Fixed heap-buffer-overflow for RegExp.prototype[Symbol.replace].
Previously, RegExp.prototype[Symbol.replace] might overrun the boundaries
of the result of the custom "exec" method for a RegExp argument. The
issue occurred when the result object had zero length. The length is
used to create an array and the zero index was always written without
respect for the length resulting is heap-buffer-overflow.
The issue was introduced in 1c729f765cfb.
2 files changed