Vulnerability Development mailing list archives

MSIE integer overflows


From: "Berend-Jan Wever" <SkyLined () edup tudelft nl>
Date: Sun, 11 May 2003 23:03:34 +0200

Hi,

I've been testing MSIE for integer overflows in the DOM and jscript. I've
found quite a few in one night testing. Nothing serious (yet) but since IE
seems to be riddled with them there's got to be a few that can be exploited.

A few examples of buggy jscript:
Integers seem to be 62 bit long:
    var i = 32*256*256 * 256*256*256*256-1;
    document.write((i==++i) + ' ' + (i==++i) + '<BR>');
prints:
false true

But array functions run into problems around 32 bits:
    var i = 128*256*256*256-3;
    var a = new Array();
    a[i]=1;
    document.write(a.push('a')+'<BR>');
    document.write(a.push('b')+'<BR>');
    document.write(a.push('c')+'<BR>');
    document.write(a.pop()+'<BR>');
    document.write(a.pop()+'<BR>');
    document.write(a.pop()+'<BR>');
prints:
2147483647
-2147483648
-2147483647
undefined
b
a

I've been trying to think where I can find an integer that will cause
troubles if it overflows, but I have not found anything... anybody got any
ideas?

Cheers,


Berend-Jan Wever
http://spoor12.edup.tudelft.nl
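As an added example that is not part of Berend-Jan's post, here are the same probes written as functions for a modern ECMAScript engine (Node.js assumed): the increment test from the post, whose start value 32*256^6-1 equals 2^53-1, is generalised into a search for the exact-integer limit of IEEE-754 doubles, and the array test is rerun at the post's 2^31 boundary and at the 2^32-1 array-length limit, next to the bounds check a defender would apply before trusting a computed length.

```javascript
// Added example, not code from the original post. Probes where Number
// arithmetic and Array length handling stop behaving like integers.

// Doubles the candidate until i + 1 can no longer be told apart from i.
// Returns the first such power of two: 2**53 on any IEEE-754 double engine.
function findPrecisionLimit() {
  let i = 1;
  while (i + 1 !== i) {
    i *= 2;
  }
  return i;
}

// The post's first probe: evaluate (i==++i) twice from a chosen start value.
// The first comparison still sees two distinct values, the second does not
// once the increment is absorbed by rounding.
function probeIncrement(start) {
  let i = start;
  return [i == ++i, i == ++i];
}

// The post's second probe: a[index] = 1 makes length index + 1, then push
// three values and pop three, recording every returned length and value.
// A spec-conformant engine must refuse a length >= 2**32 with a RangeError
// rather than wrapping it to a negative number.
function probeArrayLength(index) {
  const a = [];
  const out = { pushes: [], pops: [], error: null };
  try {
    a[index] = 1;
    for (const v of ['a', 'b', 'c']) out.pushes.push(a.push(v));
    for (let k = 0; k < 3; k++) out.pops.push(a.pop());
  } catch (e) {
    out.error = e.constructor.name; // e.g. 'RangeError'
  }
  return out;
}

// Bounds check for a length computed from untrusted input: an ECMAScript
// array length must be an integer in [0, 2**32 - 1].
function isValidArrayLength(n) {
  return Number.isInteger(n) && n >= 0 && n <= 2 ** 32 - 1;
}

module.exports = { findPrecisionLimit, probeIncrement, probeArrayLength, isValidArrayLength };
```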
