Add RegExp recursion depth limit

The regexp engine does not have any recursion depth check, thus it can cause problems with various regexps. Added a new build option `--regexp-recursion-limit N` whose
default value is 1000. For unlimited recursion depth use 0. Also added a build-option-test for the unlimited recursion depth.

Fixes #2448

JerryScript-DCO-1.0-Signed-off-by: Istvan Miklos imiklos2@inf.u-szeged.hu

Author: Istvan Miklos

jerry-core/CMakeLists.txt

@@ -94,6 +94,7 @@ message(STATUS "FEATURE_SYSTEM_ALLOCATOR    " ${FEATURE_SYSTEM_ALLOCATOR})
 message(STATUS "FEATURE_VALGRIND            " ${FEATURE_VALGRIND})
 message(STATUS "FEATURE_VM_EXEC_STOP        " ${FEATURE_VM_EXEC_STOP})
 message(STATUS "MEM_HEAP_SIZE_KB            " ${MEM_HEAP_SIZE_KB})
+message(STATUS "REGEXP_RECURSION_LIMIT      " ${REGEXP_RECURSION_LIMIT})
 
 # Include directories
 set(INCLUDE_CORE_PUBLIC "${CMAKE_CURRENT_SOURCE_DIR}/include")
@@ -242,6 +243,11 @@ if(FEATURE_REGEXP_STRICT_MODE)
   set(DEFINES_JERRY ${DEFINES_JERRY} ENABLE_REGEXP_STRICT_MODE)
 endif()
 
+# RegExp recursion depth limit
+if(REGEXP_RECURSION_LIMIT)
+  set(DEFINES_JERRY ${DEFINES_JERRY} REGEXP_RECURSION_LIMIT=${REGEXP_RECURSION_LIMIT})
+endif()
+
 # RegExp byte-code dumps
 if(FEATURE_REGEXP_DUMP)
   set(DEFINES_JERRY ${DEFINES_JERRY} REGEXP_DUMP_BYTE_CODE)

jerry-core/ecma/operations/ecma-regexp-object.c

@@ -364,6 +364,13 @@ re_match_regexp (re_matcher_ctx_t *re_ctx_p, /**< RegExp matcher context */
                  const lit_utf8_byte_t *str_p, /**< input string pointer */
                  const lit_utf8_byte_t **out_str_p) /**< [out] matching substring iterator */
 {
+#ifdef REGEXP_RECURSION_LIMIT
+  JERRY_STATIC_ASSERT (REGEXP_RECURSION_LIMIT > 0, regexp_recursion_limit_must_be_greater_than_zero);
+  if (--re_ctx_p->recursion_depth == 0)
+  {
+    return ecma_raise_range_error ("RegExp executor recursion limit is exceeded.");
+  }
+#endif /* REGEXP_RECURSION_LIMIT */
   const lit_utf8_byte_t *str_curr_p = str_p;
 
   while (true)
@@ -376,12 +383,14 @@ re_match_regexp (re_matcher_ctx_t *re_ctx_p, /**< RegExp matcher context */
       {
         JERRY_TRACE_MSG ("Execute RE_OP_MATCH: match\n");
         *out_str_p = str_curr_p;
+        INCREASE_RECURSION_DEPTH_COUNTER;
         return ECMA_VALUE_TRUE; /* match */
       }
       case RE_OP_CHAR:
       {
         if (str_curr_p >= re_ctx_p->input_end_p)
         {
+          INCREASE_RECURSION_DEPTH_COUNTER;
           return ECMA_VALUE_FALSE; /* fail */
         }
 
@@ -393,6 +402,7 @@ re_match_regexp (re_matcher_ctx_t *re_ctx_p, /**< RegExp matcher context */
         if (ch1 != ch2)
         {
           JERRY_TRACE_MSG ("fail\n");
+          INCREASE_RECURSION_DEPTH_COUNTER;
           return ECMA_VALUE_FALSE; /* fail */
         }
 
@@ -404,6 +414,7 @@ re_match_regexp (re_matcher_ctx_t *re_ctx_p, /**< RegExp matcher context */
       {
         if (str_curr_p >= re_ctx_p->input_end_p)
         {
+          INCREASE_RECURSION_DEPTH_COUNTER;
           return ECMA_VALUE_FALSE; /* fail */
         }
 
@@ -413,6 +424,7 @@ re_match_regexp (re_matcher_ctx_t *re_ctx_p, /**< RegExp matcher context */
         if (lit_char_is_line_terminator (ch))
         {
           JERRY_TRACE_MSG ("fail\n");
+          INCREASE_RECURSION_DEPTH_COUNTER;
           return ECMA_VALUE_FALSE; /* fail */
         }
 
@@ -432,6 +444,7 @@ re_match_regexp (re_matcher_ctx_t *re_ctx_p, /**< RegExp matcher context */
         if (!(re_ctx_p->flags & RE_FLAG_MULTILINE))
         {
           JERRY_TRACE_MSG ("fail\n");
+          INCREASE_RECURSION_DEPTH_COUNTER;
           return ECMA_VALUE_FALSE; /* fail */
         }
 
@@ -442,6 +455,7 @@ re_match_regexp (re_matcher_ctx_t *re_ctx_p, /**< RegExp matcher context */
         }
 
         JERRY_TRACE_MSG ("fail\n");
+        INCREASE_RECURSION_DEPTH_COUNTER;
         return ECMA_VALUE_FALSE; /* fail */
       }
       case RE_OP_ASSERT_END:
@@ -457,6 +471,7 @@ re_match_regexp (re_matcher_ctx_t *re_ctx_p, /**< RegExp matcher context */
         if (!(re_ctx_p->flags & RE_FLAG_MULTILINE))
         {
           JERRY_TRACE_MSG ("fail\n");
+          INCREASE_RECURSION_DEPTH_COUNTER;
           return ECMA_VALUE_FALSE; /* fail */
         }
 
@@ -467,6 +482,7 @@ re_match_regexp (re_matcher_ctx_t *re_ctx_p, /**< RegExp matcher context */
         }
 
         JERRY_TRACE_MSG ("fail\n");
+        INCREASE_RECURSION_DEPTH_COUNTER;
         return ECMA_VALUE_FALSE; /* fail */
       }
       case RE_OP_ASSERT_WORD_BOUNDARY:
@@ -498,6 +514,7 @@ re_match_regexp (re_matcher_ctx_t *re_ctx_p, /**< RegExp matcher context */
           if (is_wordchar_left == is_wordchar_right)
           {
             JERRY_TRACE_MSG ("fail\n");
+            INCREASE_RECURSION_DEPTH_COUNTER;
             return ECMA_VALUE_FALSE; /* fail */
           }
         }
@@ -509,6 +526,7 @@ re_match_regexp (re_matcher_ctx_t *re_ctx_p, /**< RegExp matcher context */
           if (is_wordchar_left != is_wordchar_right)
           {
             JERRY_TRACE_MSG ("fail\n");
+            INCREASE_RECURSION_DEPTH_COUNTER;
             return ECMA_VALUE_FALSE; /* fail */
           }
         }
@@ -563,6 +581,7 @@ re_match_regexp (re_matcher_ctx_t *re_ctx_p, /**< RegExp matcher context */
 
         if (!ECMA_IS_VALUE_ERROR (match_value))
         {
+          INCREASE_RECURSION_DEPTH_COUNTER;
           if (ecma_is_value_true (match_value))
           {
             *out_str_p = sub_str_p;
@@ -588,6 +607,7 @@ re_match_regexp (re_matcher_ctx_t *re_ctx_p, /**< RegExp matcher context */
         if (str_curr_p >= re_ctx_p->input_end_p)
         {
           JERRY_TRACE_MSG ("fail\n");
+          INCREASE_RECURSION_DEPTH_COUNTER;
           return ECMA_VALUE_FALSE; /* fail */
         }
 
@@ -618,6 +638,7 @@ re_match_regexp (re_matcher_ctx_t *re_ctx_p, /**< RegExp matcher context */
           if (!is_match)
           {
             JERRY_TRACE_MSG ("fail\n");
+            INCREASE_RECURSION_DEPTH_COUNTER;
             return ECMA_VALUE_FALSE; /* fail */
           }
         }
@@ -627,6 +648,7 @@ re_match_regexp (re_matcher_ctx_t *re_ctx_p, /**< RegExp matcher context */
           if (is_match)
           {
             JERRY_TRACE_MSG ("fail\n");
+            INCREASE_RECURSION_DEPTH_COUNTER;
             return ECMA_VALUE_FALSE; /* fail */
           }
         }
@@ -657,6 +679,7 @@ re_match_regexp (re_matcher_ctx_t *re_ctx_p, /**< RegExp matcher context */
           if (str_curr_p >= re_ctx_p->input_end_p)
           {
             JERRY_TRACE_MSG ("fail\n");
+            INCREASE_RECURSION_DEPTH_COUNTER;
             return ECMA_VALUE_FALSE; /* fail */
           }
 
@@ -666,6 +689,7 @@ re_match_regexp (re_matcher_ctx_t *re_ctx_p, /**< RegExp matcher context */
           if (ch1 != ch2)
           {
             JERRY_TRACE_MSG ("fail\n");
+            INCREASE_RECURSION_DEPTH_COUNTER;
             return ECMA_VALUE_FALSE; /* fail */
           }
         }
@@ -689,6 +713,7 @@ re_match_regexp (re_matcher_ctx_t *re_ctx_p, /**< RegExp matcher context */
           if (ecma_is_value_true (match_value))
           {
             *out_str_p = sub_str_p;
+            INCREASE_RECURSION_DEPTH_COUNTER;
             return match_value; /* match */
           }
           else if (ECMA_IS_VALUE_ERROR (match_value))
@@ -703,13 +728,15 @@ re_match_regexp (re_matcher_ctx_t *re_ctx_p, /**< RegExp matcher context */
         bc_p = old_bc_p;
 
         re_ctx_p->saved_p[RE_GLOBAL_START_IDX] = old_start_p;
+        INCREASE_RECURSION_DEPTH_COUNTER;
         return ECMA_VALUE_FALSE; /* fail */
       }
       case RE_OP_SAVE_AND_MATCH:
       {
         JERRY_TRACE_MSG ("End of pattern is reached: match\n");
         re_ctx_p->saved_p[RE_GLOBAL_END_IDX] = str_curr_p;
         *out_str_p = str_curr_p;
+        INCREASE_RECURSION_DEPTH_COUNTER;
         return ECMA_VALUE_TRUE; /* match */
       }
       case RE_OP_ALTERNATIVE:
@@ -774,6 +801,7 @@ re_match_regexp (re_matcher_ctx_t *re_ctx_p, /**< RegExp matcher context */
         if (ecma_is_value_true (match_value))
         {
           *out_str_p = sub_str_p;
+          INCREASE_RECURSION_DEPTH_COUNTER;
           return match_value; /* match */
         }
         else if (ECMA_IS_VALUE_ERROR (match_value))
@@ -832,6 +860,7 @@ re_match_regexp (re_matcher_ctx_t *re_ctx_p, /**< RegExp matcher context */
           if (ecma_is_value_true (match_value))
           {
             *out_str_p = sub_str_p;
+            INCREASE_RECURSION_DEPTH_COUNTER;
             return match_value; /* match */
           }
           else if (ECMA_IS_VALUE_ERROR (match_value))
@@ -856,6 +885,7 @@ re_match_regexp (re_matcher_ctx_t *re_ctx_p, /**< RegExp matcher context */
           if (ecma_is_value_true (match_value))
           {
             *out_str_p = sub_str_p;
+            INCREASE_RECURSION_DEPTH_COUNTER;
             return match_value; /* match */
           }
           else if (ECMA_IS_VALUE_ERROR (match_value))
@@ -865,6 +895,7 @@ re_match_regexp (re_matcher_ctx_t *re_ctx_p, /**< RegExp matcher context */
         }
 
         re_ctx_p->saved_p[start_idx] = old_start_p;
+        INCREASE_RECURSION_DEPTH_COUNTER;
         return ECMA_VALUE_FALSE; /* fail */
       }
       case RE_OP_CAPTURE_NON_GREEDY_GROUP_END:
@@ -910,6 +941,7 @@ re_match_regexp (re_matcher_ctx_t *re_ctx_p, /**< RegExp matcher context */
           if (ecma_is_value_true (match_value))
           {
             *out_str_p = sub_str_p;
+            INCREASE_RECURSION_DEPTH_COUNTER;
             return match_value; /* match */
           }
           else if (ECMA_IS_VALUE_ERROR (match_value))
@@ -958,6 +990,7 @@ re_match_regexp (re_matcher_ctx_t *re_ctx_p, /**< RegExp matcher context */
         if (re_ctx_p->num_of_iterations_p[iter_idx] >= min
             && str_curr_p== re_ctx_p->saved_p[start_idx])
         {
+          INCREASE_RECURSION_DEPTH_COUNTER;
           return ECMA_VALUE_FALSE; /* fail */
         }
 
