Closed Bug 346794 Opened 14 years ago Closed 14 years ago

RegExp ending in '[\\' reads past end of string

Categories

(Core :: JavaScript Engine, defect, P1, critical)


Tracking


VERIFIED FIXED
mozilla1.8.1beta2

People

(Reporter: dveditz, Assigned: mrbkap)

Details

(Keywords: crash, verified1.8.0.7, verified1.8.1, Whiteboard: [sg:low])

Attachments

(2 files)

Received at the security@mozilla.org address:

A friend of mine found a bug in Mozilla's JavaScript RE Engine. We
tracked it down and wrote a reliable example that crashes FF on Linux,
Mac and Windows. All versions, including the CVS one, seem to be affected.
While our findings didn't show any ways of exploiting it, there might be
a way to combine this with other bugs to run arbitrary code.

Ok, now for the details. The deadly code:

<script type="text/javascript">
function boo() {
  s = '';
  for (;;) {
    try {
      // '[\\' in JS source is the two-character pattern "[\": an opened
      // class whose last byte is a backslash, the case the parser mishandles
      new RegExp(s + '[\\');
    } catch(e) {}
    s += 'q';  // grow the prefix so the string moves toward the end of the heap
  }
}
</script>
<a href="javascript:boo()">die die die kill kill kill</a>

The culprit is the RE parser, file mozilla/js/src/jsregexp.c, line 1337 (how
appropriate). When '[' is read, the parser loops looking for ']', but if
a '\' is encountered, the pointer is advanced twice. If '\' is the last
character in a regexp, state->cp runs over the string boundaries. Fix:
check if state->cp == state->cpend after incrementing the pointer in
line 1338.

The example code above tries to build a large enough string so that it
gets allocated at the end of the heap. Then the parser runs over the end,
runs out of allocated VM, and segfaults.

As for credits, it was discovered by CanadianGuy, and tracked down by
Girts Folkmanis and Catalin Patulea.

Have a nice day and thanks for making the best browser!  :) 

Cheers,
Girts
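The scanner the report describes, rebuilt as a small C model. This is an added example, not the jsregexp.c source and not the patch on this bug; the loop shape, the names (`re_state`, `scan_class_vulnerable`, `scan_class_fixed`, `run_scan`) and the `fence` guard are assumptions of the example. Both variants walk a length-delimited pattern through a `cp`/`cpend` pair as the report says the real parser does. The vulnerable one skips two bytes on a backslash, so a pattern ending in `[\` leaves `cp` at `cpend + 1`, the equality test at the top of the loop can never fire again, and the scan runs into whatever follows the string. The fixed one re-checks `cpend` after stepping past the backslash, which is the check the report asks for. The pattern is placed in a buffer the demo owns, followed by constructed slack bytes standing in for adjacent heap, so the overread is observable without the segfault.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef enum {
    CLASS_OK,            /* closing ']' found */
    CLASS_UNTERMINATED,  /* input ran out before ']': a syntax error, not a crash */
    CLASS_OVERREAD       /* scanner reached the fence: stand-in for the segfault */
} class_result;

/* Parser state as the report describes it: a cursor and a one-past-the-end
 * pointer over a length-delimited pattern (there is no NUL terminator to stop on). */
typedef struct {
    const char *cp;
    const char *cpend;
} re_state;

/* Vulnerable variant, modelled on the report's description (assumed loop shape,
 * not the jsregexp.c source): the only end-of-input test is an equality check
 * at the top of the loop, and a backslash skips two bytes. With "[\" at the end
 * of the pattern cp lands on cpend + 1, the equality test never fires again, and
 * the loop keeps reading whatever follows the string. `fence` is the end of the
 * buffer this demo owns; the real bug had no fence and read on into unmapped memory. */
static class_result scan_class_vulnerable(re_state *st, const char *fence)
{
    for (;;) {
        if (st->cp == st->cpend)
            return CLASS_UNTERMINATED;
        if (st->cp >= fence)
            return CLASS_OVERREAD;
        if (*st->cp == '\\') {
            st->cp += 2;                 /* the bug: nothing re-checks cpend here */
            continue;
        }
        if (*st->cp == ']')
            return CLASS_OK;
        st->cp++;
    }
}

/* Fixed variant: the backslash skip is taken one byte at a time and the
 * end-of-input test is repeated after the first increment, so an escape with
 * nothing after it is reported as an unterminated class instead of being read. */
static class_result scan_class_fixed(re_state *st)
{
    for (;;) {
        if (st->cp == st->cpend)
            return CLASS_UNTERMINATED;
        if (*st->cp == '\\') {
            st->cp++;                    /* past the backslash ... */
            if (st->cp == st->cpend)     /* ... is there anything left to escape? */
                return CLASS_UNTERMINATED;
            st->cp++;                    /* past the escaped byte */
            continue;
        }
        if (*st->cp == ']')
            return CLASS_OK;
        st->cp++;
    }
}

/* Copy `pattern` (len bytes) to the start of `backing` and fill the rest with
 * `slack_byte`, a constructed stand-in for whatever the heap holds after the
 * string. Scan the first character class with the chosen variant and report
 * where the cursor ended up, measured from the start of the pattern. */
static class_result run_scan(int fixed, const char *pattern, size_t len,
                             char slack_byte, char *backing, size_t backing_size,
                             size_t *cursor)
{
    re_state st;
    const char *open;
    class_result r;

    if (len + 1 > backing_size)
        return CLASS_OVERREAD;           /* caller error: no room for any slack */
    memcpy(backing, pattern, len);
    memset(backing + len, slack_byte, backing_size - len);

    open = memchr(backing, '[', len);
    if (!open) {                         /* no class in this pattern: nothing to scan */
        *cursor = len;
        return CLASS_OK;
    }
    st.cp = open + 1;
    st.cpend = backing + len;
    r = fixed ? scan_class_fixed(&st)
              : scan_class_vulnerable(&st, backing + backing_size);
    *cursor = (size_t)(st.cp - backing);
    return r;
}

int main(void)
{
    char backing[32];
    const char *pat = "qqqq[\\";        /* the PoC's shape: q's, '[', lone backslash */
    size_t len = strlen(pat), cursor;
    class_result r;

    r = run_scan(0, pat, len, 'A', backing, sizeof backing, &cursor);
    printf("vulnerable: result %d, cursor at byte %zu of a %zu-byte pattern\n", (int)r, cursor, len);
    r = run_scan(1, pat, len, 'A', backing, sizeof backing, &cursor);
    printf("fixed:      result %d, cursor at byte %zu of a %zu-byte pattern\n", (int)r, cursor, len);
    return 0;
}
```

With 'A' slack the vulnerable scan walks all the way to the fence, the segfault stand-in. With ']' slack it returns success after "finding" a terminator one byte outside the string, the quieter failure mode that would not crash and so would not show up in the report's test. The fixed scan returns an unterminated-class error with the cursor at exactly `len` bytes in both cases, and both variants agree on a well-formed class such as `[a\]b]`.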
Ick.
Status: NEW → ASSIGNED
Flags: blocking1.8.1?
Priority: -- → P1
Target Milestone: --- → mozilla1.8.1beta2
Attachment #231554 - Flags: review?(brendan)
Flags: blocking1.8.0.7+
Flags: blocking1.7.14?
Flags: blocking-aviary1.0.9?
Comment on attachment 231554 [details] [diff] [review]
Look before we leap

jsregexp.c, sigh.

/be
Attachment #231554 - Flags: review?(brendan)
Attachment #231554 - Flags: review+
Attachment #231554 - Flags: approval1.8.1?
Fix checked into trunk.
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Attachment #231554 - Flags: approval1.8.1? → approval1.8.1+
Flags: blocking1.8.1? → blocking1.8.1+
Fix checked into the 1.8 branch.
Keywords: fixed1.8.1
Flags: in-testsuite+
verified fixed 1.8, 1.9 windows/mac(ppc|tel)/linux 20060803
Status: RESOLVED → VERIFIED
Attachment #231554 - Flags: approval1.8.0.7?
Comment on attachment 231554 [details] [diff] [review]
Look before we leap

approved for 1.8.0 branch, a=dveditz for drivers
Attachment #231554 - Flags: approval1.8.0.7? → approval1.8.0.7+
Fixed on the 1.8.0 branch.
Keywords: fixed1.8.0.7
note: js1_5/GC/regress-346794.js: result: CRASHED signal  11   type: browser for 1.8.0.7 opt/dbg macppc/linux 20060815, but I have not been able to reproduce.
verified fixed 1.8.0.7 20060818 windows/mac*/linux
Whiteboard: [sg:low]
Group: security
Checking in js1_5/GC/regress-346794.js;
/cvsroot/mozilla/js/tests/js1_5/GC/regress-346794.js,v  <--  regress-346794.js
initial revision: 1.1
done