From e98f5342f9d1dcb800bbd2ee6916153c5c148283 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?D=C3=A1niel=20B=C3=A1tyai?= <daniel.batyai@h-lab.eu>
Date: Fri, 28 Aug 2020 13:09:53 +0200
Subject: [PATCH] Fix leaking lastIndex values in RegExp built-ins (#4166)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

JerryScript-DCO-1.0-Signed-off-by: Dániel Bátyai daniel.batyai@h-lab.eu
---
 jerry-core/ecma/base/ecma-helpers-value.c     |  1 -
 .../ecma/operations/ecma-regexp-object.c      | 43 ++++++++++++-------
 tests/jerry/es.next/symbol-replace.js         | 31 ++++++++++++-
 3 files changed, 58 insertions(+), 17 deletions(-)

diff --git a/jerry-core/ecma/base/ecma-helpers-value.c b/jerry-core/ecma/base/ecma-helpers-value.c
index deb826404..39d15e179 100644
--- a/jerry-core/ecma/base/ecma-helpers-value.c
+++ b/jerry-core/ecma/base/ecma-helpers-value.c
@@ -567,7 +567,6 @@ ecma_make_length_value (ecma_length_t number) /**< number to be encoded */
     return ecma_make_integer_value ((ecma_integer_value_t) number);
   }
 
-  JERRY_ASSERT (number <= ECMA_NUMBER_MAX_SAFE_INTEGER);
   return ecma_create_float_number ((ecma_number_t) number);
 } /* ecma_make_length_value */
 
diff --git a/jerry-core/ecma/operations/ecma-regexp-object.c b/jerry-core/ecma/operations/ecma-regexp-object.c
index ec0ccce26..17198b778 100644
--- a/jerry-core/ecma/operations/ecma-regexp-object.c
+++ b/jerry-core/ecma/operations/ecma-regexp-object.c
@@ -2263,11 +2263,14 @@ ecma_regexp_split_helper (ecma_value_t this_arg, /**< this value */
   while (current_index < string_length)
   {
     /* 24.a-b. */
+    ecma_value_t index_value = ecma_make_length_value (current_index);
     result = ecma_op_object_put (splitter_obj_p,
                                  lastindex_str_p,
-                                 ecma_make_length_value (current_index),
+                                 index_value,
                                  true);
 
+    ecma_free_value (index_value);
+
     if (ECMA_IS_VALUE_ERROR (result))
     {
       goto cleanup_array;
@@ -2771,11 +2774,14 @@ ecma_regexp_replace_helper_fast (ecma_replace_context_t *ctx_p, /**<replace cont
 #if ENABLED (JERRY_ESNEXT)
         if (JERRY_UNLIKELY ((re_ctx.flags & RE_FLAG_STICKY) != 0))
         {
+          ecma_value_t index_value = ecma_make_length_value (index);
           result = ecma_op_object_put ((ecma_object_t *) re_obj_p,
                                        ecma_get_magic_string (LIT_MAGIC_STRING_LASTINDEX_UL),
-                                       ecma_make_length_value (index),
+                                       index_value,
                                        true);
 
+          ecma_free_value (index_value);
+
           if (ECMA_IS_VALUE_ERROR (result))
           {
             goto cleanup_builder;
@@ -3063,24 +3069,28 @@ ecma_regexp_replace_helper (ecma_value_t this_arg, /**< this argument */
         goto cleanup_results;
       }
 
+      ecma_value_t last_index = result;
+
       ecma_length_t index;
-      if (ECMA_IS_VALUE_ERROR (ecma_op_to_length (result, &index)))
+      result = ecma_op_to_length (last_index, &index);
+      ecma_free_value (last_index);
+
+      if (ECMA_IS_VALUE_ERROR (result))
       {
-        ecma_free_value (result);
-        result = ECMA_VALUE_ERROR;
         goto cleanup_results;
       }
 
-      ecma_free_value (result);
-
       index = ecma_op_advance_string_index (string_p, index, (replace_ctx.flags & RE_FLAG_UNICODE) != 0);
+      last_index = ecma_make_length_value (index);
 
