Fix crash in deserializer on bad regexp

Author: bnoordhuis

quickjs.c

@@ -35361,7 +35361,12 @@ static JSValue JS_ReadRegExp(BCReaderState *s)
         return JS_EXCEPTION;
     }
 
-    assert(!bc->is_wide_char);
+    if (bc->is_wide_char) {
+        js_free_string(ctx->rt, pattern);
+        js_free_string(ctx->rt, bc);
+        return JS_ThrowInternalError(ctx, "bad regexp bytecode");
+    }
+
     if (is_be())
         lre_byte_swap(bc->u.str8, bc->len, /*is_byte_swapped*/TRUE);
 

tests/test_bjson.js

@@ -232,6 +232,7 @@ function bjson_test_fuzz()
     var corpus = [
         "EBAAAAAABGA=",
         "EObm5oIt",
+        "EAARABMGBgYGBgYGBgYGBv////8QABEALxH/vy8R/78=",
     ];
     for (var input of corpus) {
         var buf = base64decode(input);