Limit backtracking on regexp called from blink.

It is possible to block the main thread with a invalid pattern, input and CSS. Now that V8 has added a backtracking limit take advantage of it. 1000000 matches the limit Yarr (webkit's regex engine). See https://github.com/WebKit/webkit/blob/89c28d471fae35f1788a0f857067896a10af8974/Source/JavaScriptCore/yarr/Yarr.h#L50 BUG=966405 Change-Id: I08bc956806bc7efb8cdc06dc0db30fa94e68df9c Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1915280 Commit-Queue: Dave Tapuska <dtapuska@chromium.org> Reviewed-by: Jeremy Roman <jbroman@chromium.org> Cr-Commit-Position: refs/heads/master@{#715312}

Limit backtracking on regexp called from blink.
It is possible to block the main thread with a invalid pattern, input and CSS. Now that V8 has added a backtracking limit take advantage of it. 1000000 matches the limit Yarr (webkit's regex engine). See https://github.com/WebKit/webkit/blob/89c28d471fae35f1788a0f857067896a10af8974/Source/JavaScriptCore/yarr/Yarr.h#L50 BUG=966405 Change-Id: I08bc956806bc7efb8cdc06dc0db30fa94e68df9c Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1915280 Commit-Queue: Dave Tapuska <dtapuska@chromium.org> Reviewed-by: Jeremy Roman <jbroman@chromium.org> Cr-Commit-Position: refs/heads/master@{#715312}
e83dd93c · Dave Tapuska · Commit Bot · 3dacc95f · e83dd93c · e83dd93c
Commit e83dd93c authored Nov 14, 2019 by Dave Tapuska Committed by Commit Bot Nov 14, 2019
2 changed files
--- a/third_party/blink/renderer/bindings/core/v8/script_regexp.cc
+++ b/third_party/blink/renderer/bindings/core/v8/script_regexp.cc
@@ -36,6 +36,10 @@
 namespace blink {
+namespace {
+const uint32_t kBacktrackLimit = 1'000'000;
+}  // namespace
 ScriptRegexp::ScriptRegexp(const String& pattern,
                           TextCaseSensitivity case_sensitivity,
                           MultilineMode multiline_mode,
@@ -56,8 +60,9 @@ ScriptRegexp::ScriptRegexp(const String& pattern,
    flags |= v8::RegExp::kUnicode;
  v8::Local<v8::RegExp> regex;
-  if (v8::RegExp::New(context, V8String(isolate, pattern),
+  if (v8::RegExp::NewWithBacktrackLimit(context, V8String(isolate, pattern),
-                      static_cast<v8::RegExp::Flags>(flags))
+                                        static_cast<v8::RegExp::Flags>(flags),
+                                        kBacktrackLimit)
          .ToLocal(&regex))
    regex_.Set(isolate, regex);
  if (try_catch.HasCaught() && !try_catch.Message().IsEmpty())

--- a/third_party/blink/web_tests/external/wpt/html/semantics/forms/constraints/infinite_backtracking.html
+++ b/third_party/blink/web_tests/external/wpt/html/semantics/forms/constraints/infinite_backtracking.html
+<!DOCTYPE html>
+<meta charset="utf-8">
+<title>The infinite pattern validation test</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<input type=text id=badinput value="12345678901234567890123456789123456789z" pattern="(\d+)*$">
+<script>
+  test(function(){
+    var elements = document.querySelectorAll(":invalid");
+    assert_array_equals(elements, [document.getElementById('badinput')]);
+  }, "Infinite backtracking pattern terminates");
+</script>