
13 matches found

ossfuzz
added 2018/08/01 1:51 a.m. | 15 views

chakra: Global-buffer-overflow in ThreadContext::FindPropertyRecord

Project: https://github.com/Microsoft/ChakraCore.git Detailed report: https://oss-fuzz.com/testcase?key=5969175091609600 Project: chakra Fuzzer: jsfuzzer Job Type: asanchakra Platform Id: linux Crash Type: Global-buffer-overflow READ 8 Crash Address: 0x562fc67cdc80 Crash State:...

6.8 AI score
Exploits: 0 | Affected Software: 1
ossfuzz
added 2018/06/15 6:12 a.m. | 10 views

chakra: Global-buffer-overflow in ThreadContext::FindPropertyRecord

Project: https://github.com/Microsoft/ChakraCore.git Detailed report: https://oss-fuzz.com/testcase?key=6605684912160768 Project: chakra Fuzzer: jsfuzzer Job Type: asanchakra Platform Id: linux Crash Type: Global-buffer-overflow READ 8 Crash Address: 0x564aec3d7b98 Crash State:...

6.8 AI score
Exploits: 0 | Affected Software: 1
ossfuzz
added 2017/11/01 2:50 p.m. | 16 views

chakra: Stack-use-after-scope in Js::JavascriptFunction::CallAsConstructor

Project: https://github.com/Microsoft/ChakraCore.git Detailed report: https://oss-fuzz.com/testcase?key=4931873332527104 Project: chakra Fuzzer: jsfuzzer Job Type: asanchakra Platform Id: linux Crash Type: Stack-use-after-scope WRITE 8 Crash Address: 0x7fd69755f220 Crash State:...

7.2 AI score
Exploits: 0 | Affected Software: 1
Packet Storm
added 2017/09/22 12:0 a.m. | 38 views

Microsoft Edge Chakra JavascriptFunction::ReparseAsmJsModule Parsing Issue

Microsoft Edge: Chakra: JavascriptFunction::ReparseAsmJsModule incorrectly re-parses CVE-2017-8755 This is similar to the issue 1271. Here's the method used to re-parse asmjs modules. void JavascriptFunction::ReparseAsmJsModuleScriptFunction functionRef ParseableFunctionInfo functionInfo =...

7.6 CVSS | 0.8 AI score | 0.76981 EPSS
Exploits: 3
0day.today
added 2017/09/21 12:0 a.m. | 44 views

Microsoft Edge Chakra - JavascriptFunction::ReparseAsmJsModule Incorrectly Re-parses Exploit

Exploit for windows platform in category dos / poc GetParseableFunctionInfo; AssertfunctionInfo; functionInfo-GetFunctionBody-AddDeferParseAttribute; functionInfo-GetFunctionBody-ResetEntryPoint; functionInfo-GetFunctionBody-ResetInParams; FunctionBody funcBody = functionInfo-ParsefunctionRef; if...

7.6 CVSS | 7.8 AI score | 0.76981 EPSS
Exploits: 3
exploitpack
added 2017/09/21 12:0 a.m. | 14 views

Microsoft Edge Chakra - JavascriptFunction::ReparseAsmJsModule Incorrectly Re-parses

Microsoft Edge Chakra - JavascriptFunction::ReparseAsmJsModule Incorrectly Re-parses GetParseableFunctionInfo; AssertfunctionInfo; functionInfo-GetFunctionBody-AddDeferParseAttribute; functionInfo-GetFunctionBody-ResetEntryPoint; functionInfo-GetFunctionBody-ResetInParams; FunctionBody funcBody =...

0.7 AI score
Exploits: 0
Exploit DB
added 2017/09/21 12:0 a.m. | 29 views

Microsoft Edge Chakra - 'JavascriptFunction::ReparseAsmJsModule' Incorrectly Re-parses

GetParseableFunctionInfo; AssertfunctionInfo; functionInfo-GetFunctionBody-AddDeferParseAttribute; functionInfo-GetFunctionBody-ResetEntryPoint; functionInfo-GetFunctionBody-ResetInParams; FunctionBody funcBody = functionInfo-ParsefunctionRef; if ENABLEPROFILEINFO // This is the first call to the...