       /* 10.d.iii.3.c */
       result = ecma_op_object_put (this_obj_p,
                                    ecma_get_magic_string (LIT_MAGIC_STRING_LASTINDEX_UL),
-                                   ecma_make_length_value (index),
+                                   last_index,
                                    true);
 
+      ecma_free_value (last_index);
+
       if (ECMA_IS_VALUE_ERROR (result))
       {
         goto cleanup_results;
@@ -3469,18 +3479,18 @@ ecma_regexp_match_helper (ecma_value_t this_arg, /**< this argument */
 
     if (is_match_empty)
     {
-      ecma_value_t this_index = ecma_op_object_get_by_magic_id (obj_p, LIT_MAGIC_STRING_LASTINDEX_UL);
+      ecma_value_t last_index = ecma_op_object_get_by_magic_id (obj_p, LIT_MAGIC_STRING_LASTINDEX_UL);
 
-      if (ECMA_IS_VALUE_ERROR (this_index))
+      if (ECMA_IS_VALUE_ERROR (last_index))
       {
         goto result_cleanup;
       }
 
 #if ENABLED (JERRY_ESNEXT)
       ecma_length_t index;
-      ecma_value_t length_value = ecma_op_to_length (this_index, &index);
+      ecma_value_t length_value = ecma_op_to_length (last_index, &index);
 
-      ecma_free_value (this_index);
+      ecma_free_value (last_index);
 
       if (ECMA_IS_VALUE_ERROR (length_value))
       {
@@ -3489,20 +3499,23 @@ ecma_regexp_match_helper (ecma_value_t this_arg, /**< this argument */
 
       index = ecma_op_advance_string_index (str_p, index, full_unicode);
 
+      last_index = ecma_make_length_value (index);
       ecma_value_t next_set_status = ecma_op_object_put (obj_p,
                                                          ecma_get_magic_string (LIT_MAGIC_STRING_LASTINDEX_UL),
                                                          ecma_make_length_value (index),
                                                          true);
 #else /* !ENABLED (JERRY_ESNEXT) */
-      ecma_number_t next_index = ecma_get_number_from_value (this_index);
+      ecma_number_t index = ecma_get_number_from_value (last_index);
+      ecma_free_value (last_index);
 
+      last_index = ecma_make_number_value (index + 1);
       ecma_value_t next_set_status = ecma_op_object_put (obj_p,
                                                          ecma_get_magic_string (LIT_MAGIC_STRING_LASTINDEX_UL),
-                                                         ecma_make_number_value (next_index + 1),
+                                                         last_index,
                                                          true);
 
-      ecma_free_value (this_index);
 #endif /* ENABLED (JERRY_ESNEXT) */
+      ecma_free_value (last_index);
 
       if (ECMA_IS_VALUE_ERROR (next_set_status))
       {
diff --git a/tests/jerry/es.next/symbol-replace.js b/tests/jerry/es.next/symbol-replace.js
index 7bd12e642..b36c53a67 100644
--- a/tests/jerry/es.next/symbol-replace.js
+++ b/tests/jerry/es.next/symbol-replace.js
@@ -721,4 +721,33 @@ assert(r[Symbol.replace]("aaaa", function(match, index) {
 }) === "baaa");
 
 assert (replaceCalled);
-assert (r.lastIndex === 2)
+assert (r.lastIndex === 2);
+
+(function () {
+  var r = /./g;
+  var execWasCalled = false;
+  var coercibleIndex = {
+    valueOf: function() {
+      return Math.pow(2, 54);
+    },
+  };
+
+  var result = {
+    length: 1,
+    0: '',
+    index: 0,
+  };
+
+  r.exec = function() {
+    if (execWasCalled) {
+      return null;
+    }
+
+    r.lastIndex = coercibleIndex;
+    execWasCalled = true;
+    return result;
+  };
+
+  assert(r[Symbol.replace]('', '') === '');
+  assert(r.lastIndex === Math.pow(2, 53));
+})();