From 52e25f784cd1b927d44383aa9afb358191df97e4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9=20Bargull?= <andre.bargull@gmail.com>
Date: Mon, 30 Jul 2012 18:25:15 +0200
Subject: [PATCH] Add missing overflow detection when processing RegExp
 character class pattern

---
 src/org/mozilla/javascript/regexp/NativeRegExp.java | 4 +++-
 testsrc/doctests/regexp.class-overflow.doctest      | 6 ++++++
 2 files changed, 9 insertions(+), 1 deletion(-)
 create mode 100755 testsrc/doctests/regexp.class-overflow.doctest

--- a/src/org/mozilla/javascript/regexp/NativeRegExp.java
+++ b/src/org/mozilla/javascript/regexp/NativeRegExp.java
@@ -1671,7 +1671,7 @@ public class NativeRegExp extends IdScri
             if (inRange) {
                 if ((gData.regexp.flags & JSREG_FOLD) != 0) {
                     assert(rangeStart <= thisCh);
-                    for (c = rangeStart; c <= thisCh; c++) {
+                    for (c = rangeStart; c <= thisCh;) {
                         addCharacterToCharSet(charSet, c);
                         char uch = upcase(c);
                         char dch = downcase(c);
@@ -1679,6 +1679,8 @@ public class NativeRegExp extends IdScri
                             addCharacterToCharSet(charSet, uch);
                         if (c != dch)
                             addCharacterToCharSet(charSet, dch);
+                        if (++c == 0)
+                            break; // overflow
                     }
                 } else {
                     addCharacterRangeToCharSet(charSet, rangeStart, thisCh);
--- /dev/null
+++ b/testsrc/doctests/regexp.class-overflow.doctest
@@ -0,0 +1,6 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+js> /[\u0000-\uFFFF]/i.test(0)
+true