Closed Bug 1124778 Opened 10 years ago Closed 10 years ago

Array concat integer overflow

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Version:
35 Branch
Platform:
x86_64
Windows 8.1
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 688852

People

(Reporter: abbGZcvu_bugzilla.mozilla.org, Assigned: sfink)

Details

Attachments

(1 file)

Check array lengths in array_concat
2.14 KB, patch
Details | Diff | Splinter Review
User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0 Build ID: 20150108202552 Steps to reproduce: Array concat can overflow the 32-bit unsigned integer in which the length of the array is stored. I haven't found a way to exploit this, but I am marking this as a security issue just in case there is something I haven't thought of. Repro: a = new Array(0xFFFFFFFF); console.log(b.length.toString(16)); try {a.push(1);} catch (e) { console.log("Can't push");} try {b=a.concat(1,2,3);} catch (e) { console.log("Can't concat");} console.log(b.length.toString(16)); console.log(b[0]); Actual results: "0" "Can't push" "2" 2 Expected results: "FFFFFFFF" "Can't push" "Can't concat" "FFFFFFFF" undefined
Doh! Code should have read: a = new Array(0xFFFFFFFF); console.log(a.length.toString(16)); /// <<< NOT "a" not "b" as earlier. try {a.push(1);} catch (e) { console.log("Can't push");} try {b=a.concat(1,2,3);} catch (e) { console.log("Can't concat");} console.log(b.length.toString(16)); console.log(b[0]); Actual result should be: "ffffffff" "Can't push" "2" 2 Sorry for the confusion.
Component: Untriaged → JavaScript Engine
Product: Firefox → Core
Steve, could you look at this? Thanks.
Flags: needinfo?(sphink)
Yeah, we're just doing completely the wrong thing in array_concat. Unfortunately, I'm very uncertain as to what the right way to handle this is at the present time. This patch does a minimal change that tries to follow the ES6 spec, only using 2^32-1 in place of ES6's 2^53-1. (Our arrays use 2^32-1 everywhere, so I'm not going to dive into that for this bug.) array_push currently does something different, where it creates named properties on int32 overflow but then throws a TypeError too. Apparently, that's what ES5 specified. If Waldo gives me f+ for this, I'll add a test. I don't see any way this could be exploitable, so I think this bug can be opened up. There are no out of bounds accesses going on, just artificially low lengths.
Attachment #8555487 - Flags: feedback?(jwalden+bmo)
Assignee: nobody → sphink
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Flags: needinfo?(sphink)
Attachment #8555487 - Flags: feedback?(jwalden+bmo)
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: