Full Disclosure mailing list archives
Safari javascript array overflow
From: kang <kang () insecure ws>
Date: Sat, 06 Mar 2004 22:40:54 +0100
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 http://www.insecure.ws/article.php?story=2004021918172533 A problem exists in the way Safari Javascript engine allocates Arrays. For example, allocating a too big array and writing into it, will segfault Safari. There is no known way to execute remote code with this vulnerability as the date of this advisory. Konqueror doesn't seems to be vulnerable. - -- Adv: safari_0x03 Release Date: 06/04/04 Affected Products: Safari =< 1.2 Impact: Denial of Service, Possibly exploitation Severity: Remote, medium. Vendor: Notified (19/03/04) Author: kang, kang () insecure ws Simple allocation management error trigger: ~ var a = new Array(99999999999999999999999); ~ a[0+5]="AAAAA"; Another possibilty...;) var bam = new Array(0x23000000); bam.sort(new Function("return 1")); There are some other possibilities :> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (MingW32) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFASkVmxt5Ja4aWvZMRAtG7AKCOz+licSBi/NpYe4qNu4YX468mCACdF4LA DOrzcVourknKaBqvWFAlaQI= =VISk -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Safari javascript array overflow kang (Mar 06)
- <Possible follow-ups>
- Re: Safari javascript array overflow kr-ze (Mar 08)