Add RegExp recursion depth limit

The regexp engine does not have any recursion depth check, thus it can cause problems with various regexps. Added a new build option `--regexp-recursion-limit N` whose
default value is 1000. For unlimited recursion depth use 0. Also added a build-option-test for the unlimited recursion depth.

Fixes #2448

JerryScript-DCO-1.0-Signed-off-by: Istvan Miklos imiklos2@inf.u-szeged.hu

Author: Istvan Miklos

jerry-core/CMakeLists.txt

@@ -94,6 +94,7 @@ message(STATUS "FEATURE_SYSTEM_ALLOCATOR    " ${FEATURE_SYSTEM_ALLOCATOR})
 message(STATUS "FEATURE_VALGRIND            " ${FEATURE_VALGRIND})
 message(STATUS "FEATURE_VM_EXEC_STOP        " ${FEATURE_VM_EXEC_STOP})
 message(STATUS "MEM_HEAP_SIZE_KB            " ${MEM_HEAP_SIZE_KB})
+message(STATUS "REGEXP_RECURSION_LIMIT      " ${REGEXP_RECURSION_LIMIT_N})
 
 # Include directories
 set(INCLUDE_CORE_PUBLIC "${CMAKE_CURRENT_SOURCE_DIR}/include")
@@ -242,6 +243,11 @@ if(FEATURE_REGEXP_STRICT_MODE)
   set(DEFINES_JERRY ${DEFINES_JERRY} ENABLE_REGEXP_STRICT_MODE)
 endif()
 
+# RegExp recursion depth limit
+if(REGEXP_RECURSION_LIMIT_N)
+  set(DEFINES_JERRY ${DEFINES_JERRY} REGEXP_RECURSION_LIMIT=${REGEXP_RECURSION_LIMIT_N})
+endif()
+
 # RegExp byte-code dumps
 if(FEATURE_REGEXP_DUMP)
   set(DEFINES_JERRY ${DEFINES_JERRY} REGEXP_DUMP_BYTE_CODE)

jerry-core/ecma/operations/ecma-regexp-object.c

@@ -364,6 +364,14 @@ re_match_regexp (re_matcher_ctx_t *re_ctx_p, /**< RegExp matcher context */
                  const lit_utf8_byte_t *str_p, /**< input string pointer */
                  const lit_utf8_byte_t **out_str_p) /**< [out] matching substring iterator */
 {
+#ifdef REGEXP_RECURSION_LIMIT
+  if (re_ctx_p->recursion_depth >= REGEXP_RECURSION_LIMIT)
+  {
+    ecma_value_t ret_value = ecma_raise_range_error ("RegExp executor recursion limit is exceeded.");
+    return ret_value;
+  }
+  ++re_ctx_p->recursion_depth;
+#endif /* REGEXP_RECURSION_LIMIT */
   const lit_utf8_byte_t *str_curr_p = str_p;
 
   while (true)
@@ -535,6 +543,9 @@ re_match_regexp (re_matcher_ctx_t *re_ctx_p, /**< RegExp matcher context */
           if (!sub_str_p)
           {
             match_value = re_match_regexp (re_ctx_p, bc_p, str_curr_p, &sub_str_p);
+#ifdef REGEXP_RECURSION_LIMIT
+            --re_ctx_p->recursion_depth;
+#endif /* REGEXP_RECURSION_LIMIT */
             if (ECMA_IS_VALUE_ERROR (match_value))
             {
               break;
@@ -553,6 +564,9 @@ re_match_regexp (re_matcher_ctx_t *re_ctx_p, /**< RegExp matcher context */
           {
             JERRY_TRACE_MSG ("match\n");
             match_value = re_match_regexp (re_ctx_p, bc_p, str_curr_p, &sub_str_p);
+#ifdef REGEXP_RECURSION_LIMIT
+            --re_ctx_p->recursion_depth;
+#endif /* REGEXP_RECURSION_LIMIT */
           }
           else
           {
@@ -685,6 +699,9 @@ re_match_regexp (re_matcher_ctx_t *re_ctx_p, /**< RegExp matcher context */
           uint32_t offset = re_get_value (&bc_p);
           const lit_utf8_byte_t *sub_str_p = NULL;
           ecma_value_t match_value = re_match_regexp (re_ctx_p, bc_p, str_curr_p, &sub_str_p);
+#ifdef REGEXP_RECURSION_LIMIT
+          --re_ctx_p->recursion_depth;
+#endif /* REGEXP_RECURSION_LIMIT */
 
           if (ecma_is_value_true (match_value))
           {
@@ -770,6 +787,9 @@ re_match_regexp (re_matcher_ctx_t *re_ctx_p, /**< RegExp matcher context */
 
