Bug 550976: No overflow check for regexp back reference and quantifier bounds
Status: RESOLVED WONTFIX (Closed)
Opened 15 years ago; closed 6 years ago
Category: Tamarin Graveyard :: Virtual Machine, defect
Tracking: Not tracked
Target Milestone: Future
Reporter: cpeyer; Assignee: Unassigned
Whiteboard: deferral-candidate
Currently the VM does not check against numerical overflow in regexps in
back references and bounds for the {} quantifier. For example, the following code:
/(a)\21474836481/.test("aa")
instead of the expected error about a too big number, gives true in the shell, since
21474836481 overflows as 1.
Similarly,
/a{21474836481}/.test("a")
also produces true.
Bug found in a SpiderMonkey regression test - see Bug 230216 for details.
I don't think that this is a security issue, but marking as so just in case - though I am unable to get the shell to crash.
Flags: in-testsuite+
Flags: flashplayer-triage+
Flags: flashplayer-qrb?
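Added example, not part of the original report and not Tamarin's code: a C sketch of the wraparound described above, with an unchecked decimal accumulator beside one that rejects oversized numbers. The 32-bit unsigned accumulator, the function names and the REGEX_NUM_MAX cap are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed upper limit for a back reference number or {n} bound (illustrative). */
#define REGEX_NUM_MAX 65535u

/* Unchecked: digits are accumulated modulo 2^32, so a long number wraps silently. */
uint32_t parse_unchecked(const char *s, size_t *consumed)
{
    uint32_t n = 0;
    size_t i = 0;
    for (; s[i] >= '0' && s[i] <= '9'; i++)
        n = n * 10u + (uint32_t)(s[i] - '0');
    *consumed = i;
    return n;
}

/* Checked: returns 0 on success, -1 if no digits, -2 if the value exceeds
 * REGEX_NUM_MAX. All digits are consumed so the caller can report the token. */
int parse_checked(const char *s, uint32_t *out, size_t *consumed)
{
    uint32_t n = 0;
    size_t i = 0;
    int too_big = 0;
    for (; s[i] >= '0' && s[i] <= '9'; i++) {
        uint32_t d = (uint32_t)(s[i] - '0');
        if (too_big || n > (REGEX_NUM_MAX - d) / 10u)
            too_big = 1;            /* n * 10 + d would exceed the limit */
        else
            n = n * 10u + d;
    }
    *consumed = i;
    if (i == 0) return -1;
    if (too_big) return -2;
    *out = n;
    return 0;
}

int main(void)
{
    const char *digits = "21474836481";   /* the number from the report */
    size_t used = 0;
    uint32_t v = 0;
    printf("unchecked: %u\n", (unsigned)parse_unchecked(digits, &used));
    int rc = parse_checked(digits, &v, &used);
    printf("checked: rc=%d after %zu digits\n", rc, used);
    return 0;
}
```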
Rob, please confirm whether the overflow can lead to a security concern.
Assignee: nobody → rwinchel
Status: NEW → ASSIGNED
Flags: flashplayer-qrb? → flashplayer-qrb+
Priority: -- → P2
Target Milestone: --- → flash10.1
Comment 2•15 years ago
I don't think this is a security issue. No crash, and the overflow doesn't lead to out-of-range reading/writing.
Declassifying, retargeting to Future.
Blocks: regex-upgrade
Comment 5•6 years ago
No assignee, updating the status.
Comment 6•6 years ago
No assignee, updating the status.
Comment 7•6 years ago
Tamarin is a dead project now. Mass WONTFIX.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WONTFIX
Comment 8•6 years ago
Tamarin isn't maintained anymore. WONTFIX remaining bugs.