Last Comment Bug 346794 - RegExp ending in '[\\' reads past end of string
: RegExp ending in '[\\' reads past end of string
Status: VERIFIED FIXED
[sg:low]
: crash, verified1.8.0.7, verified1.8.1
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: Trunk
: All All
: P1 critical (vote)
: mozilla1.8.1beta2
Assigned To: Blake Kaplan (:mrbkap)
:
: Jason Orendorff [:jorendorff]
Mentors:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2006-07-31 22:25 PDT by Daniel Veditz [:dveditz]
Modified: 2006-10-10 04:17 PDT (History)
3 users (show)
dveditz: blocking1.7.14?
dveditz: blocking‑aviary1.0.9?
dbaron: blocking1.8.1+
dveditz: blocking1.8.0.7+
bob: in‑testsuite+
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments
Look before we leap (1.44 KB, patch)
2006-08-01 01:00 PDT, Blake Kaplan (:mrbkap)
brendan: review+
dveditz: approval1.8.0.7+
dbaron: approval1.8.1+
Details | Diff | Splinter Review
js1_5/GC/regress-346794.js (2.53 KB, text/plain)
2006-08-02 02:28 PDT, Bob Clary [:bc:]
no flags Details

Description Daniel Veditz [:dveditz] 2006-07-31 22:25:29 PDT
Received at the security@mozilla.org address:

a friend of mine found a bug in Mozilla's JavaScript RE Engine. We
tracked it down and wrote a reliable example that crashes FF on Linux,
Mac and Windows. All versions including CVS one seem to be affected.
While our findings didn't show any ways of exploiting it, there might be
a way to combine this with other bugs to run arbitrary code.

Ok, now for the details. The deadly code:

<script type="text/javascript">
function boo() {
  s = '';
  for (;;) {
    try {
      new RegExp(s + '[\\');
    } catch(e) {}
    s += 'q';
  }
}
</script>
<a href="javascript:boo()">die die die kill kill kill</a>

The culprit is RE parser, file mozilla/js/src/jsregexp.c, line 1337 (how
appropriate). When '[' is read, the parser loops looking for ']', but if
a '\' is encountered, the pointer is advanced twice. If '\' is the last
character in a regexp, state->cp runs over the string boundaries. Fix:
check if state->cp == state->cpend after incrementing the pointer in
line 1338.

The example code above tries building a large enough string, so that it
gets allocated in the end of heap. Then the parser runs over the end and
runs out of allocated VM, causing a segfault.

As for credits, it was discovered by CanadianGuy, and tracked down by
Girts Folkmanis and Catalin Patulea.

Have a nice day and thanks for making the best browser!  :) 

Cheers,
Girts
Comment 1 Blake Kaplan (:mrbkap) 2006-08-01 00:45:57 PDT
Ick.
Comment 2 Blake Kaplan (:mrbkap) 2006-08-01 01:00:33 PDT
Created attachment 231554 [details] [diff] [review]
Look before we leap
Comment 3 Brendan Eich [:brendan] 2006-08-01 10:37:09 PDT
Comment on attachment 231554 [details] [diff] [review]
Look before we leap

jsregexp.c, sigh.

/be
Comment 4 Blake Kaplan (:mrbkap) 2006-08-01 13:01:16 PDT
Fix checked into trunk.
Comment 5 Blake Kaplan (:mrbkap) 2006-08-01 15:57:54 PDT
Fix checked into the 1.8 branch.
Comment 6 Bob Clary [:bc:] 2006-08-02 02:28:25 PDT
Created attachment 231732 [details]
js1_5/GC/regress-346794.js
Comment 7 Bob Clary [:bc:] 2006-08-04 10:34:18 PDT
verified fixed 1.8, 1.9 windows/mac(ppc|tel)/linux 20060803
Comment 8 Daniel Veditz [:dveditz] 2006-08-11 11:36:31 PDT
Comment on attachment 231554 [details] [diff] [review]
Look before we leap

approved for 1.8.0 branch, a=dveditz for drivers
Comment 9 Blake Kaplan (:mrbkap) 2006-08-16 12:12:39 PDT
Fixed on the 1.8.0 branch.
Comment 10 Bob Clary [:bc:] 2006-08-17 11:53:14 PDT
note: js1_5/GC/regress-346794.js: result: CRASHED signal  11   type: browser for 1.8.0.7 opt/dbg macppc/linux 20060815, but I have not been able to reproduce.
Comment 11 Bob Clary [:bc:] 2006-08-20 11:28:58 PDT
verified fixed 1.8.0.7 20060818 windows/mac*/linux
Comment 12 Bob Clary [:bc:] 2006-10-10 04:17:50 PDT
Checking in js1_5/GC/regress-346794.js;
/cvsroot/mozilla/js/tests/js1_5/GC/regress-346794.js,v  <--  regress-346794.js
initial revision: 1.1
done

Note You need to log in before you can comment on or make changes to this bug.