Fix out-of-bound vector access in Regex compiler

Summary: This out-of-bound access is likely harmless. However, the test hits an assertion failure and crashes in debug builds on Windows. The problem is that we could be calling `operator[]()` with one past the last valid element. Reviewed By: tmikov Differential Revision: D17085369 fbshipit-source-id: 3d82640332a62672c053702ea3956eac8ce230c8
DanRepos · Aug 28, 2019 · cf95acb · cf95acb
1 parent 0acbae8
commit cf95acb
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/include/hermes/Regex/Compiler.h b/include/hermes/Regex/Compiler.h
@@ -1287,7 +1287,9 @@ void Node::optimizeNodeList(NodeList &nodes, constants::SyntaxFlags flags) {
           unique_ptr<MatchCharNode>(new MatchCharNode(std::move(chars), icase));
       // Fill the remainder of the range with null (we'll clean them up after
       // the loop) and skip to the end of the range.
-      std::fill(&nodes[rangeStart + 1], &nodes[rangeEnd], nullptr);
+      // Note that rangeEnd may be one past the last valid element.
+      std::fill(
+          nodes.begin() + (rangeStart + 1), nodes.begin() + rangeEnd, nullptr);
       idx = rangeEnd - 1;
     }
   }