Closed
Bug 330352
Opened 18 years ago
Closed 17 years ago
Very non-greedy regexp causes crash in jsregexp.c
Categories
(Core :: JavaScript Engine, defect, P1)
Core
JavaScript Engine
Tracking
()
VERIFIED
FIXED
mozilla1.9alpha1
People
(Reporter: kohei, Assigned: crowderbt)
References
Details
(Keywords: crash, Whiteboard: [sg:nse] null deref)
Attachments
(3 files, 1 obsolete file)
|
4.55 KB,
patch
|
mrbkap
:
review-
|
Details | Diff | Splinter Review |
|
2.39 KB,
text/plain
|
Details | |
|
1.18 KB,
patch
|
mrbkap
:
review+
|
Details | Diff | Splinter Review |
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1 Build Identifier: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.9a1) Gecko/20060313 Firefox/1.6a1 Note: This bug was originally reported to IPA (Information-technology Promotion Agency, Japan) and forwarded to us at Mozilla Japan. I'm NOT original reporter. Don't ask me about details. For more information about IPA, visit http://www.ipa.go.jp/about/english/ IPA#36438227 Reproducible: Always Steps to Reproduce: Loading the following script causes Firefox to crash: javascript:if("AB".match(/(.*?)*?B/)){alert(RegExp.lastMatch);} No problem with: javascript:if("AB".match(/(.*)*?B/)){alert(RegExp.lastMatch);} or javascript:if("AB".match(/(.*?)*B/)){alert(RegExp.lastMatch);} Actual Results: Firefox consumes large amounts of memory and CPU time of machine, causes application error, and crashes. Expected Results: Don't crash Comment from IPA: This bug allows websites to crash user machines or perform a DoS attack. We [IPA] have examined the problem and found that application error occurred at jsregexp.c. Attackers might run arbitrary code, but we have not found real way of code injection. IPA asked us to treat this bug confidential, but if there are no risks, uncheck the security mark.
|
||
Updated•18 years ago
|
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: Crash in jsregexp.c → Very non-greedy regexp causes crash in jsregexp.c
|
||
Comment 1•18 years ago
|
||
In a 1.8.0.2-ish debug build I crash dereferencing a null "result->sz" in PushBackTrackState. Didn't notice a particularly large amount of memory use though, so maybe I'm hitting something different given some of the other js fixes that went into 1.8.0.2
Assignee: general → mrbkap
|
||
Comment 2•18 years ago
|
||
This looks like a non-exploitable null pointer dereference caused (in part) by a failure to propagate OOM. I want to look and see why we're spinning out of control here with the non-greedy regexps only, though.
Priority: -- → P1
Target Milestone: --- → mozilla1.9alpha
|
|
||
Updated•18 years ago
|
Status: NEW → ASSIGNED
Whiteboard: [patch]
|
|
||
Comment 3•18 years ago
|
||
This fixes the crash due to the OOM that we're hitting. We shouldn't be hitting an OOM condition at all, though. I'll file a new bug on fixing the non-greedy quantifiers to not be wrong.
Attachment #215298 -
Flags: review?(brendan)
|
|
||
Comment 4•18 years ago
|
||
Comment on attachment 215298 [details] [diff] [review] Fix the crash Actually, I have a more complete patch that fixes both problems.
Attachment #215298 -
Attachment is obsolete: true
Attachment #215298 -
Flags: review?(brendan)
|
|
||
Comment 5•18 years ago
|
||
As far as I can tell, this does the right thing.
Attachment #215337 -
Flags: review?(brendan)
|
||
Comment 6•18 years ago
|
||
Comment on attachment 215337 [details] [diff] [review] More complete fix Good as far as it goes, but not the complete fix. /be
Attachment #215337 -
Flags: review?(brendan) → review+
|
||
Comment 7•18 years ago
|
||
|
|
||
Updated•18 years ago
|
Flags: in-testsuite+
|
|
||
Updated•18 years ago
|
Whiteboard: [patch]
|
|
||
Comment 8•18 years ago
|
||
Based on comment 2, can we remove the security flag?
Whiteboard: [sg:nse] null deref
|
|
||
Comment 9•18 years ago
|
||
(In reply to comment #8) > Based on comment 2, can we remove the security flag? Yes, we can. Clearing the security-sensitive flag.
Group: security
|
|
||
Comment 10•18 years ago
|
||
Comment on attachment 215337 [details] [diff] [review] More complete fix This actually causes worse crashes.
Attachment #215337 -
Flags: review+ → review-
|
|
||
Comment 11•18 years ago
|
||
Checking in regress-330352.js; /cvsroot/mozilla/js/tests/js1_5/Regress/regress-330352.js,v <-- regress-330352.js initial revision: 1.1
|
|
||
Comment 12•17 years ago
|
||
mrbkap, are you going to be able to continue working on this patch?
Flags: blocking1.9?
|
|
||
Comment 13•17 years ago
|
||
options("relimit") doesn't help, fwiw.
options("relimit"); /(a*?)+?/.exec("");
still causes js to consume all available memory.
|
Assignee | |
Comment 14•17 years ago
|
||
Taking this one from mrbkap so I won't forget to work on it.
Assignee: mrbkap → crowder
Status: ASSIGNED → NEW
|
|
Assignee | |
Comment 15•17 years ago
|
||
This is a similar bug to bug 367888: we have a match-case which doesn't properly consume an empty match, causing the "repeat" code to continue repeating forever. The usual pieces (ie., the parts that didn't fail before) of the test-suite pass with this patch applied.
Attachment #259385 -
Flags: review?(mrbkap)
|
|
Assignee | |
Comment 16•17 years ago
|
||
Here's the perl behavior on the same match, for reference: $ perl -e '"AB" =~ /(.*?)*?B/; print "$&, $1\n"' AB, A
|
|
||
Updated•17 years ago
|
Attachment #259385 -
Flags: review?(mrbkap) → review+
|
|
Assignee | |
Comment 17•17 years ago
|
||
jsregexp.c: 3.138
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
|
|
||
Comment 18•17 years ago
|
||
verified fixed linux, windows, mac* shell 20070406
Status: RESOLVED → VERIFIED
You need to log in
before you can comment on or make changes to this bug.
Description
•