@@ -979,6 +1012,7 @@ re_match_regexp (re_matcher_ctx_t *re_ctx_p, /**< RegExp matcher context */
           if (ecma_is_value_true (match_value))
           {
             *out_str_p = sub_str_p;
+            INCREASE_RECURSION_DEPTH_COUNTER;
             return match_value; /* match */
           }
           else if (ECMA_IS_VALUE_ERROR (match_value))
@@ -1003,6 +1037,7 @@ re_match_regexp (re_matcher_ctx_t *re_ctx_p, /**< RegExp matcher context */
             if (ecma_is_value_true (match_value))
             {
               *out_str_p = sub_str_p;
+              INCREASE_RECURSION_DEPTH_COUNTER;
               return match_value; /* match */
             }
             else if (ECMA_IS_VALUE_ERROR (match_value))
@@ -1024,6 +1059,7 @@ re_match_regexp (re_matcher_ctx_t *re_ctx_p, /**< RegExp matcher context */
           if (ecma_is_value_true (match_value))
           {
             *out_str_p = sub_str_p;
+            INCREASE_RECURSION_DEPTH_COUNTER;
             return match_value; /* match */
           }
           else if (ECMA_IS_VALUE_ERROR (match_value))
@@ -1035,6 +1071,7 @@ re_match_regexp (re_matcher_ctx_t *re_ctx_p, /**< RegExp matcher context */
         /* restore if fails */
         re_ctx_p->saved_p[end_idx] = old_end_p;
         re_ctx_p->num_of_iterations_p[iter_idx]--;
+        INCREASE_RECURSION_DEPTH_COUNTER;
         return ECMA_VALUE_FALSE; /* fail */
       }
       case RE_OP_NON_GREEDY_ITERATOR:
@@ -1059,6 +1096,7 @@ re_match_regexp (re_matcher_ctx_t *re_ctx_p, /**< RegExp matcher context */
             if (ecma_is_value_true (match_value))
             {
               *out_str_p = sub_str_p;
+              INCREASE_RECURSION_DEPTH_COUNTER;
               return match_value; /* match */
             }
             else if (ECMA_IS_VALUE_ERROR (match_value))
@@ -1082,6 +1120,7 @@ re_match_regexp (re_matcher_ctx_t *re_ctx_p, /**< RegExp matcher context */
           str_curr_p = sub_str_p;
           num_of_iter++;
         }
+        INCREASE_RECURSION_DEPTH_COUNTER;
         return ECMA_VALUE_FALSE; /* fail */
       }
       default:
@@ -1125,6 +1164,7 @@ re_match_regexp (re_matcher_ctx_t *re_ctx_p, /**< RegExp matcher context */
           if (ecma_is_value_true (match_value))
           {
             *out_str_p = sub_str_p;
+            INCREASE_RECURSION_DEPTH_COUNTER;
             return match_value; /* match */
           }
           else if (ECMA_IS_VALUE_ERROR (match_value))
@@ -1140,6 +1180,7 @@ re_match_regexp (re_matcher_ctx_t *re_ctx_p, /**< RegExp matcher context */
           lit_utf8_read_prev (&str_curr_p);
           num_of_iter--;
         }
+        INCREASE_RECURSION_DEPTH_COUNTER;
         return ECMA_VALUE_FALSE; /* fail */
       }
     }
@@ -1232,6 +1273,9 @@ ecma_regexp_exec_helper (ecma_value_t regexp_value, /**< RegExp object */
   re_ctx.input_start_p = input_curr_p;
   const lit_utf8_byte_t *input_end_p = re_ctx.input_start_p + input_buffer_size;
   re_ctx.input_end_p = input_end_p;
+#ifdef REGEXP_RECURSION_LIMIT
+  re_ctx.recursion_depth = REGEXP_RECURSION_LIMIT;
+#endif /* REGEXP_RECURSION_LIMIT */
 
