Vulnerability Development mailing list archives
MSIE integer overflows
From: "Berend-Jan Wever" <SkyLined () edup tudelft nl>
Date: Sun, 11 May 2003 23:03:34 +0200
Hi,

I've been testing MSIE for integer overflows in the DOM and jscript. I've found quite a few in one night of testing. Nothing serious (yet), but since IE seems to be riddled with them there's got to be a few that can be exploited.

A few examples of buggy jscript:

Integers seem to be 62 bit long:

    var i = 32*256*256 * 256*256*256*256-1;
    document.write((i==++i) + ' ' + (i==++i) + '<BR>');

prints:

    false true

But array functions run into problems around 32 bits:

    var i = 128*256*256*256-3;
    var a = new Array();
    a[i]=1;
    document.write(a.push('a')+'<BR>');
    document.write(a.push('b')+'<BR>');
    document.write(a.push('c')+'<BR>');
    document.write(a.pop()+'<BR>');
    document.write(a.pop()+'<BR>');
    document.write(a.pop()+'<BR>');

prints:

    2147483647
    -2147483648
    -2147483647
    undefined
    b
    a

I've been trying to think where I can find an integer that will cause troubles if it overflows, but I have not found anything... anybody got any ideas?

Cheers,
Berend-Jan Wever
http://spoor12.edup.tudelft.nl
Current thread:
- MSIE integer overflows Berend-Jan Wever (May 12)
- <Possible follow-ups>
- Re: MSIE integer overflows xenophi1e (May 13)
- Re: MSIE integer overflows Berend-Jan Wever (May 14)
- Re: MSIE integer overflows Luciano Miguel Ferreira Rocha (May 15)
- Re: MSIE integer overflows Berend-Jan Wever (May 14)
- Re: MSIE integer overflows xenophi1e (May 14)
- Re: MSIE integer overflows Berend-Jan Wever (May 15)
- RE: MSIE integer overflows Cameron Brown (May 16)
- Re: MSIE integer overflows Berend-Jan Wever (May 15)
- Re: MSIE integer overflows xenophi1e (May 16)