II. Description
Building a RegExp object from a malformed regular expression such as:
var exp:RegExp = new RegExp("(?:(VenusTech)(?2){0,1020}(b))?)");
will normally crash the process because of an out-of-bounds read of stack memory.
The RegExp object uses a fixed-size stack variable, cworkspace, during compilation. Since cworkspace can be filled up by repeated forward references, a mechanism for expanding cworkspace was introduced: once a potential stack overflow is detected, the original cworkspace is replaced by a newly allocated heap block large enough to hold everything, and the pointers that refer to cworkspace are updated to point into the new heap block.
The problem is that the update of the cworkspace pointers happens inside a recursively called function, and a local variable holding the cworkspace pointer is not kept in sync across the different recursion levels.
Subsequent operations copy the contents of the original cworkspace, starting from the out-of-date local cworkspace pointer and ending at a pointer into the newly created heap block. Because the local cworkspace variable still points to the stack, which is normally at a lower address than the newly created heap block, the copy reads beyond the bounds of the stack.
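As an added illustration, not code from the advisory or from the affected RegExp engine, the following hypothetical C model reproduces the pattern described above: a recursive compile function caches a local pointer into the workspace, an inner call moves the workspace to the heap, and the caller then uses its stale pointer, while the fixed variant keeps only an offset and re-derives the pointer from the live base. All names (ws_t, ws_grow, emit_group_*, demo_*) are assumptions, and the stale pointer is only compared against the live block, never dereferenced.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical model of a compile workspace like cworkspace: a fixed stack
   buffer (base) that is moved to a heap block (heap) once it would overflow. */
typedef struct { unsigned char *base, *heap; size_t len, cap; } ws_t;
static int ws_grow(ws_t *ws, size_t need) {
    size_t ncap = ws->cap * 2 + need;
    unsigned char *nb = malloc(ncap);
    if (!nb) return -1;
    memcpy(nb, ws->base, ws->len);   /* copies from the live base: correct */
    free(ws->heap); ws->base = ws->heap = nb; ws->cap = ncap;
    return 0;
}
/* 1 if p lies outside the live workspace block (addresses compared as integers). */
static int outside_live(const ws_t *ws, const unsigned char *p) {
    uintptr_t a = (uintptr_t)p, b = (uintptr_t)ws->base; return a < b || a >= b + ws->cap;
}
/* Buggy shape: a pointer into the workspace is cached, the recursive call moves
   the workspace, and the stale pointer is used afterwards (1 = stale). */
static int emit_group_buggy(ws_t *ws, int depth, size_t n) {
    size_t start = ws->len;
    if (ws->len + n > ws->cap && ws_grow(ws, n)) return -1;
    unsigned char *code = ws->base + start;      /* cached before recursion */
    memset(ws->base + ws->len, 0xAA, n);         /* emit n bytes of "code" */
    ws->len += n;
    if (depth > 0) { int r = emit_group_buggy(ws, depth - 1, n); if (r) return r; }
    return outside_live(ws, code);               /* a real engine copies from here */
}
/* Fixed shape: keep only the offset and re-derive the pointer after the call. */
static int emit_group_fixed(ws_t *ws, int depth, size_t n) {
    size_t start = ws->len;
    if (ws->len + n > ws->cap && ws_grow(ws, n)) return -1;
    memset(ws->base + ws->len, 0xAA, n);
    ws->len += n;
    if (depth > 0) { int r = emit_group_fixed(ws, depth - 1, n); if (r) return r; }
    return outside_live(ws, ws->base + start);   /* re-derived from live base */
}
/* Run one variant on a 16-byte stack workspace; 3 groups of 8 bytes force the move. */
static int demo(int (*emit)(ws_t *, int, size_t)) {
    unsigned char stackbuf[16];                  /* the fixed-size stack variable */
    ws_t ws = { stackbuf, NULL, 0, sizeof stackbuf };
    int stale = emit(&ws, 2, 8);                 /* depth 2 => 3 nested groups */
    free(ws.heap);
    return stale;
}
int demo_buggy(void) { return demo(emit_group_buggy); }   /* returns 1 */
int demo_fixed(void) { return demo(emit_group_fixed); }   /* returns 0 */
```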
VI. Credit
Wen Guanxing from Venustech ADLAB is credited for this vulnerability.