10 matches found
Chrome: V8: Empty BytecodeJumpTable may lead to OOB read
In the current implementation, the bytecode generator also emits empty jump tables. https://cs.chromium.org/chromium/src/v8/src/interpreter/bytecode-array-writer.cc?rcl=111e990462823c9faeee06b67c0dcf05749d4da8&l=89 So the bytecode for the example code would be generated as follows: Code: function...
Chrome V8 JIT - Empty BytecodeJumpTable Out-of-Bounds Read
Chrome V8 JIT - Empty BytecodeJumpTable Out-of-Bounds Read / In the current implementation, the bytecode generator also emits empty jump tables. https://cs.chromium.org/chromium/src/v8/src/interpreter/bytecode-array-writer.cc?rcl=111e990462823c9faeee06b67c0dcf05749d4da8&l=89 So the bytecode for t...
Chrome V8 JIT - Empty BytecodeJumpTable Out-of-Bounds Read
/ In the current implementation, the bytecode generator also emits empty jump tables. https://cs.chromium.org/chromium/src/v8/src/interpreter/bytecode-array-writer.cc?rcl=111e990462823c9faeee06b67c0dcf05749d4da8&l=89 So the bytecode for the example code would be generated as follows: Code: functi...
Chrome V8 Out-Of-Bounds Read
Chrome: V8: Empty BytecodeJumpTable may lead to OOB read In the current implementation, the bytecode generator also emits empty jump tables. https://cs.chromium.org/chromium/src/v8/src/interpreter/bytecode-array-writer.cc?rcl=111e990462823c9faeee06b67c0dcf05749d4da8&l=89 So the bytecode for the...
Microsoft Edge Chakra - Parser::ParseCatch does not Handle (eval) Exploit
Exploit for windows platform in category dos / poc PnodeBlockType::Regular, isPattern ? ScopeTypeCatchParamPattern : ScopeTypeCatch; ... ParseNodePtr pnodePattern = ParseDestructuredLiteraltkLET, true /isDecl/, true /topLevel/, DICForceErrorOnInitializer; ... 1. "pnodeCatchScope" is a temporary...
Microsoft Edge Chakra EmitNew Integer Overflow Exploit
Google Security Research Microsoft Edge: Chakra: Integer overflow in EmitNew CVE-2017-8636 The bytecode generator uses the "EmitNew" function to handle new operators. Here's the code how the function checks for integer overflow. void EmitNewParseNode pnode, ByteCodeGenerator byteCodeGenerator,...
Microsoft Edge Chakra EmitNew Integer Overflow
Microsoft Edge: Chakra: Integer overflow in EmitNew CVE-2017-8636 The bytecode generator uses the "EmitNew" function to handle new operators. Here's the code how the function checks for integer overflow. void EmitNewParseNode pnode, ByteCodeGenerator byteCodeGenerator, FuncInfo funcInfo Js::ArgSl...
Microsoft Edge Chakra - EmitNew Integer Overflow
Microsoft Edge Chakra - EmitNew Integer Overflow sxCall.argCount; argCount++; // include "this" BOOL fSideEffectArgs = FALSE; unsigned int tmpCount = CountArgumentspnode-sxCall.pnodeArgs, &fSideEffectArgs; AssertargCount == tmpCount; if argCount != Js::ArgSlotargCount Js::Throw::OutOfMemory;...
Microsoft Edge: Chakra: Integer overflow in EmitNew(CVE-2017-8636)
The bytecode generator uses the "EmitNew" function to handle new operators. Here's the code how the function checks for integer overflow. void EmitNewParseNode pnode, ByteCodeGenerator byteCodeGenerator, FuncInfo funcInfo Js::ArgSlot argCount = pnode-sxCall.argCount; argCount++; // include "this"...
Microsoft Edge Chakra - 'EmitNew' Integer Overflow
sxCall.argCount; argCount++; // include "this" BOOL fSideEffectArgs = FALSE; unsigned int tmpCount = CountArgumentspnode-sxCall.pnodeArgs, &fSideEffectArgs; AssertargCount == tmpCount; if argCount != Js::ArgSlotargCount Js::Throw::OutOfMemory; ... "Js::ArgSlot" is a 16 bit unsigned integer type...