Bug 346794 - RegExp ending in '[\\' reads past end of string
Keywords: crash, verified1.8.0.7, verified1.8.1
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: All All
Importance: P1 critical
Target Milestone: mozilla1.8.1beta2
Assigned To: Blake Kaplan (:mrbkap)
QA Contact: Jason Orendorff [:jorendorff]
Depends on:
Reported: 2006-07-31 22:25 PDT by Daniel Veditz [:dveditz]
Modified: 2006-10-10 04:17 PDT
CC: 3 users
dveditz: blocking1.7.14?
dveditz: blocking-aviary1.0.9?
dbaron: blocking1.8.1+
dveditz: blocking1.8.0.7+
bob: in-testsuite+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

Attachments:
Look before we leap (1.44 KB, patch), 2006-08-01 01:00 PDT, Blake Kaplan (:mrbkap)
  brendan: review+
  dveditz: approval1.8.0.7+
  dbaron: approval1.8.1+
js1_5/GC/regress-346794.js (2.53 KB, text/plain), 2006-08-02 02:28 PDT, Bob Clary [:bc:]
  no flags

Description Daniel Veditz [:dveditz] 2006-07-31 22:25:29 PDT
Received at the address:

A friend of mine found a bug in Mozilla's JavaScript RE Engine. We
tracked it down and wrote a reliable example that crashes FF on Linux,
Mac and Windows. All versions including the CVS one seem to be affected.
While our findings didn't show any ways of exploiting it, there might be
a way to combine this with other bugs to run arbitrary code.

Ok, now for the details. The deadly code:

<script type="text/javascript">
function boo() {
  s = '';
  for (;;) {
    try {
      new RegExp(s + '[\\');   // pattern ends in an unterminated escape inside a class
    } catch(e) {}
    s += 'q';                  // grow the string so it ends up at the end of the heap
  }
}
</script>
<a href="javascript:boo()">die die die kill kill kill</a>

The culprit is the RE parser, file mozilla/js/src/jsregexp.c, line 1337 (how
appropriate). When '[' is read, the parser loops looking for ']', but if
a '\' is encountered, the pointer is advanced twice. If '\' is the last
character in a regexp, state->cp runs over the string boundaries. Fix:
check if state->cp == state->cpend after incrementing the pointer in
line 1338.

The example code above tries building a large enough string, so that it
gets allocated in the end of heap. Then the parser runs over the end and
runs out of allocated VM, causing a segfault.

As for credits, it was discovered by CanadianGuy, and tracked down by
Girts Folkmanis and Catalin Patulea.

Have a nice day and thanks for making the best browser!  :) 
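
The scan loop and the fix described in the report, as an added example in C that is not SpiderMonkey's jsregexp.c code and not the patch on this bug. It assumes its own names (scan_class_checked, overrun_unchecked, check_pattern, the class_status enum, the 64-byte arena): the hardened scanner re-checks the bound right after stepping over a backslash, and the defective shape is run inside a padded arena so the over-read can be measured without the process faulting.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example; not SpiderMonkey's jsregexp.c. It models the character-class
 * scan the report describes: after '[', walk forward until ']', and when a
 * backslash is seen, step over it and the byte it escapes. The function names,
 * the status enum and the arena harness are this example's own inventions. */

typedef enum { CLASS_OK, CLASS_UNTERMINATED } class_status;

/* Hardened shape ("look before we leap"): after stepping over the backslash,
 * test the bound again before touching the escaped byte. cp points just past
 * '[', cpend one past the last pattern byte; *class_len receives the number
 * of bytes before the closing ']'. */
static class_status scan_class_checked(const char *cp, const char *cpend,
                                       size_t *class_len)
{
    const char *start = cp;
    for (;;) {
        if (cp == cpend)
            return CLASS_UNTERMINATED;   /* pattern ended without ']' */
        if (*cp == '\\') {
            cp++;                        /* over the backslash ... */
            if (cp == cpend)             /* ... the fix: check again here */
                return CLASS_UNTERMINATED;
            cp++;                        /* over the escaped byte */
            continue;
        }
        if (*cp == ']') {
            *class_len = (size_t)(cp - start);
            return CLASS_OK;
        }
        cp++;
    }
}

/* The defective shape, run inside a memory-safe harness. The pattern is copied
 * into an arena padded with a byte that is never ']'; with no re-check after
 * the backslash, a pattern ending in "[\" carries the cursor past cpend and
 * into the padding, which is what the report describes. The loop tests
 * cp == cpend rather than cp < cpend, so a cursor that has already jumped past
 * cpend never stops there. Returns how far past cpend the cursor got; the
 * hard_end guard exists only so the demonstration stops instead of faulting. */
#define ARENA_SIZE 64
static size_t overrun_unchecked(const char *pattern, size_t len)
{
    char arena[ARENA_SIZE];
    const char *cp, *cpend, *hard_end;

    if (len > ARENA_SIZE / 2)
        return 0;                        /* keep room for the padding */
    memset(arena, 'x', sizeof arena);    /* constructed padding, no ']' */
    memcpy(arena, pattern, len);
    cp = arena;
    cpend = arena + len;
    hard_end = arena + sizeof arena;

    for (;;) {
        if (cp == cpend)
            return 0;                    /* stopped at the real end */
        if (cp >= hard_end)
            return (size_t)(cp - cpend); /* harness stop, not parser logic */
        if (*cp == '\\') {
            cp++;                        /* defect: no bound check here ... */
            cp++;                        /* ... so this can leave the pattern */
            continue;
        }
        if (*cp == ']')
            return 0;
        cp++;
    }
}

/* Whole-pattern convenience: find the first unescaped '[' and scan the class
 * after it with the hardened loop. A pattern without a class passes. */
static class_status check_pattern(const char *src)
{
    const char *cp = src, *cpend = src + strlen(src);
    size_t n;

    while (cp != cpend && *cp != '[') {
        if (*cp == '\\' && cp + 1 != cpend)
            cp++;                        /* skip the escaped byte */
        cp++;
    }
    return cp == cpend ? CLASS_OK : scan_class_checked(cp + 1, cpend, &n);
}

int main(void)
{
    const char *bad = "qqq[\\";          /* the report's shape, constructed */
    printf("%s -> %s\n", bad,
           check_pattern(bad) == CLASS_OK ? "ok" : "unterminated class");
    printf("unchecked scan ran %zu bytes past the end of \"\\\"\n",
           overrun_unchecked("\\", 1));
    return 0;
}
```

The point of the equality test in the comments is why the report's loop keeps going rather than stopping one byte late: once the cursor has been advanced past cpend by the double increment, a check that only compares for equality never fires again, and the scan continues until it meets a ']' or unmapped memory. Re-checking immediately after the first increment is the smallest change that closes that window.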

Comment 1 Blake Kaplan (:mrbkap) 2006-08-01 00:45:57 PDT
Comment 2 Blake Kaplan (:mrbkap) 2006-08-01 01:00:33 PDT
Created attachment 231554 [details] [diff] [review]
Look before we leap
Comment 3 Brendan Eich [:brendan] 2006-08-01 10:37:09 PDT
Comment on attachment 231554 [details] [diff] [review]
Look before we leap

jsregexp.c, sigh.

Comment 4 Blake Kaplan (:mrbkap) 2006-08-01 13:01:16 PDT
Fix checked into trunk.
Comment 5 Blake Kaplan (:mrbkap) 2006-08-01 15:57:54 PDT
Fix checked into the 1.8 branch.
Comment 6 Bob Clary [:bc:] 2006-08-02 02:28:25 PDT
Created attachment 231732 [details]
Comment 7 Bob Clary [:bc:] 2006-08-04 10:34:18 PDT
verified fixed 1.8, 1.9 windows/mac(ppc|tel)/linux 20060803
Comment 8 Daniel Veditz [:dveditz] 2006-08-11 11:36:31 PDT
Comment on attachment 231554 [details] [diff] [review]
Look before we leap

approved for 1.8.0 branch, a=dveditz for drivers
Comment 9 Blake Kaplan (:mrbkap) 2006-08-16 12:12:39 PDT
Fixed on the 1.8.0 branch.
Comment 10 Bob Clary [:bc:] 2006-08-17 11:53:14 PDT
note: js1_5/GC/regress-346794.js: result: CRASHED signal  11   type: browser for opt/dbg macppc/linux 20060815, but I have not been able to reproduce.
Comment 11 Bob Clary [:bc:] 2006-08-20 11:28:58 PDT
verified fixed 20060818 windows/mac*/linux
Comment 12 Bob Clary [:bc:] 2006-10-10 04:17:50 PDT
Checking in js1_5/GC/regress-346794.js;
/cvsroot/mozilla/js/tests/js1_5/GC/regress-346794.js,v  <--  regress-346794.js
initial revision: 1.1