Vulnerability Development mailing list archives
Re: MSIE integer overflows
From: xenophi1e <oliver.lavery () sympatico ca>
Date: 13 May 2003 16:31:25 -0000
In-Reply-To: <000501c31800$c924bac0$0100a8c0@grotedoos>
> I've been testing MSIE for integer overflows in the DOM and jscript. I've found quite a few in one night's testing. Nothing serious (yet) but since
>
> A few examples of buggy jscript:
>
> Integers seem to be 62 bit long:
>
> var i = 32*256*256 * 256*256*256*256-1;
> document.write((i==++i) + ' ' + (i==++i) + '<BR>');
>
> prints:
>
> false true
That's a strange result, but are you sure it's actually meaningful? I don't know Javascript to this level of detail, but I believe in C, at least, the results of those expressions are undefined, since the compiler would have no good reason to evaluate either of the prefix increments first.
> But array functions run into problems around 32 bits:
>
> I've been trying to think where I can find an integer that will cause troubles if it overflows, but I have not found anything... anybody got
Well, the javascript interpreter seems like a not-so-good place to look. Really all these results say is that Javascript integers can overflow, which is vacuously true. As long as the interpreter handles these overflows sanely, they're completely benign (although the Javascript containing them could very well be buggy). If you can find an overflow in the interpreter itself, as opposed to the language it's interpreting, then you would have something interesting.

The 'undefined' result you got when pop()ing 'c' is a little strange, though. Why did you get an undefined result after the array index had already wrapped? If -2147483648 is a valid index, why isn't -2147483647?

Cheers,
~ol
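As an added example, not code from either poster, the JavaScript below reproduces the thread's `i==++i` test and shows where the two boundaries being discussed come from under current ECMAScript semantics (run in Node, not the 2003 JScript engine): the value assigned to `i` is 2^53-1, the largest integer a double represents exactly, and array indices and bitwise operators are 32-bit regardless of what arithmetic on the same number does. The `isSafeIndex` helper is an assumed name for the kind of check a script should make before trusting a number as a count or index.

```javascript
// Added example: where JavaScript numbers stop behaving like integers.

// The thread's i: 32*256^6 - 1 = 2^53 - 1. Operands of == are evaluated
// left to right, so the first comparison sees the old value on the left.
// At 2^53 the increment rounds back to 2^53 and the comparison becomes true.
function incrementTest(start) {
  let i = start;
  const first = (i == ++i);   // 2^53-1 == 2^53  -> false
  const second = (i == ++i);  // 2^53 == 2^53    -> true (2^53+1 not representable)
  return [first, second];
}

// Bitwise operators apply ToInt32, so they wrap at 32 bits even though
// plain arithmetic on the same value carries on exactly.
function int32Wrap(n) {
  return { arithmetic: n + 1, bitwise: (n + 1) | 0 };
}

// Array indices are unsigned 32-bit: 2^32-2 is the largest valid index,
// 2^32-1 is stored as an ordinary property, and length cannot exceed 2^32-1.
function arrayIndexProbe() {
  const a = [];
  a[2 ** 32 - 2] = 'x';                 // sparse, so no real memory is used
  const lenAfterMaxIndex = a.length;    // 2^32 - 1
  a[2 ** 32 - 1] = 'y';                 // property "4294967295", not an index
  const lenAfterProperty = a.length;    // unchanged
  let rangeError = false;
  try {
    a.length = 2 ** 32;                 // throws RangeError: invalid array length
  } catch (e) {
    rangeError = e instanceof RangeError;
  }
  return { lenAfterMaxIndex, lenAfterProperty, rangeError };
}

// Defensive check (assumed helper): exact integer, non-negative, and within
// the index range the array machinery actually supports.
function isSafeIndex(n) {
  return Number.isSafeInteger(n) && n >= 0 && n <= 2 ** 32 - 2;
}
```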