Closed Bug 550976 Opened 14 years ago Closed 6 years ago

No overflow check for regexp back reference and quantifier bounds

Categories

(Tamarin Graveyard :: Virtual Machine, defect)

x86
All
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED WONTFIX
Future

People

(Reporter: cpeyer, Unassigned)

References

Details

(Whiteboard: deferral-candidate)

Currently the VM does not check for numerical overflow in regexps, either in
back references or in the bounds of the {} quantifier. For example, the following code:
/(a)\21474836481/.test("aa")
instead of the expected error about a too-big number, gives true in the shell, since
21474836481 overflows as 1.

Similarly,
/a{21474836481}/.test("a")
also produces true.

Bug found in a SpiderMonkey regression test - see Bug 230216 for details.

I don't think that this is a security issue, but marking it as such just in case - though I am unable to get the shell to crash.
Flags: in-testsuite+
Flags: flashplayer-triage+
Flags: flashplayer-qrb?
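
Added example, not part of the original report and not Tamarin's code: a C sketch of how an unchecked decimal parse turns 21474836481 into 1 in a 32-bit accumulator, next to a range-checked parse that rejects it. The function names, the 32-bit accumulator width and the `max` limit are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Models the reported behaviour: digits accumulate in 32 bits with no range
 * check. uint32_t keeps the wraparound well defined in C (the same
 * arithmetic on a signed int would be undefined behaviour). */
static uint32_t parse_unchecked(const char *s, const char **end)
{
    uint32_t n = 0;
    while (*s >= '0' && *s <= '9')
        n = n * 10u + (uint32_t)(*s++ - '0');
    *end = s;
    return n;
}

/* Hardened form: reject before the multiply-add can exceed `max`.
 * `max` is a hypothetical caller-chosen limit, e.g. the number of capture
 * groups for a back reference or a ceiling for a {} quantifier bound.
 * Returns 0 on success, -1 on "no digits" or "number too big". */
static int parse_checked(const char *s, uint32_t max, uint32_t *out,
                         const char **end)
{
    uint32_t n = 0;
    const char *p = s;
    if (*p < '0' || *p > '9')
        return -1;
    while (*p >= '0' && *p <= '9') {
        uint32_t d = (uint32_t)(*p++ - '0');
        if (d > max || n > (max - d) / 10u)   /* n*10 + d would exceed max */
            return -1;
        n = n * 10u + d;
    }
    *out = n;
    *end = p;
    return 0;
}

int main(void)
{
    const char *end;
    uint32_t v = 0;
    /* The number from the report: 21474836481 = 5 * 2^32 + 1 */
    printf("unchecked: %u\n", (unsigned)parse_unchecked("21474836481", &end));
    /* 1 = a pattern with a single capture group, as in /(a)\N/ */
    int rc = parse_checked("21474836481", 1u, &v, &end);
    printf("checked:   %s\n", rc == 0 ? "accepted" : "rejected (too big)");
    return 0;
}
```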
Rob, please confirm whether the overflow can lead to a security concern.
Assignee: nobody → rwinchel
Status: NEW → ASSIGNED
Flags: flashplayer-qrb? → flashplayer-qrb+
Priority: -- → P2
Target Milestone: --- → flash10.1
Whiteboard: deferral-candidate
I don't think this is a security issue. No crash, and the overflow doesn't lead to out-of-range reading/writing.
Declassifying, retargeting to Future.
Blocks: AS3_Builtins
Group: tamarin-security
Priority: P2 → --
Target Milestone: flash10.1 → Future
Assignee: rwinchel → nobody
No assignee, updating the status.
Status: ASSIGNED → NEW
Tamarin is a dead project now. Mass WONTFIX.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WONTFIX
Tamarin isn't maintained anymore. WONTFIX remaining bugs.