LibRegex: Check backreference index before looking it up

If a backref happens after it's cleared, the slot may be cleared already.
2025-04-22 04:25:13 +00:00 · 2025-04-06 01:56:18 +02:00 · 2025-04-06 01:56:18 +02:00 · 50554e4322
commit 50554e4322
parent fe1962d7fa
2 changed files with 5 additions and 0 deletions
--- a/Libraries/LibRegex/RegexByteCode.cpp
+++ b/Libraries/LibRegex/RegexByteCode.cpp
@ -585,6 +585,9 @@ ALWAYS_INLINE ExecutionResult OpCode_Compare::execute(MatchInput const& input, M
        }
        case CharacterCompareType::Reference: {
            auto reference_number = (size_t)m_bytecode->at(offset++);
+            if (input.match_index >= state.capture_group_matches.size())
+                return ExecutionResult::Failed_ExecuteLowPrioForks;
+
            auto& groups = state.capture_group_matches.at(input.match_index);
            if (groups.size() <= reference_number)
                return ExecutionResult::Failed_ExecuteLowPrioForks;
--- a/Tests/LibRegex/Regex.cpp
+++ b/Tests/LibRegex/Regex.cpp
@ -741,6 +741,8 @@ TEST_CASE(ECMA262_match)
        // Tests nested lookahead with alternation - verifies proper save/restore stack cleanup
        { "a(?=.(?=c)|b)b"sv, "ab"sv, true },
        { "(?=)(?=\\d)"sv, "smart"sv, false },
+        // Backrefs are cleared after lookaheads, the indices should be checked before lookup.
+        { "(?!(b))\\1"sv, "a"sv, false },
    };

    for (auto& test : tests) {