Segmentation fault in function ecma_regexp_match in file ecma-regexp-object.c

[vulsReport]

version:
commit 4dc2cb3

Build command:
/tools/build.py --clean --debug --compile-flag=-fsanitize=address --compile-flag=-m32 --compile-flag=-fno-omit-frame-pointer --compile-flag=-fno-common --compile-flag=-g --strip=off --system-allocator=on --logging=on

poc:
var v0 = /((\b){100000,})\3/g;
(v1) = v0.exec("abc abc");

running results:
~/jerryscript/bin$ ./jerry poc.js
Segmentation fault (core dumped)

stack trace:
(rr) bt
#0 0x0000561a6169361a in re_get_opcode (
bc_p=<error reading variable: Cannot access memory at address 0x7ffcfb46aff8>) at /home/zdz/jerryscript/jerry-core/parser/regexp/re-bytecode.c:169
#1 0x0000561a616a2faf in ecma_regexp_match (re_ctx_p=0x7ffcfbc8a650,
bc_p=0x561a619e53e3 <jerry_global_heap+643> "\025\004",
str_curr_p=0x561a619e538c <jerry_global_heap+556> "abc abc\177")
at /home/zdz/jerryscript/jerry-core/ecma/operations/ecma-regexp-object.c:545
#2 0x0000561a616a413c in ecma_regexp_match (re_ctx_p=0x7ffcfbc8a650,
bc_p=0x561a619e53e3 <jerry_global_heap+643> "\025\004",
str_curr_p=0x561a619e538c <jerry_global_heap+556> "abc abc\177")
at /home/zdz/jerryscript/jerry-core/ecma/operations/ecma-regexp-object.c:1122
#3 0x0000561a616a413c in ecma_regexp_match (re_ctx_p=0x7ffcfbc8a650,
bc_p=0x561a619e53e3 <jerry_global_heap+643> "\025\004",
str_curr_p=0x561a619e538c <jerry_global_heap+556> "abc abc\177")
at /home/zdz/jerryscript/jerry-core/ecma/operations/ecma-regexp-object.c:1122
#4 0x0000561a616a413c in ecma_regexp_match (re_ctx_p=0x7ffcfbc8a650,
bc_p=0x561a619e53e3 <jerry_global_heap+643> "\025\004",
str_curr_p=0x561a619e538c <jerry_global_heap+556> "abc abc\177")
at /home/zdz/jerryscript/jerry-core/ecma/operations/ecma-regexp-object.c:1122
#5 0x0000561a616a413c in ecma_regexp_match (re_ctx_p=0x7ffcfbc8a650,
bc_p=0x561a619e53e3 <jerry_global_heap+643> "\025\004",
str_curr_p=0x561a619e538c <jerry_global_heap+556> "abc abc\177")
at /home/zdz/jerryscript/jerry-core/ecma/operations/ecma-regexp-object.c:11---Type to continue, or q to quit---
22
#6 0x0000561a616a413c in ecma_regexp_match (re_ctx_p=0x7ffcfbc8a650,
bc_p=0x561a619e53e3 <jerry_global_heap+643> "\025\004",
str_curr_p=0x561a619e538c <jerry_global_heap+556> "abc abc\177")
at /home/zdz/jerryscript/jerry-core/ecma/operations/ecma-regexp-object.c:1122

Found by Dongzhuo Zhao working with ADLab of Venustech

[dbatyai]

This is a general call stack overflow due to the large minimum iteration count in the quantifier.
It can be handled by using the --stack-limit compile flag, which will cause the engine to throw a RangeError when the limit is exceeded.