         /* Try to match after the close paren if zero is allowed */
         ecma_value_t match_value = re_match_regexp (re_ctx_p, bc_p, str_curr_p, &sub_str_p);
+#ifdef REGEXP_RECURSION_LIMIT
+        --re_ctx_p->recursion_depth;
+#endif /* REGEXP_RECURSION_LIMIT */
 
         if (ecma_is_value_true (match_value))
         {
@@ -828,6 +848,9 @@ re_match_regexp (re_matcher_ctx_t *re_ctx_p, /**< RegExp matcher context */
         {
           offset = re_get_value (&bc_p);
           ecma_value_t match_value = re_match_regexp (re_ctx_p, bc_p, str_curr_p, &sub_str_p);
+#ifdef REGEXP_RECURSION_LIMIT
+          --re_ctx_p->recursion_depth;
+#endif /* REGEXP_RECURSION_LIMIT */
 
           if (ecma_is_value_true (match_value))
           {
@@ -852,6 +875,9 @@ re_match_regexp (re_matcher_ctx_t *re_ctx_p, /**< RegExp matcher context */
         {
           JERRY_ASSERT (end_bc_p);
           ecma_value_t match_value = re_match_regexp (re_ctx_p, end_bc_p, str_curr_p, &sub_str_p);
+#ifdef REGEXP_RECURSION_LIMIT
+          --re_ctx_p->recursion_depth;
+#endif /* REGEXP_RECURSION_LIMIT */
 
           if (ecma_is_value_true (match_value))
           {
@@ -906,6 +932,9 @@ re_match_regexp (re_matcher_ctx_t *re_ctx_p, /**< RegExp matcher context */
 
           const lit_utf8_byte_t *sub_str_p = NULL;
           ecma_value_t match_value = re_match_regexp (re_ctx_p, bc_p, str_curr_p, &sub_str_p);
+#ifdef REGEXP_RECURSION_LIMIT
+          --re_ctx_p->recursion_depth;
+#endif /* REGEXP_RECURSION_LIMIT */
 
           if (ecma_is_value_true (match_value))
           {
@@ -975,6 +1004,9 @@ re_match_regexp (re_matcher_ctx_t *re_ctx_p, /**< RegExp matcher context */
           old_start_p = re_ctx_p->saved_p[start_idx];
           re_ctx_p->saved_p[start_idx] = str_curr_p;
           ecma_value_t match_value = re_match_regexp (re_ctx_p, bc_p, str_curr_p, &sub_str_p);
+#ifdef REGEXP_RECURSION_LIMIT
+          --re_ctx_p->recursion_depth;
+#endif /* REGEXP_RECURSION_LIMIT */
 
           if (ecma_is_value_true (match_value))
           {
@@ -999,6 +1031,9 @@ re_match_regexp (re_matcher_ctx_t *re_ctx_p, /**< RegExp matcher context */
             re_ctx_p->saved_p[start_idx] = str_curr_p;
 
             match_value = re_match_regexp (re_ctx_p, bc_p, str_curr_p, &sub_str_p);
+#ifdef REGEXP_RECURSION_LIMIT
+            --re_ctx_p->recursion_depth;
+#endif /* REGEXP_RECURSION_LIMIT */
 
             if (ecma_is_value_true (match_value))
             {
@@ -1020,6 +1055,9 @@ re_match_regexp (re_matcher_ctx_t *re_ctx_p, /**< RegExp matcher context */
         {
           /* Try to match the rest of the bytecode. */
           ecma_value_t match_value = re_match_regexp (re_ctx_p, old_bc_p, str_curr_p, &sub_str_p);
+#ifdef REGEXP_RECURSION_LIMIT
+          --re_ctx_p->recursion_depth;
+#endif /* REGEXP_RECURSION_LIMIT */
 
           if (ecma_is_value_true (match_value))
           {
@@ -1055,6 +1093,9 @@ re_match_regexp (re_matcher_ctx_t *re_ctx_p, /**< RegExp matcher context */
           if (num_of_iter >= min)
           {
             ecma_value_t match_value = re_match_regexp (re_ctx_p, bc_p + offset, str_curr_p, &sub_str_p);
+#ifdef REGEXP_RECURSION_LIMIT
+            --re_ctx_p->recursion_depth;
+#endif /* REGEXP_RECURSION_LIMIT */
 
             if (ecma_is_value_true (match_value))
             {
@@ -1068,6 +1109,9 @@ re_match_regexp (re_matcher_ctx_t *re_ctx_p, /**< RegExp matcher context */
           }
 
