-
Notifications
You must be signed in to change notification settings - Fork 8
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
integer overflow and buffer overflow #5
Comments
pcmacdon
pushed a commit
that referenced
this issue
Apr 13, 2020
…r overflow and buffer overflow #5". FossilOrigin-Name: 8c46a1d465b358110dcfb271721d35fe843a1b52f2fa24ccc10094eb8aaf6fe4
As of the previous commit the above reported bug is no longer reproducible. |
This was referenced Apr 14, 2020
Closed
This was referenced May 11, 2020
This was referenced Oct 20, 2020
This was referenced Oct 31, 2020
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Enviroment
poc:
vulnerability description:
In src/jsiObj.c:428,
![image](https://user-images.githubusercontent.com/13704697/79126462-8d924900-7dd2-11ea-93ab-89254ffcc501.png)
len
is the length of the Array, and the PoC is initially set to a maximum value by o.length. After the calculation of the code, nsiz is calculated as a negative number, which can bypass the two checks of line 421 and line 425.obj-> arr
will get a smaller size of heap space, and then memset assigns a value to the space pointed to byobj-> arr + obj-> arrMaxSize
, but this time has exceeded the actual heap range ofobj-> arr
, causing heap overflow .The text was updated successfully, but these errors were encountered: