10 matches found
CVE-2025-62490
In quickjs, in jsprintobject, when printing an array, the function first fetches the array length and then loops over it. The issue is, printing a value is not side-effect free. An attacker-defined callback could run during jsprintvalue, during which the array could get resized and len1 become ou...
DEBIAN-CVE-2025-62490
In quickjs, in jsprintobject, when printing an array, the function first fetches the array length and then loops over it. The issue is, printing a value is not side-effect free. An attacker-defined callback could run during jsprintvalue, during which the array could get resized and len1 become ou...
CVE-2024-26981
In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix OOB in nilfssetdetype The size of the nilfstypebymode array in the fs/nilfs2/dir.c file is defined as "SIFMT SSHIFT", but the nilfssetdetype function, which uses this array, specifies the index to read from the array ...
CVE-2024-26981
CVE-2024-26981 affects the Linux kernel nilfs2 implementation. The flaw is an out-of-bounds access in nilfs_set_de_type: the index into nilfs_type_by_mode is computed as (mode & S_IFMT) >> S_SHIFT, but the array size is defined as S_IFMT >> S_SHIFT, which can produce an OOB when mode ...
CVE-2020-1900
When unserializing an object with dynamic properties HHVM needs to pre-reserve the full size of the dynamic property array before inserting anything into it. Otherwise the array might resize, invalidating previously stored references. This pre-reservation was not occurring in HHVM prior to v4.32....
Design/Logic Flaw
When unserializing an object with dynamic properties HHVM needs to pre-reserve the full size of the dynamic property array before inserting anything into it. Otherwise the array might resize, invalidating previously stored references. This pre-reservation was not occurring in HHVM prior to v4.32....
CVE-2020-1900
HHVM (HipHop VM) has a vulnerability CVE-2020-1900 affecting unserialization of objects with dynamic properties. The issue occurs when HHVM does not pre-reserve the full size of the dynamic property array before inserting into it, causing potential array resizing that can invalidate previously st...
Design/Logic Flaw
By carefully crafting promise resolutions, it was possible to cause an out-of-bounds read off the end of an array resized during script execution. This could have led to memory corruption and a potentially exploitable crash. This vulnerability affects Thunderbird 68.6, Firefox 74, Firefox ESR68.6...
VBScript - rtFilter Out-of-Bounds Read
VBScript - rtFilter Out-of-Bounds Read On Error Resume Next Class class1 Public Default Property Get x ReDim arr1 End Property End Class set c = new class1 arr = Array"b", "b", "a", "a", c Call Filterarr, "a" !-- ===============================================================================...
UBUNTU-CVE-2018-14326
In MP4v2 2.0.0, there is an integer overflow with resultant memory corruption when resizing MP4Array for the ftyp atom in mp4array.h...