Bug 40435 - Error in regexp causes crash
Summary: Error in regexp causes crash
Status: CLOSED FIXED
Alias: None
Product: konqueror
Classification: Applications
Component: kjs (show other bugs)
Version: unspecified
Platform: Compiled Sources Linux
: NOR crash
Target Milestone: ---
Assignee: Konqueror Developers
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2002-04-08 07:03 UTC by ck
Modified: 2002-09-16 14:43 UTC (History)

See Also:
Latest Commit:
Version Fixed In:


Description ck 2002-04-08 06:56:33 UTC
(*** This bug was imported into bugs.kde.org ***)

Package:           kjs
Version:           KDE 3.0.0 
Severity:          normal
Installed from:    Compiled From Sources
Compiler:          gcc-2.96
OS:                Linux
OS/Compiler notes: Not Specified

The following HTML page crashes Konqueror reliably. This seems to be due to the erroneous regexp (no character before the + sign). 
While the Regexp is incorrect it should still not crash the browser. 

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
  <head>
<script>
function crashme() {
  var s1 = "foo+bar";
  alert(s1.replace(/+/g, "%2B"));
}
</script>
    <title>Crash</title>
  </head>
  <body onload="crashme()">
    <h1>Crash</h1>
  </body>
</html>

Here's (part of) the stack trace:

[New Thread 1024 (LWP 14379)]
0x413a5ca9 in __wait4 () from /lib/i686/libc.so.6
#0  0x413a5ca9 in __wait4 () from /lib/i686/libc.so.6
#1  0x414216b4 in __DTOR_END__ () from /lib/i686/libc.so.6
#2  0x412536f3 in waitpid (pid=14381, stat_loc=0x0, options=0)
    at wrapsyscall.c:172
#3  0x40766dc5 in KCrash::defaultCrashHandler ()
   from /usr/local/kde3/lib/libkdecore.so.4
#4  0x41251a85 in pthread_sighandler (signo=11, ctx=
      {gs = 7, __gsh = 0, fs = 0, __fsh = 0, es = 43, __esh = 0, ds = 43, __dsh = 0, edi = 138616279, esi = 138616280, ebp = 3221208680, esp = 3221208524, ebx = 1102622948, edx = 138616280, ecx = 0, eax = 0, trapno = 14, err = 4, eip = 1102614436, cs = 35, __csh = 0, eflags = 66070, esp_at_signal = 3221208524, ss = 43, __ssh = 0, fpstate = 0xbfffbb50, oldmask = 2147483648, cr2 = 12})
    at signals.c:97
#5  <signal handler called>
#6  0x41b88fa4 in pcre_exec (external_re=0x0, external_extra=0x0,
    subject=0x8431dd8 "foo+bar", length=7, start_offset=0, options=0,
    offsets=0x84312d8, offsetcount=3) at pcre.c:4882
#7  0x41b584d6 in KJS::RegExp::match () from /usr/local/kde3/lib/libkjs.so.1
#8  0x41b5adb2 in KJS::StringProtoFuncImp::call ()
   from /usr/local/kde3/lib/libkjs.so.1
#9  0x41b6b421 in KJS::Object::call () from /usr/local/kde3/lib/libkjs.so.1
#10 0x41b47f57 in KJS::FunctionCallNode::evaluate ()
   from /usr/local/kde3/lib/libkjs.so.1
#11 0x41b47478 in KJS::ArgumentListNode::evaluateList ()
   from /usr/local/kde3/lib/libkjs.so.1
#12 0x41b4768d in KJS::ArgumentsNode::evaluateList ()
   from /usr/local/kde3/lib/libkjs.so.1

(Submitted via bugs.kde.org)
Comment 1 Harri Porten 2002-04-08 13:58:56 UTC
On 8 Apr 2002 ck@heise.de wrote:

> The following HTML page crashes Konqueror reliably. This seems to be due to the erroneous regexp (no character before the + sign). 

I can confirm the crash on a system without PCRE support compiled in. On
another one with that extended support, it hangs. Both equally bad of course.

> While the Regexp is incorrect it should still not crash the browser. 

Added as a testcase ("foo+bar".replace(/+/g, "%2B");) to the JS test suite.
Will look into fixing it later.

Harri.
Comment 2 Harri Porten 2002-04-09 19:41:53 UTC
On 8 Apr 2002 ck@heise.de wrote:

>   alert(s1.replace(/+/g, "%2B"));

Fixed the crash together with another replace() bug for KDE 3.0.1.
We still don't accept '+' as that character though but as an invalid
regexp. Netscape 4.7 treats it differently.

Thanks for the report

Harri.
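The trace in the report shows the shape of the defect: the pattern "+" fails to compile, the compiled handle stays NULL, and KJS::RegExp::match passes that NULL (external_re=0x0) straight into pcre_exec, so an invalid regexp in page script becomes a browser crash. The following is an added example, not KJS or PCRE code, of a small wrapper that records the compile failure and makes match() refuse to run on an uncompiled pattern, which is the check whose absence caused the crash. It uses POSIX <regex.h> in place of PCRE, all names (SafeRegex, safe_re_compile, safe_replace_all, escape_literal) are mine, and the behaviour is the one Comment 2 settles on: "+" is reported as an invalid regexp, while the literal-character reading Netscape 4.7 used is available only by escaping the pattern explicitly.

```c
/* Added example (not KJS/PCRE code): a regexp wrapper that never hands an
 * uncompiled pattern to the matcher. POSIX <regex.h> stands in for PCRE. */
#include <regex.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { RE_NO_MATCH = 0, RE_MATCH = 1, RE_ERR_NOT_COMPILED = -1 };

typedef struct {
    regex_t re;
    int compiled;       /* nonzero only after a successful regcomp() */
    char errbuf[128];   /* regerror() text when compiled == 0 */
} SafeRegex;

/* Returns 1 on success; on failure compiled stays 0 and errbuf says why. */
int safe_re_compile(SafeRegex *sr, const char *pattern) {
    memset(sr, 0, sizeof *sr);
    int rc = regcomp(&sr->re, pattern, REG_EXTENDED);
    if (rc != 0) {
        regerror(rc, &sr->re, sr->errbuf, sizeof sr->errbuf);
        return 0;
    }
    sr->compiled = 1;
    return 1;
}

/* The missing check: an uncompiled pattern yields an error code instead of
 * a call into the matcher with a null handle. */
int safe_re_match(const SafeRegex *sr, const char *subject, regmatch_t *m, int eflags) {
    if (!sr->compiled)
        return RE_ERR_NOT_COMPILED;
    return regexec(&sr->re, subject, 1, m, eflags) == 0 ? RE_MATCH : RE_NO_MATCH;
}

void safe_re_free(SafeRegex *sr) {
    if (sr->compiled) {
        regfree(&sr->re);
        sr->compiled = 0;
    }
}

/* Global replace, like String.replace(/re/g, repl) without "$" expansion.
 * Returns a malloc'd string, or NULL with errbuf filled if `pattern` is invalid. */
char *safe_replace_all(const char *subject, const char *pattern, const char *repl,
                       char *errbuf, size_t errlen) {
    SafeRegex sr;
    if (!safe_re_compile(&sr, pattern)) {
        snprintf(errbuf, errlen, "%s", sr.errbuf);
        return NULL;
    }
    size_t n = strlen(subject), rlen = strlen(repl);
    /* each subject byte is copied at most once; at most n+1 matches */
    char *out = malloc(n + (n + 1) * rlen + 1);
    if (!out) {
        snprintf(errbuf, errlen, "out of memory");
        safe_re_free(&sr);
        return NULL;
    }
    size_t olen = 0;
    const char *p = subject;
    int eflags = 0;
    regmatch_t m;
    while (safe_re_match(&sr, p, &m, eflags) == RE_MATCH) {
        memcpy(out + olen, p, (size_t)m.rm_so);
        olen += (size_t)m.rm_so;
        memcpy(out + olen, repl, rlen);
        olen += rlen;
        if (m.rm_eo == m.rm_so) {            /* empty match: step one byte */
            if (p[m.rm_eo] == '\0') { p += m.rm_eo; break; }
            out[olen++] = p[m.rm_eo];
            p += m.rm_eo + 1;
        } else {
            p += m.rm_eo;
        }
        eflags = REG_NOTBOL;                 /* '^' anchors only at the real start */
    }
    strcpy(out + olen, p);
    safe_re_free(&sr);
    return out;
}

/* Backslash-escape ERE metacharacters so `s` is matched literally: the
 * "plain '+'" reading, chosen by the caller rather than guessed by the engine. */
char *escape_literal(const char *s) {
    char *out = malloc(2 * strlen(s) + 1), *o = out;
    if (!out) return NULL;
    for (; *s; s++) {
        if (strchr(".[]{}()*+?^$|\\", *s)) *o++ = '\\';
        *o++ = *s;
    }
    *o = '\0';
    return out;
}

int main(void) {
    char err[128];
    char *r = safe_replace_all("foo+bar", "+", "%2B", err, sizeof err);
    printf("pattern \"+\": %s\n", r ? r : err);      /* rejected, not a crash */
    free(r);
    char *lit = escape_literal("+");
    r = safe_replace_all("foo+bar", lit, "%2B", err, sizeof err);
    printf("pattern \"%s\": %s\n", lit, r ? r : err);
    free(r);
    free(lit);
    return 0;
}
```

With the reporter's input, the first call returns NULL and the compile error text, while the escaped pattern yields "foo%2Bbar". The design point is that the compile result is the only thing that decides whether matching may proceed; the matcher is never reachable through a handle that compilation did not produce.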