           ecma_value_t match_value = re_match_regexp (re_ctx_p, bc_p, str_curr_p, &sub_str_p);
+#ifdef REGEXP_RECURSION_LIMIT
+          --re_ctx_p->recursion_depth;
+#endif /* REGEXP_RECURSION_LIMIT */
 
           if (!ecma_is_value_true (match_value))
           {
@@ -1103,6 +1147,9 @@ re_match_regexp (re_matcher_ctx_t *re_ctx_p, /**< RegExp matcher context */
         while (num_of_iter < max)
         {
           ecma_value_t match_value = re_match_regexp (re_ctx_p, bc_p, str_curr_p, &sub_str_p);
+#ifdef REGEXP_RECURSION_LIMIT
+          --re_ctx_p->recursion_depth;
+#endif /* REGEXP_RECURSION_LIMIT */
 
           if (!ecma_is_value_true (match_value))
           {
@@ -1121,6 +1168,9 @@ re_match_regexp (re_matcher_ctx_t *re_ctx_p, /**< RegExp matcher context */
         while (num_of_iter >= min)
         {
           ecma_value_t match_value = re_match_regexp (re_ctx_p, bc_p + offset, str_curr_p, &sub_str_p);
+#ifdef REGEXP_RECURSION_LIMIT
+          --re_ctx_p->recursion_depth;
+#endif /* REGEXP_RECURSION_LIMIT */
 
           if (ecma_is_value_true (match_value))
           {
@@ -1232,6 +1282,9 @@ ecma_regexp_exec_helper (ecma_value_t regexp_value, /**< RegExp object */
   re_ctx.input_start_p = input_curr_p;
   const lit_utf8_byte_t *input_end_p = re_ctx.input_start_p + input_buffer_size;
   re_ctx.input_end_p = input_end_p;
+#ifdef REGEXP_RECURSION_LIMIT
+  re_ctx.recursion_depth = 0;
+#endif /* REGEXP_RECURSION_LIMIT */
 
   /* 1. Read bytecode header and init regexp matcher context. */
   re_ctx.flags = bc_p->header.status_flags;

jerry-core/ecma/operations/ecma-regexp-object.h

@@ -46,6 +46,9 @@ typedef struct
   const lit_utf8_byte_t **saved_p;      /**< saved result string pointers, ECMA 262 v5, 15.10.2.1, State */
   const lit_utf8_byte_t *input_start_p; /**< start of input pattern string */
   const lit_utf8_byte_t *input_end_p;   /**< end of input pattern string */
+#ifdef REGEXP_RECURSION_LIMIT
+  uint32_t recursion_depth;             /**< recursion depth limit */
+#endif /* REGEXP_RECURSION_LIMIT */
   uint32_t num_of_captures;             /**< number of capture groups */
   uint32_t num_of_non_captures;         /**< number of non-capture groups */
   uint32_t *num_of_iterations_p;        /**< number of iterations */

jerry-core/parser/regexp/re-compiler.c

@@ -249,6 +249,14 @@ re_parse_alternative (re_compiler_ctx_t *re_ctx_p, /**< RegExp compiler context
   uint32_t idx;
   re_bytecode_ctx_t *bc_ctx_p = re_ctx_p->bytecode_ctx_p;
   ecma_value_t ret_value = ECMA_VALUE_EMPTY;
+#ifdef REGEXP_RECURSION_LIMIT
+  if (re_ctx_p->recursion_depth >= REGEXP_RECURSION_LIMIT)
+  {
+    ret_value = ecma_raise_range_error ("RegExp executor recursion limit is exceeded.");
+    return ret_value;
+  }
+  ++re_ctx_p->recursion_depth;
+#endif /* REGEXP_RECURSION_LIMIT */
 
   uint32_t alterantive_offset = re_get_bytecode_length (re_ctx_p->bytecode_ctx_p);
   bool should_loop = true;
@@ -274,6 +282,9 @@ re_parse_alternative (re_compiler_ctx_t *re_ctx_p, /**< RegExp compiler context
         JERRY_TRACE_MSG ("Compile a capture group start (idx: %u)\n", (unsigned int) idx);
 
         ret_value = re_parse_alternative (re_ctx_p, false);
+#ifdef REGEXP_RECURSION_LIMIT
+        --re_ctx_p->recursion_depth;
+#endif /* REGEXP_RECURSION_LIMIT */
 
         if (ecma_is_value_empty (ret_value))
         {
@@ -288,6 +299,9 @@ re_parse_alternative (re_compiler_ctx_t *re_ctx_p, /**< RegExp compiler context
         JERRY_TRACE_MSG ("Compile a non-capture group start (idx: %u)\n", (unsigned int) idx);
 