   /* 1. Read bytecode header and init regexp matcher context. */
   re_ctx.flags = bc_p->header.status_flags;

jerry-core/ecma/operations/ecma-regexp-object.h

@@ -18,6 +18,12 @@
 
 #ifndef CONFIG_DISABLE_REGEXP_BUILTIN
 
+#ifdef REGEXP_RECURSION_LIMIT
+#define INCREASE_RECURSION_DEPTH_COUNTER (++re_ctx_p->recursion_depth)
+#else
+#define INCREASE_RECURSION_DEPTH_COUNTER
+#endif /* REGEXP_RECURSION_LIMIT */
+
 #include "ecma-globals.h"
 #include "re-compiler.h"
 
@@ -46,6 +52,9 @@ typedef struct
   const lit_utf8_byte_t **saved_p;      /**< saved result string pointers, ECMA 262 v5, 15.10.2.1, State */
   const lit_utf8_byte_t *input_start_p; /**< start of input pattern string */
   const lit_utf8_byte_t *input_end_p;   /**< end of input pattern string */
+#ifdef REGEXP_RECURSION_LIMIT
+  uint32_t recursion_depth;             /**< recursion depth limit */
+#endif /* REGEXP_RECURSION_LIMIT */
   uint32_t num_of_captures;             /**< number of capture groups */
   uint32_t num_of_non_captures;         /**< number of non-capture groups */
   uint32_t *num_of_iterations_p;        /**< number of iterations */

jerry-core/parser/regexp/re-compiler.c

@@ -249,6 +249,12 @@ re_parse_alternative (re_compiler_ctx_t *re_ctx_p, /**< RegExp compiler context
   uint32_t idx;
   re_bytecode_ctx_t *bc_ctx_p = re_ctx_p->bytecode_ctx_p;
   ecma_value_t ret_value = ECMA_VALUE_EMPTY;
+#ifdef REGEXP_RECURSION_LIMIT
+  if (--re_ctx_p->recursion_depth == 0)
+  {
+    return ecma_raise_range_error ("RegExp executor recursion limit is exceeded.");
+  }
+#endif /* REGEXP_RECURSION_LIMIT */
 
   uint32_t alterantive_offset = re_get_bytecode_length (re_ctx_p->bytecode_ctx_p);
   bool should_loop = true;
@@ -440,6 +446,7 @@ re_parse_alternative (re_compiler_ctx_t *re_ctx_p, /**< RegExp compiler context
         else
         {
           re_insert_u32 (bc_ctx_p, alterantive_offset, re_get_bytecode_length (bc_ctx_p) - alterantive_offset);
+          INCREASE_RECURSION_DEPTH_COUNTER;
           should_loop = false;
         }
         break;
@@ -453,6 +460,7 @@ re_parse_alternative (re_compiler_ctx_t *re_ctx_p, /**< RegExp compiler context
         else
         {
           re_insert_u32 (bc_ctx_p, alterantive_offset, re_get_bytecode_length (bc_ctx_p) - alterantive_offset);
+          INCREASE_RECURSION_DEPTH_COUNTER;
           should_loop = false;
         }
 
@@ -559,7 +567,9 @@ re_compile_bytecode (const re_compiled_code_t **out_bytecode_p, /**< [out] point
   re_ctx.flags = flags;
   re_ctx.highest_backref = 0;
   re_ctx.num_of_non_captures = 0;
-
+#ifdef REGEXP_RECURSION_LIMIT
+  re_ctx.recursion_depth = REGEXP_RECURSION_LIMIT;
+#endif /* REGEXP_RECURSION_LIMIT */
   re_bytecode_ctx_t bc_ctx;
   bc_ctx.block_start_p = NULL;
   bc_ctx.block_end_p = NULL;

jerry-core/parser/regexp/re-compiler.h

@@ -41,6 +41,9 @@ typedef struct
   uint32_t num_of_captures;          /**< number of capture groups */
   uint32_t num_of_non_captures;      /**< number of non-capture groups */
   uint32_t highest_backref;          /**< highest backreference */
+#ifdef REGEXP_RECURSION_LIMIT
+  uint32_t recursion_depth;          /**< recursion depth limit */
+#endif /* REGEXP_RECURSION_LIMIT */
   re_bytecode_ctx_t *bytecode_ctx_p; /**< pointer of RegExp bytecode context */
   re_token_t current_token;          /**< current token */
   re_parser_ctx_t *parser_ctx_p;     /**< pointer of RegExp parser context */