+                break;
+            default:
+                abort();
             }
             goto fail;
         }
@@ -47726,10 +47734,18 @@ static JSValue JS_RegExpDelete(JSContext *ctx, JSValueConst this_val, JSValue ar
                         goto fail;
                 }
             } else {
-                if (ret == LRE_RET_TIMEOUT) {
+                switch(ret) {
+                case LRE_RET_TIMEOUT:
                     JS_ThrowInterrupted(ctx);
-                } else {
+                    break;
+                case LRE_RET_MEMORY_ERROR:
                     JS_ThrowInternalError(ctx, "out of memory in regexp execution");
+                    break;
+                case LRE_RET_BYTECODE_ERROR:
+                    JS_ThrowInternalError(ctx, "corrupted bytecode in regexp execution");
+                    break;
+                default:
+                    abort();
                 }
                 goto fail;
             }