Closed Bug 346794
Opened 18 years ago, closed 18 years ago
RegExp ending in '[\\' reads past end of string
Categories: Core :: JavaScript Engine, defect, P1
Tracking: VERIFIED FIXED, target milestone mozilla1.8.1beta2
People: Reporter: dveditz, Assigned: mrbkap
Details: Keywords: crash, verified1.8.0.7, verified1.8.1; Whiteboard: [sg:low]
Attachments (2 files):
  patch, 1.44 KB: brendan: review+; dveditz: approval1.8.0.7+; dbaron: approval1.8.1+
  text/plain, 2.53 KB
Received at the security@mozilla.org address:
A friend of mine found a bug in Mozilla's JavaScript RE engine. We
tracked it down and wrote a reliable example that crashes FF on Linux,
Mac and Windows. All versions, including the CVS one, seem to be affected.
While our findings didn't show any ways of exploiting it, there might be
a way to combine this with other bugs to run arbitrary code.
Ok, now for the details. The deadly code:
<script type="text/javascript">
function boo() {
    s = '';
    for (;;) {
        try {
            new RegExp(s + '[\\');
        } catch(e) {}
        s += 'q';
    }
}
</script>
<a href="javascript:boo()">die die die kill kill kill</a>
The culprit is the RE parser, file mozilla/js/src/jsregexp.c, line 1337 (how
appropriate). When '[' is read, the parser loops looking for ']', but if
a '\' is encountered, the pointer is advanced twice. If '\' is the last
character in a regexp, state->cp runs over the string boundaries. Fix:
check if state->cp == state->cpend after incrementing the pointer in
line 1338.
The example code above tries to build a large enough string so that it
gets allocated at the end of the heap. Then the parser runs over the end
and out of allocated VM, causing a segfault.
As for credits, it was discovered by CanadianGuy, and tracked down by
Girts Folkmanis and Catalin Patulea.
Have a nice day and thanks for making the best browser! :)
Cheers,
Girts
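A simplified re-creation of the class-scanning loop the report describes, added here as an example; it is not the code in jsregexp.c or the attached patch, and the function names and sample patterns are constructed. It shows the "look before we leap" check on the second advance after a backslash, which is the missing bounds check the fix adds.

```c
#include <stddef.h>
#include <string.h>

/*
 * Scan a character class body for its closing ']'.
 * cp points just past the opening '[' and cpend one past the last pattern
 * character, mirroring the state->cp / state->cpend pair named in the report.
 * Returns a pointer to the ']' or NULL if the class is unterminated.
 */
static const char *find_class_end(const char *cp, const char *cpend)
{
    const char *p = cp;

    while (p < cpend) {
        if (*p == '\\') {
            p++;                /* first advance: step over the backslash */
            /*
             * Look before we leap: a backslash must be followed by the
             * character it escapes. Without this check a pattern ending
             * in '[\' would advance a second time and read past cpend,
             * which is the overread described in the report.
             */
            if (p == cpend)
                return NULL;
            p++;                /* second advance: step over the escaped char */
            continue;
        }
        if (*p == ']')
            return p;
        p++;
    }
    return NULL;                /* ran out of pattern before a ']' */
}

/*
 * Locate the first '[' in a NUL-terminated pattern and report the offset of
 * the ']' that closes it, or -1 when the class is unterminated or absent.
 * (Hypothetical helper for this example, e.g. "qqq[\" -> -1.)
 */
static long class_end_in_pattern(const char *pattern)
{
    const char *open = strchr(pattern, '[');
    const char *close;

    if (open == NULL)
        return -1;
    close = find_class_end(open + 1, pattern + strlen(pattern));
    return close != NULL ? (long)(close - pattern) : -1;
}
```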
Comment 1 (Assignee) • 18 years ago
Ick.
Status: NEW → ASSIGNED
Flags: blocking1.8.1?
Priority: -- → P1
Target Milestone: --- → mozilla1.8.1beta2
Comment 2 (Assignee) • 18 years ago
Attachment #231554 - Flags: review?(brendan)
Updated (Reporter) • 18 years ago
Flags: blocking1.8.0.7+
Flags: blocking1.7.14?
Flags: blocking-aviary1.0.9?
Comment 3 • 18 years ago
Comment on attachment 231554: Look before we leap
jsregexp.c, sigh.
/be
Attachment #231554 - Flags: review?(brendan)
Attachment #231554 - Flags: review+
Attachment #231554 - Flags: approval1.8.1?
Comment 4 (Assignee) • 18 years ago
Fix checked into trunk.
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Attachment #231554 - Flags: approval1.8.1? → approval1.8.1+
Flags: blocking1.8.1? → blocking1.8.1+
Comment 6 • 18 years ago
Updated • 18 years ago
Flags: in-testsuite+
Comment 7 • 18 years ago
verified fixed 1.8, 1.9 windows/mac(ppc|tel)/linux 20060803
Status: RESOLVED → VERIFIED
Keywords: fixed1.8.1 → verified1.8.1
Updated (Assignee) • 18 years ago
Attachment #231554 - Flags: approval1.8.0.7?
Comment 8 (Reporter) • 18 years ago
Comment on attachment 231554: Look before we leap
approved for 1.8.0 branch, a=dveditz for drivers
Attachment #231554 - Flags: approval1.8.0.7? → approval1.8.0.7+
Comment 10 • 18 years ago
note: js1_5/GC/regress-346794.js: result: CRASHED signal 11 type: browser for 1.8.0.7 opt/dbg macppc/linux 20060815, but I have not been able to reproduce.
Comment 11 • 18 years ago
verified fixed 1.8.0.7 20060818 windows/mac*/linux
Keywords: fixed1.8.0.7 → verified1.8.0.7
Updated (Reporter) • 18 years ago
Whiteboard: [sg:low]
Updated (Reporter) • 18 years ago
Group: security
Comment 12 • 18 years ago
Checking in js1_5/GC/regress-346794.js;
/cvsroot/mozilla/js/tests/js1_5/GC/regress-346794.js,v <-- regress-346794.js
initial revision: 1.1
done