Closed Bug 576020 Opened 13 years ago Closed 13 years ago
OOB access when applying the slice() method to incorrect objects
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.2 (KHTML, like Gecko) Chrome/6.0.451.0 Safari/534.2 Build Identifier: Simple repro: a = Int8Array(0x1000000); b = Int32Array.prototype.slice.apply(a, [0, 0x1000000]); //We can now access 4 times more data than the array buffer contains. alert(b[0x1000000 - 1]); Clearly it can lead to arbitrary code execution. Reproducible: Always
What version of Firefox were you testing against?
Assignee: nobody → general
QA Contact: canvas.webgl → general
blocking2.0: --- → ?
Man am I starting to hate dynamic languages.. slice() just needs to check that the array type is what it expects. Will patch tomorrow.
Assignee: general → vladimir
Status: NEW → ASSIGNED
Here's the fix. We just add a check into slice().
Attachment #455574 - Flags: review?(jorendorff)
Comment on attachment 455574 [details] [diff] [review] fix I think this bug is a duplicate of bug 571014. The fix is already in. The test is welcome, though, if we don't already have a test like that.
Attachment #455574 - Flags: review?(jorendorff) → review+
Not sure if it is -- slice() is the only method on typed arrays, so the only one that can be used with apply this way. The other bug was mainly dealing with properties, and just walks the proto chain until it finds a typed array. That will still succeed in this case, but it'll still be the wrong type. Also applying slice to a non-typed-array will likely walk the proto chain up to NULL (I guess?), and then the getPrivate() would crash.
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Summary: OOB access when incorrect array type created → OOB access when applying the slice() method to incorrect objects
You need to log in before you can comment on or make changes to this bug.