Recently, I have found an interesting crash in Firefox and decided to investigate more. So I decided to Google for it and it appears that the issue is already known and was reported few months ago to Mozilla. However, the bug is not fixed yet (at least in FF 26) and as a matter of personal exercise, I have decided to dig a little deeper and collect some notes which I am sharing in this blog post. Here is a brief analysis of what I have found, thanks also to the pointers given from my friend Andrzej Dereszowski . This is the crash PoC: <html> <head> <script> function main() { regexp = /(?!Z)r{2147483647,}M\d/; "A".match(regexp); } main(); </script> </head> <body> </body> </html> Below, a windbg screen shot showing the crash on Firefox 25 / Windows 8.1 (64bit): At this stage, we can infer that an overflow occurred and as a measure of protection FF decided to crash instead of gracefully handle the is...
Security research, divulgations and food for thought.