integer overflow #10
Comments
pcmacdon pushed a commit that referenced this issue Apr 13, 2020
FossilOrigin-Name: 50642d64b8f0a4e62df68e59fcb2ef0923c3dbec8fc8a15d38b1ddbe655c38d6
This was a general problem with Array using .length when it shouldn't. Should be fixed.
This was referenced Oct 20, 2020
This was referenced Oct 31, 2020
Environment
poc:
The vulnerability code is in line src/jsiArray.c + 414, the function jsi_ArrayMapCmd, the vulnerability code is as follows:

The curlen here is also the size of the array, and can be arbitrarily set in the js code, for example in the poc

The affected code is in the analytic function Jsi_ObjSetLength, as shown in the figure:

The actual array size len is larger than obj->arrMaxSize, which triggers the assert.
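
The length-versus-allocation mismatch described in this report, as an added C sketch that is not jsish source and not the project's fix: `ToyArray`, `toy_set_length`, `toy_map_double`, the `length` field and the `TOY_MAX_LEN` cap are hypothetical, and only the name `arrMaxSize` is borrowed from the issue text.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define TOY_MAX_LEN (1u << 20)  /* assumed policy cap, not a jsish constant */

typedef struct {
    double  *arr;         /* backing storage */
    uint32_t length;      /* script-visible length (hypothetical field) */
    uint32_t arrMaxSize;  /* elements actually allocated */
} ToyArray;

/* Apply a length requested by script. Returns 0 on success, -1 on rejection.
 * The request is range-checked and storage is grown before the length is
 * stored, so length <= arrMaxSize always holds and no assert depends on
 * script-controlled input. */
int toy_set_length(ToyArray *a, uint64_t len) {
    if (len > TOY_MAX_LEN)
        return -1;                    /* also keeps len * sizeof(double) from wrapping */
    if (len > a->arrMaxSize) {
        double *p = realloc(a->arr, (size_t)len * sizeof *p);
        if (p == NULL)
            return -1;                /* old buffer and length stay valid */
        a->arr = p;
        a->arrMaxSize = (uint32_t)len;
    }
    if (len > a->length)              /* zero every newly exposed slot */
        memset(a->arr + a->length, 0, ((size_t)len - a->length) * sizeof *a->arr);
    a->length = (uint32_t)len;
    return 0;
}

/* Map-style loop: the bound comes from the object but is clamped to what is
 * allocated and to the output capacity, never taken on trust. */
uint32_t toy_map_double(const ToyArray *a, double *out, uint32_t outCap) {
    uint32_t n = a->length;
    if (n > a->arrMaxSize) n = a->arrMaxSize;
    if (n > outCap) n = outCap;
    for (uint32_t i = 0; i < n; i++)
        out[i] = a->arr[i] * 2.0;
    return n;
}
```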