JScript 5.7 (MSIE 8) RegExpBase::FBadHeader regular expression use-after-free

October 13, 2015 007admin Leave a comment

Posted by Berend-Jan Wever on Oct 13

Recompiling the regular expression pattern during a replace can cause
the code
to reuse a freed string, but only if the string is freed from the cache by
allocating and freeing a number of strings of certain size.

CVE-2015-2482:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2482
ZDI-15-515: http://www.zerodayinitiative.com/advisories/ZDI-15-515/
MS15-108: https://technet.microsoft.com/en-us/library/security/MS15-108

Repro:…

007 Software

JScript 5.7 (MSIE 8) RegExpBase::FBadHeader regular expression use-after-free

Leave a Reply Cancel reply

Software and Security Information