
RegExp ending in '[\\' reads past end of string

VERIFIED FIXED in mozilla1.8.1beta2

Status


Core
JavaScript Engine
P1
critical
VERIFIED FIXED
11 years ago
11 years ago

People

(Reporter: dveditz, Assigned: mrbkap)

Tracking

({crash, verified1.8.0.7, verified1.8.1})

Trunk
mozilla1.8.1beta2
crash, verified1.8.0.7, verified1.8.1
Points:
---
Bug Flags:
blocking1.7.14 ?
blocking-aviary1.0.9 ?
blocking1.8.1 +
blocking1.8.0.7 +
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:low])

Attachments

(2 attachments)

(Reporter)

Description

11 years ago
Received at the security@mozilla.org address:

a friend of mine found a bug in Mozilla's JavaScript RE Engine. We
tracked it down and wrote a reliable example that crashes FF on Linux,
Mac and Windows. All versions including CVS one seem to be affected.
While our findings didn't show any ways of exploiting it, there might be
a way to combine this with other bugs to run arbitrary code.

Ok, now for the details. The deadly code:

<script type="text/javascript">
function boo() {
  s = '';
  for (;;) {
    try {
      new RegExp(s + '[\\');
    } catch(e) {}
    s += 'q';
  }
}
</script>
<a href="javascript:boo()">die die die kill kill kill</a>

The culprit is the RE parser, file mozilla/js/src/jsregexp.c, line 1337 (how
appropriate). When '[' is read, the parser loops looking for ']', but if
a '\' is encountered, the pointer is advanced twice. If '\' is the last
character in a regexp, state->cp runs over the string boundaries. Fix:
check if state->cp == state->cpend after incrementing the pointer in
line 1338.

The example code above tries building a large enough string, so that it
gets allocated at the end of the heap. Then the parser runs over the end and
runs out of allocated VM, causing a segfault.

As for credits, it was discovered by CanadianGuy, and tracked down by
Girts Folkmanis and Catalin Patulea.

Have a nice day and thanks for making the best browser!  :) 

Cheers,
Girts
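The scanning loop the report describes, as an added illustration that is not taken from jsregexp.c or from the attached patch: a minimal model of the class-body scan in which the end-of-input test is an equality test at the top of the loop and a '\' advances the cursor a second time, placed beside the form that re-checks state->cp against state->cpend right after that extra increment. The function names, the return convention, and the buffer with sentinel bytes placed past cpend (so the unchecked scanner's over-read stays inside an array and the run is well defined) are this example's own assumptions.

```c
#include <stddef.h>
#include <stdio.h>

/* Outcome of scanning the body of a character class that began with '['. */
enum class_scan {
    CLASS_OK,           /* closing ']' found; *out_end points at it */
    CLASS_UNTERMINATED  /* input ended before a closing ']' */
};

/*
 * Model of the loop the report describes (hypothetical; not the real
 * jsregexp.c code). The end-of-input test is an equality test at the top of
 * the loop, and a backslash advances the cursor twice: once here and once at
 * the bottom. When the backslash is the last byte of the pattern the second
 * advance moves cp to cpend + 1, the equality test never fires again, and
 * the loop keeps dereferencing bytes beyond the pattern.
 */
static enum class_scan scan_class_unchecked(const char *cp, const char *cpend,
                                            const char **out_end)
{
    for (;;) {
        if (cp == cpend)
            return CLASS_UNTERMINATED;
        if (*cp == '\\') {
            cp++;                    /* skip the escaped character: no check */
        } else if (*cp == ']') {
            *out_end = cp;
            return CLASS_OK;
        }
        cp++;
    }
}

/*
 * Hardened form: re-test the bound immediately after the extra advance, as
 * the report proposes, so a trailing backslash is reported as an
 * unterminated class instead of being stepped over.
 */
static enum class_scan scan_class_checked(const char *cp, const char *cpend,
                                          const char **out_end)
{
    for (;;) {
        if (cp == cpend)
            return CLASS_UNTERMINATED;
        if (*cp == '\\') {
            cp++;
            if (cp == cpend)         /* look before we leap */
                return CLASS_UNTERMINATED;
        } else if (*cp == ']') {
            *out_end = cp;
            return CLASS_OK;
        }
        cp++;
    }
}

/*
 * Helper for the demonstrations: buf[0] is the '[' that opened the class and
 * len is the length of the pattern, so cpend = buf + len. Returns the number
 * of bytes between '[' and ']', or -1 if the class is unterminated. Any bytes
 * in buf beyond len are a sentinel the unchecked scanner may run into; they
 * keep its over-read inside the array so the run stays defined.
 */
static long scan_class_str(const char *buf, size_t len, int hardened)
{
    const char *start = buf + 1;
    const char *cpend = buf + len;
    const char *end = NULL;
    enum class_scan r = hardened ? scan_class_checked(start, cpend, &end)
                                 : scan_class_unchecked(start, cpend, &end);
    return r == CLASS_OK ? (long)(end - start) : -1L;
}

int main(void)
{
    /* Constructed inputs. "[\\ZZ]" holds the pattern "[\" (len 2) followed
     * by three sentinel bytes that lie past cpend. */
    printf("[abc]  checked   -> %ld\n", scan_class_str("[abc]", 5, 1));
    printf("[a\\]b] checked   -> %ld\n", scan_class_str("[a\\]b]", 6, 1));
    printf("[\\     checked   -> %ld\n", scan_class_str("[\\ZZ]", 2, 1));
    printf("[\\     unchecked -> %ld (class 'found' in the sentinel)\n",
           scan_class_str("[\\ZZ]", 2, 0));
    return 0;
}
```

On well-formed patterns both scanners agree. On a pattern whose last byte is a backslash, the checked scanner reports an unterminated class, while the unchecked one steps over cpend and reports a class end that lies in the sentinel bytes; in the real engine those bytes are whatever follows the pattern on the heap, which is why the report's loop eventually walks into unmapped memory. Using a `>=` comparison for the bound test would be a second line of defence, but the report's fix, re-checking right after the extra increment, is what closes the hole.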
(Assignee)

Comment 1

11 years ago
Ick.
Status: NEW → ASSIGNED
Flags: blocking1.8.1?
Priority: -- → P1
Target Milestone: --- → mozilla1.8.1beta2
(Assignee)

Comment 2

11 years ago
Created attachment 231554 [details] [diff] [review]
Look before we leap
Attachment #231554 - Flags: review?(brendan)
(Reporter)

Updated

11 years ago
Flags: blocking1.8.0.7+
Flags: blocking1.7.14?
Flags: blocking-aviary1.0.9?
Comment on attachment 231554 [details] [diff] [review]
Look before we leap

jsregexp.c, sigh.

/be
Attachment #231554 - Flags: review?(brendan)
Attachment #231554 - Flags: review+
Attachment #231554 - Flags: approval1.8.1?
(Assignee)

Comment 4

11 years ago
Fix checked into trunk.
Status: ASSIGNED → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → FIXED
Attachment #231554 - Flags: approval1.8.1? → approval1.8.1+
Flags: blocking1.8.1? → blocking1.8.1+
(Assignee)

Comment 5

11 years ago
Fix checked into the 1.8 branch.
Keywords: fixed1.8.1

Comment 6

11 years ago
Created attachment 231732 [details]
js1_5/GC/regress-346794.js

Updated

11 years ago
Flags: in-testsuite+

Comment 7

11 years ago
verified fixed 1.8, 1.9 windows/mac(ppc|tel)/linux 20060803
Status: RESOLVED → VERIFIED
Keywords: fixed1.8.1 → verified1.8.1
(Assignee)

Updated

11 years ago
Attachment #231554 - Flags: approval1.8.0.7?
(Reporter)

Comment 8

11 years ago
Comment on attachment 231554 [details] [diff] [review]
Look before we leap

approved for 1.8.0 branch, a=dveditz for drivers
Attachment #231554 - Flags: approval1.8.0.7? → approval1.8.0.7+
(Assignee)

Comment 9

11 years ago
Fixed on the 1.8.0 branch.
Keywords: fixed1.8.0.7

Comment 10

11 years ago
note: js1_5/GC/regress-346794.js: result: CRASHED signal  11   type: browser for 1.8.0.7 opt/dbg macppc/linux 20060815, but I have not been able to reproduce.

Comment 11

11 years ago
verified fixed 1.8.0.7 20060818 windows/mac*/linux
Keywords: fixed1.8.0.7 → verified1.8.0.7
(Reporter)

Updated

11 years ago
Whiteboard: [sg:low]
(Reporter)

Updated

11 years ago
Group: security

Comment 12

11 years ago
Checking in js1_5/GC/regress-346794.js;
/cvsroot/mozilla/js/tests/js1_5/GC/regress-346794.js,v  <--  regress-346794.js
initial revision: 1.1
done