Closed Bug 332472 Opened 18 years ago Closed 18 years ago

new RegExp() ignores string boundaries when throwing exceptions

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
Windows XP
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.9alpha1

People

(Reporter: jwkbugzilla, Assigned: brendan)

Details

(Keywords: testcase, verified1.8.1)

Attachments

(2 files)

Testcase
218 bytes, text/html
Details
proposed fix
922 bytes, patch
mrbkap
: review+
brendan
: approval-branch-1.8.1+
Details | Diff | Splinter Review 
The issue is - the exception thrown by new RegExp() shows more text than it should. JavaScript code to test this:

var str1 = "?asdf\nAnd you really shouldn't see this!";
var str2 = str1.substr(0, 5);
try {
  new RegExp(str2);
}
catch(e) {
  alert(e);
}

This should only display: "invalid qualifier ?asdf". Instead it displays "And you really shouldn't see this" as well - a string that isn't even in str2! So obviously the string length is ignored when the exception is created, instead everything until the next \0 is used.

I tested this in rv:1.8.0.1 Gecko/20060111 Firefox/1.5.0.1 and in rv:1.9a1 Gecko/20060309 Firefox/1.6a1, results are the same in both.

I am marking this bug security relevant until somebody can confirm that you can't get access to random memory blocks that way.
Attached file Testcase 

    
    

    
  

      
      
      
      

        Attached patch
          
          
        proposed fixSplinter Review
      

    


  
Seems best to use an independent string for compiling, and retain it as the value of the source property.

/be
Assignee: general → brendan
Status: NEW → ASSIGNED

        Attachment #216950 -
        Flags: review?(mrbkap)

    
    

    
  
This is not security sensitive.  JS implements dependent strings, so e.g., "hello, world".substr(0, 4) is a string header that points into the "hello, world" string's buffer.  The dependent string optimization is thread- and memory-safe.  It's just hazardous when pointers to char substrings flow into bad old code that expects to find a NUL terminator.  The independent string ("hello, world" in the example) that dependent strings share *always* ends with a backstop NUL at index equal to length.

/be
Group: security

    
  
Priority: -- → P1
Target Milestone: --- → mozilla1.9alpha

    
    

    
  
See also bug 330796, "Invalid quantifier" error message shows wrong part of regexp.

    
    

    
  
(In reply to comment #4)
> See also bug 330796, "Invalid quantifier" error message shows wrong part of
> regexp.

Unrelated.  See bug 330796 comment 3.

/be
Keywords: testcase

    
    

    
  
Comment on attachment 216950 [details] [diff] [review]
proposed fix

r=mrbkap

        Attachment #216950 -
        Flags: review?(mrbkap) → review+

    
    

    
  
Fixed on trunk and 1.8 branch.

/be
Blocks: js1.6rc1
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Keywords: fixed1.8.1
Resolution: --- → FIXED

    
  

        Attachment #216950 -
        Flags: approval-branch-1.8.1+

    
    

    
  
Checking in regress-332472.js;
/cvsroot/mozilla/js/tests/js1_5/Exceptions/regress-332472.js,v  <--  regress-332472.js
initial revision: 1.1

Flags: in-testsuite+

    
    

    
  
verified fixed 1.8.1/1.9a1 win/mac/linux 20060415
Status: RESOLVED → VERIFIED
Keywords: fixed1.8.1verified1.8.1

    
    

    
  
not on 1.8.0, not making js16
No longer blocks: js1.6rc1

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: