new RegExp() ignores string boundaries when throwing exceptions

VERIFIED FIXED in mozilla1.9alpha1

Status

()

Core
JavaScript Engine
P1
normal
VERIFIED FIXED
12 years ago
11 years ago

People

(Reporter: Wladimir Palant (for Adblock Plus info Cc bugzilla@adblockplus.org), Assigned: brendan)

Tracking

({testcase, verified1.8.1})

Trunk
mozilla1.9alpha1
x86
Windows XP
testcase, verified1.8.1
Points:
---
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(2 attachments)

The issue is - the exception thrown by new RegExp() shows more text than it should. JavaScript code to test this:

var str1 = "?asdf\nAnd you really shouldn't see this!";
var str2 = str1.substr(0, 5);
try {
  new RegExp(str2);
}
catch(e) {
  alert(e);
}

This should only display: "invalid qualifier ?asdf". Instead it displays "And you really shouldn't see this" as well - a string that isn't even in str2! So obviously the string length is ignored when the exception is created, instead everything until the next \0 is used.

I tested this in rv:1.8.0.1 Gecko/20060111 Firefox/1.5.0.1 and in rv:1.9a1 Gecko/20060309 Firefox/1.6a1, results are the same in both.

I am marking this bug security relevant until somebody can confirm that you can't get access to random memory blocks that way.
(Assignee)

Comment 2

12 years ago
Created attachment 216950 [details] [diff] [review]
proposed fix

Seems best to use an independent string for compiling, and retain it as the value of the source property.

/be
Assignee: general → brendan
Status: NEW → ASSIGNED
Attachment #216950 - Flags: review?(mrbkap)
(Assignee)

Comment 3

12 years ago
This is not security sensitive.  JS implements dependent strings, so e.g., "hello, world".substr(0, 4) is a string header that points into the "hello, world" string's buffer.  The dependent string optimization is thread- and memory-safe.  It's just hazardous when pointers to char substrings flow into bad old code that expects to find a NUL terminator.  The independent string ("hello, world" in the example) that dependent strings share *always* ends with a backstop NUL at index equal to length.

/be
Group: security
(Assignee)

Updated

12 years ago
Priority: -- → P1
Target Milestone: --- → mozilla1.9alpha

Comment 4

12 years ago
See also bug 330796, "Invalid quantifier" error message shows wrong part of regexp.
(Assignee)

Comment 5

12 years ago
(In reply to comment #4)
> See also bug 330796, "Invalid quantifier" error message shows wrong part of
> regexp.

Unrelated.  See bug 330796 comment 3.

/be

Updated

12 years ago
Keywords: testcase
Comment on attachment 216950 [details] [diff] [review]
proposed fix

r=mrbkap
Attachment #216950 - Flags: review?(mrbkap) → review+
(Assignee)

Comment 7

12 years ago
Fixed on trunk and 1.8 branch.

/be
Blocks: 309169
Status: ASSIGNED → RESOLVED
Last Resolved: 12 years ago
Keywords: fixed1.8.1
Resolution: --- → FIXED
(Assignee)

Updated

12 years ago
Attachment #216950 - Flags: approval-branch-1.8.1+

Comment 8

12 years ago
Checking in regress-332472.js;
/cvsroot/mozilla/js/tests/js1_5/Exceptions/regress-332472.js,v  <--  regress-332472.js
initial revision: 1.1
Flags: in-testsuite+

Comment 9

12 years ago
verified fixed 1.8.1/1.9a1 win/mac/linux 20060415
Status: RESOLVED → VERIFIED
Keywords: fixed1.8.1 → verified1.8.1

Comment 10

11 years ago
not on 1.8.0, not making js16
No longer blocks: 309169
You need to log in before you can comment on or make changes to this bug.