-
Notifications
You must be signed in to change notification settings - Fork 8
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
integer overflow and buffer overflow #6
Comments
Appears to be a duplicate of #5. |
This was referenced May 11, 2020
This was referenced Oct 20, 2020
This was referenced Oct 31, 2020
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Enviroment
poc:
vulnerability description:
The code that generated the vulnerability is on line src / jsiObj.c: 428, the code is as follows:
![image](https://user-images.githubusercontent.com/13704697/79126706-07c2cd80-7dd3-11ea-9cc6-39b95c4b2830.png)
![image](https://user-images.githubusercontent.com/13704697/79126739-1c9f6100-7dd3-11ea-8b53-8946ed5ca43b.png)
len
is the length of the Array, and the PoC is initially set to a maximum value byo.length
. After the calculation of the code, nsiz is calculated as a negative number, which can bypass the two checks of line 421 and line 425.The affected code is as follows:
obj-> arr
will get a smaller size of heap space, and then memset assigns a value to the space pointed to byobj-> arr + obj-> arrMaxSize
, but this time has exceeded the actual heap range ofobj-> arr
, causing heap overflow .The text was updated successfully, but these errors were encountered: