From 1a7790f873b1a73d1cfec9548eb08a3b9fd798f3 Mon Sep 17 00:00:00 2001
From: Michael Holman
Date: Tue, 22 Jan 2019 15:14:37 -0800
Subject: [PATCH] [CVE-2019-0648] Edge - ChakraCore OOB read - Individual
---
 lib/Parser/RegexParser.cpp | 31 +++++++++++--------------------
 1 file changed, 11 insertions(+), 20 deletions(-)
diff --git a/lib/Parser/RegexParser.cpp b/lib/Parser/RegexParser.cpp
index 1db3ecc6849..b19978c24c7 100644
--- a/lib/Parser/RegexParser.cpp
+++ b/lib/Parser/RegexParser.cpp
@@ -2493,32 +2493,23 @@ namespace UnifiedRegex
 case 'W':
 return false;
 case 'c':
- if (standardEncodedChars->IsLetter(ECLookahead())) // terminating 0 is not a letter
+ if (!standardEncodedChars->IsLetter(ECLookahead())) //Letter set [A-Z, a-z]
+ {
+ // Fail in unicode mode for non-letter escaped control characters according to 262 Annex-B RegExp grammar spec #prod-annexB-Term
+ DeferredFailIfUnicode(JSERR_RegExpInvalidEscape);
+ }
+
+ if (standardEncodedChars->IsWord(ECLookahead())) // word set [A-Z,a-z,0-9,_], terminating 0 is not a word character
 {
 singleton = UTC(Chars::CTU(ECLookahead()) % 32);
 ECConsume();
 }
 else
 {
- DeferredFailIfUnicode(JSERR_RegExpInvalidEscape); // Fail in unicode mode for non-letter escaped control characters according to 262 Annex-B RegExp grammar spec #prod-annexB-Term
-
- if (!IsEOF())
- {
- EncodedChar ecLookahead = ECLookahead();
- switch (ecLookahead)
- {
- case '-':
- case ']':
- singleton = c;
- break;
- default:
- singleton = UTC(Chars::CTU(ecLookahead) % 32);
- ECConsume();
- break;
- }
- }
- else
- singleton = c;
+ // If the lookahead is a non-alphanumeric and not an underscore ('_'), then treat '\' and 'c' separately.
+ //#sec-regular-expression-patterns-semantics
+ ECRevert(1); //Put cursor back at 'c' and treat it as a non-escaped character.
+ singleton = '\\';
 }
 return true;
 case 'x':
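Review bot: The consume path in `case 'c':` is now bounded only by `IsWord(ECLookahead())` returning false at end of input. The trailing comment says so ("terminating 0 is not a word character"), but nothing in the hunk enforces it, and the explicit `IsEOF()` check from the removed branch is gone. Since this is the condition the out-of-bounds fix rests on, I would state it in code, e.g. `if (!IsEOF() && standardEncodedChars->IsWord(ECLookahead()))`, or assert it, assuming `IsEOF()` is reliable at this point. The lookahead is also read three times; a local `const EncodedChar ec = ECLookahead();` would keep the check and the `% 32` computation on the same value. The diffstat lists only RegexParser.cpp, so a regression test for `\c` at the end of a class and before non-word characters would be worth adding; the enclosing switch and function start and end outside the hunk.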