7.4 AI score
Exploits: 0
exploitpack
added 2017/08/17 12:0 a.m. | 13 views

Microsoft Edge Chakra - JavascriptFunction::EntryCall Fails to Handle CallInfo Properly

Microsoft Edge Chakra - JavascriptFunction::EntryCall Fails to Handle CallInfo Properly GetScriptContext, Js::Constants::MinStackDefault; RUNTIMEARGUMENTSargs, callInfo; ScriptContext scriptContext = function-GetScriptContext; Assert!callInfo.Flags & CallFlagsNew; /// /// Check Argument0 has...

0.6 AI score
Exploits: 0
0day.today
added 2017/08/17 12:0 a.m. | 24 views

Microsoft Edge Chakra JavascriptFunction::EntryCall Mishandled CallInfo Exploit

Microsoft Edge Chakra does not handle CallInfo properly in JavascriptFunction::EntryCall. Microsoft Edge: Chakra: JavascriptFunction::EntryCall doesn't handle CallInfo properly CVE-2017-8671 Here's the method. Var JavascriptFunction::EntryCallRecyclableObject function, CallInfo callInfo,...

7.6 CVSS | 7.6 AI score | 0.81883 EPSS
Exploits: 35
seebug.org
added 2017/08/17 12:0 a.m. | 36 views

Microsoft Edge: Chakra: JavascriptFunction::EntryCall doesn't handle CallInfo properly(CVE-2017-8671)

Here's the method. Var JavascriptFunction::EntryCallRecyclableObject function, CallInfo callInfo, ... PROBESTACKfunction-GetScriptContext, Js::Constants::MinStackDefault; RUNTIMEARGUMENTSargs, callInfo; ScriptContext scriptContext = function-GetScriptContext; Assert!callInfo.Flags & CallFlagsNew;...

7.6 CVSS | 7.7 AI score | 0.81883 EPSS
Exploits: 35
Exploit DB
added 2017/08/17 12:0 a.m. | 29 views

Microsoft Edge Chakra - 'JavascriptFunction::EntryCall' Fails to Handle 'CallInfo' Properly

GetScriptContext, Js::Constants::MinStackDefault; RUNTIMEARGUMENTSargs, callInfo; ScriptContext scriptContext = function-GetScriptContext; Assert!callInfo.Flags & CallFlagsNew; /// /// Check Argument0 has internal Call property /// If not, throw TypeError /// if args.Info.Count == 0 ||...

7.4 AI score
Exploits: 0
Packet Storm
added 2017/08/17 12:0 a.m. | 45 views

Microsoft Edge Chakra JavascriptFunction::EntryCall Mishandled CallInfo

Microsoft Edge: Chakra: JavascriptFunction::EntryCall doesn't handle CallInfo properly CVE-2017-8671 Here's the method. Var JavascriptFunction::EntryCallRecyclableObject function, CallInfo callInfo, ... PROBESTACKfunction-GetScriptContext, Js::Constants::MinStackDefault; RUNTIMEARGUMENTSargs,...

7.6 CVSS | 0.6 AI score | 0.81883 EPSS
Exploits: 35
exploitpack
added 2016/10/20 12:0 a.m. | 11 views

Microsoft Edge - Function.apply Information Leak (MS16-119)

Microsoft Edge - Function.apply Information Leak MS16-119 var t = new Array1,2,3; function f var h = ; var a = ...arguments foritem in a var n = new Numberaitem; if n 0 n = n + 0x100000000; h.pushn.toString16; alerth; var q = f; t.length = 20; var o =...

7.3 AI score
Exploits: 0