Closed
Bug 332472
Opened 18 years ago
Closed 18 years ago
new RegExp() ignores string boundaries when throwing exceptions
Categories
(Core :: JavaScript Engine, defect, P1)
Tracking
()
VERIFIED
FIXED
mozilla1.9alpha1
People
(Reporter: jwkbugzilla, Assigned: brendan)
Details
(Keywords: testcase, verified1.8.1)
Attachments
(2 files)
218 bytes,
text/html
|
Details | |
922 bytes,
patch
|
mrbkap
:
review+
brendan
:
approval-branch-1.8.1+
|
Details | Diff | Splinter Review |
The issue is - the exception thrown by new RegExp() shows more text than it should. JavaScript code to test this: var str1 = "?asdf\nAnd you really shouldn't see this!"; var str2 = str1.substr(0, 5); try { new RegExp(str2); } catch(e) { alert(e); } This should only display: "invalid qualifier ?asdf". Instead it displays "And you really shouldn't see this" as well - a string that isn't even in str2! So obviously the string length is ignored when the exception is created, instead everything until the next \0 is used. I tested this in rv:1.8.0.1 Gecko/20060111 Firefox/1.5.0.1 and in rv:1.9a1 Gecko/20060309 Firefox/1.6a1, results are the same in both. I am marking this bug security relevant until somebody can confirm that you can't get access to random memory blocks that way.
Reporter | ||
Comment 1•18 years ago
|
||
Assignee | ||
Comment 2•18 years ago
|
||
Seems best to use an independent string for compiling, and retain it as the value of the source property. /be
Assignee | ||
Comment 3•18 years ago
|
||
This is not security sensitive. JS implements dependent strings, so e.g., "hello, world".substr(0, 4) is a string header that points into the "hello, world" string's buffer. The dependent string optimization is thread- and memory-safe. It's just hazardous when pointers to char substrings flow into bad old code that expects to find a NUL terminator. The independent string ("hello, world" in the example) that dependent strings share *always* ends with a backstop NUL at index equal to length. /be
Group: security
Assignee | ||
Updated•18 years ago
|
Priority: -- → P1
Target Milestone: --- → mozilla1.9alpha
Comment 4•18 years ago
|
||
See also bug 330796, "Invalid quantifier" error message shows wrong part of regexp.
Assignee | ||
Comment 5•18 years ago
|
||
(In reply to comment #4) > See also bug 330796, "Invalid quantifier" error message shows wrong part of > regexp. Unrelated. See bug 330796 comment 3. /be
Comment 6•18 years ago
|
||
Comment on attachment 216950 [details] [diff] [review] proposed fix r=mrbkap
Attachment #216950 -
Flags: review?(mrbkap) → review+
Assignee | ||
Comment 7•18 years ago
|
||
Fixed on trunk and 1.8 branch. /be
Blocks: js1.6rc1
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Keywords: fixed1.8.1
Resolution: --- → FIXED
Assignee | ||
Updated•18 years ago
|
Attachment #216950 -
Flags: approval-branch-1.8.1+
Comment 8•18 years ago
|
||
Checking in regress-332472.js; /cvsroot/mozilla/js/tests/js1_5/Exceptions/regress-332472.js,v <-- regress-332472.js initial revision: 1.1
Flags: in-testsuite+
Comment 9•18 years ago
|
||
verified fixed 1.8.1/1.9a1 win/mac/linux 20060415
Status: RESOLVED → VERIFIED
Keywords: fixed1.8.1 → verified1.8.1
You need to log in
before you can comment on or make changes to this bug.
Description
•