
Issue 745645


Issue metadata

Status: WontFix
Owner: ----
Closed: Jul 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 2
Type: Bug-Security




Chrome string RegExp match Use After Free

Reported by riusks...@gmail.com, Jul 18 2017

Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3141.7 Safari/537.36

Steps to reproduce the problem:
<script>
r = new RegExp(".?", "g");
s = Array(220000700).join('A');
result = s.match(r);
</script>

What is the expected behavior?

What went wrong?
Chrome tab process crash

Did this work before? N/A 

Chrome version: 61.0.3153.4  Channel: dev
OS Version: 10.12.5
Flash Version: Shockwave Flash 26.0 r0
Attachment: test.html (104 bytes)

Components: Blink>JavaScript
Can you elaborate on why you believe this is a use-after-free vulnerability?

The join call creates a string of hundreds of megabytes in size, which is larger than Chrome permits, leading to 

   v8::Utils::ReportOOMFailure(char const *,bool)

... safely terminating the render process.
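Added example, not part of this bug report or of Chromium's code: a small JavaScript check, run under Node.js (the same V8 engine), that shows the two outcomes for an oversized string. A request beyond V8's maximum string length is refused with a catchable RangeError before any allocation happens; a legal but very large request, such as the 220,000,699-character string the repro builds with Array(220000700).join('A'), is allocated and can only fail later through the deliberate out-of-memory abort named in the comment above. The POLICY_MAX_LENGTH cap and the function names are the example's own assumptions, not V8 constants.

```javascript
// Added example; not part of the bug report or of Chromium's code.
// It shows that an oversized JavaScript string is handled by V8's own
// guards rather than by a memory-safety failure. Two outcomes exist:
//   1. the requested length exceeds the engine's hard string-length limit:
//      V8 throws a catchable RangeError ("Invalid string length") before
//      allocating anything;
//   2. the length is legal but the allocation cannot be satisfied:
//      V8 reports out-of-memory and aborts the process deliberately
//      (the v8::Utils::ReportOOMFailure path named in the comment above).
// Only case 1 is exercised here; case 2 is a process abort, not a
// catchable error, and is not something this example tries to trigger.

// Length the original repro requests: Array(n).join('A') produces
// n - 1 separators, so 220,000,699 one-byte characters (about 210 MiB).
const REPRO_LENGTH = 220000700 - 1;

// Guarded string construction. String.prototype.repeat computes the final
// length first, so an over-limit request fails fast instead of allocating.
function tryBuildString(length, ch = "A") {
  try {
    const s = ch.repeat(length);
    return { ok: true, length: s.length };
  } catch (e) {
    return { ok: false, error: e.name, message: e.message };
  }
}

// A RangeError from the routine above is the engine refusing the request,
// the expected and non-exploitable outcome for an oversized string, as
// opposed to a crash inside native code.
function isEngineLengthGuard(result) {
  return !result.ok && result.error === "RangeError";
}

// Conservative per-request cap an application can enforce ahead of time.
// V8's own limit is not exposed to scripts and differs between versions,
// so this cap is a constructed policy value (assumption), not a V8 constant.
const POLICY_MAX_LENGTH = 64 * 1024 * 1024; // 64 Mi characters

function buildStringWithinPolicy(length, ch = "A") {
  if (!Number.isInteger(length) || length < 0 || length > POLICY_MAX_LENGTH) {
    return {
      ok: false,
      error: "PolicyError",
      message: `length ${length} exceeds policy cap ${POLICY_MAX_LENGTH}`,
    };
  }
  return tryBuildString(length, ch);
}

// Stand-alone demonstration.
console.log(tryBuildString(1000));                  // → { ok: true, length: 1000 }
console.log(tryBuildString(2 ** 31));               // → { ok: false, error: "RangeError", ... }
console.log(buildStringWithinPolicy(REPRO_LENGTH)); // → { ok: false, error: "PolicyError", ... }
```

Run with node. The 2 ** 31 request returns immediately because String.prototype.repeat checks the resulting length before allocating, and the repro-sized string is never built: the policy check refuses it first, which is the ahead-of-time control an application has, while the engine-level limit and the OOM abort are what remain once a string of legal size is actually requested.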
Comment 2 by ClusterFuzz (Project Member), Jul 18 2017

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=5177898800775168.
Status: WontFix (was: Unconfirmed)
ClusterFuzz does not reproduce this either.
Comment 4 by sheriffbot@chromium.org (Project Member), Oct 25 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