         ret_value = re_parse_alternative (re_ctx_p, false);
+#ifdef REGEXP_RECURSION_LIMIT
+        --re_ctx_p->recursion_depth;
+#endif /* REGEXP_RECURSION_LIMIT */
 
         if (ecma_is_value_empty (ret_value))
         {
@@ -356,6 +370,9 @@ re_parse_alternative (re_compiler_ctx_t *re_ctx_p, /**< RegExp compiler context
         re_append_opcode (bc_ctx_p, RE_OP_LOOKAHEAD_POS);
 
         ret_value = re_parse_alternative (re_ctx_p, false);
+#ifdef REGEXP_RECURSION_LIMIT
+        --re_ctx_p->recursion_depth;
+#endif /* REGEXP_RECURSION_LIMIT */
 
         if (ecma_is_value_empty (ret_value))
         {
@@ -373,6 +390,9 @@ re_parse_alternative (re_compiler_ctx_t *re_ctx_p, /**< RegExp compiler context
         re_append_opcode (bc_ctx_p, RE_OP_LOOKAHEAD_NEG);
 
         ret_value = re_parse_alternative (re_ctx_p, false);
+#ifdef REGEXP_RECURSION_LIMIT
+        --re_ctx_p->recursion_depth;
+#endif /* REGEXP_RECURSION_LIMIT */
 
         if (ecma_is_value_empty (ret_value))
         {
@@ -559,7 +579,9 @@ re_compile_bytecode (const re_compiled_code_t **out_bytecode_p, /**< [out] point
   re_ctx.flags = flags;
   re_ctx.highest_backref = 0;
   re_ctx.num_of_non_captures = 0;
-
+#ifdef REGEXP_RECURSION_LIMIT
+  re_ctx.recursion_depth = 0;
+#endif /* REGEXP_RECURSION_LIMIT */
   re_bytecode_ctx_t bc_ctx;
   bc_ctx.block_start_p = NULL;
   bc_ctx.block_end_p = NULL;

jerry-core/parser/regexp/re-compiler.h

@@ -41,6 +41,9 @@ typedef struct
   uint32_t num_of_captures;          /**< number of capture groups */
   uint32_t num_of_non_captures;      /**< number of non-capture groups */
   uint32_t highest_backref;          /**< highest backreference */
+#ifdef REGEXP_RECURSION_LIMIT
+  uint32_t recursion_depth;          /**< recursion depth limit */
+#endif /* REGEXP_RECURSION_LIMIT */
   re_bytecode_ctx_t *bytecode_ctx_p; /**< pointer of RegExp bytecode context */
   re_token_t current_token;          /**< current token */
   re_parser_ctx_t *parser_ctx_p;     /**< pointer of RegExp parser context */

tools/build.py

@@ -126,6 +126,8 @@ def devhelp(helpstring):
                          help='specify profile file')
     coregrp.add_argument('--regexp-strict-mode', metavar='X', choices=['ON', 'OFF'], type=str.upper,
                          help=devhelp('enable regexp strict mode (%(choices)s)'))
+    coregrp.add_argument('--regexp-recursion-limit', metavar='N', type=int, default=1000,
+                         help='RegExp recursion depth limit (0 for unlimited, default=1000)')
     coregrp.add_argument('--show-opcodes', metavar='X', choices=['ON', 'OFF'], type=str.upper,
                          help=devhelp('enable parser byte-code dumps (%(choices)s)'))
     coregrp.add_argument('--show-regexp-opcodes', metavar='X', choices=['ON', 'OFF'], type=str.upper,
@@ -194,6 +196,7 @@ def build_options_append(cmakeopt, cliarg):
     build_options_append('FEATURE_MEM_STRESS_TEST', arguments.mem_stress_test)
     build_options_append('FEATURE_PROFILE', arguments.profile)
     build_options_append('FEATURE_REGEXP_STRICT_MODE', arguments.regexp_strict_mode)
+    build_options_append('REGEXP_RECURSION_LIMIT_N', arguments.regexp_recursion_limit)
     build_options_append('FEATURE_PARSER_DUMP', arguments.show_opcodes)
     build_options_append('FEATURE_REGEXP_DUMP', arguments.show_regexp_opcodes)
     build_options_append('FEATURE_SNAPSHOT_EXEC', arguments.snapshot_exec)

tools/run-tests.py

@@ -142,6 +142,8 @@
             ['--jerry-cmdline-test=on']),
     Options('buildoption_test-cmdline_snapshot',
             ['--jerry-cmdline-snapshot=on']),
+    Options('buildoption_test-regexp_recursion_limit',
+            ['--regexp-recursion-limit=0']),
 ]
 
 def get_arguments():