LibRegex: Check backreference index before looking it up

If a backref happens after it's cleared, the slot may be cleared already.
Author: https://github.com/alimpfard Commit: 299b9ca572 Pull-request: https://github.com/LadybirdBrowser/ladybird/pull/4246
2025-06-08 05:27:14 +09:00 · 2025-04-06 01:56:18 +02:00 · 2025-04-06 01:56:18 +02:00 · 299b9ca572 · 2025-04-06 18:22:15 +00:00
commit 299b9ca572
parent e695dc1405
2 changed files with 5 additions and 0 deletions
--- a/Libraries/LibRegex/RegexByteCode.cpp
+++ b/Libraries/LibRegex/RegexByteCode.cpp
@ -585,6 +585,9 @@ ALWAYS_INLINE ExecutionResult OpCode_Compare::execute(MatchInput const& input, M
        }
        case CharacterCompareType::Reference: {
            auto reference_number = (size_t)m_bytecode->at(offset++);
+            if (input.match_index >= state.capture_group_matches.size())
+                return ExecutionResult::Failed_ExecuteLowPrioForks;
+
            auto& groups = state.capture_group_matches.at(input.match_index);
            if (groups.size() <= reference_number)
                return ExecutionResult::Failed_ExecuteLowPrioForks;