Chrome string RegExp match Use After Free
Reported by
riusks...@gmail.com,
Jul 18 2017
Issue description
UserAgent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3141.7 Safari/537.36
Steps to reproduce the problem:
<script>
r = new RegExp(".?", "g");
s = Array(220000700).join('A');
result = s.match(r);
</script>
What is the expected behavior?
What went wrong?
Chrome tab process crash
Did this work before? N/A
Chrome version: 61.0.3153.4 Channel: dev
OS Version: 10.12.5
Flash Version: Shockwave Flash 26.0 r0
,
Jul 18 2017
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=5177898800775168.
,
Jul 18 2017
clusterfuzz does not reproduce this either.
,
Oct 25 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by elawrence@chromium.org, Jul 18 2017