Vulnerability Development mailing list archives
Re: MSIE integer overflows
From: "Berend-Jan Wever" <SkyLined () edup tudelft nl>
Date: Wed, 14 May 2003 11:30:44 +0200
<snip>
> That's a strange result, but are you sure it's actually meaningful? I don't know Javascript to this level of detail, but I believe in C, at least, the results of those expressions are undefined, since the compiler would have no good reason to evaluate either of the prefix increments first.
Not true: "++i" will increase i first and return the result of that increased i, where "i++" will return i and then increase it:

-- example.js --
var i=1;
document.write(++i); // prints 2, i=2
document.write(i++); // prints 2, i=3
-- cut here --

<snip>
> Well the javascript interpreter seems like a not-so-good place to look. Really all these results say is that Javascript integers can overflow, which is vacuously true. As long as the interpreter handles these overflows sanely, they're completely benign (although the Javascript containing them could very well be buggy). If you can find an overflow in the interpreter itself, as opposed to the language it's interpreting, then you would have something interesting.
The interpreter is not handling them sanely, although I have not found anything security related that's wrong. The examples clearly show that the interpreter and some of the internal methods exhibit unexpected behaviour. I tried the arrays first to see if I could read/overwrite any memory I would normally not have access to.
> The 'undefined' result you got when pop()ing 'c' is a little strange, though. Why did you get an undefined result after the array index had already wrapped? If -2147483648 is a valid index, why isn't -2147483647?
See http://msdn.microsoft.com/library/default.asp?url=/library/en-us/script56/html/js56jsmthPop.asp (url wrapped)

<quote>If the array is empty, undefined is returned.</quote>

So somehow it's still popping the value but then it returns "undefined", meaning it thinks the array is empty. Btw. try a negative index on an array (like "i[-1]"): it doesn't work, it's NOT a valid index.

Cheers,
Berend-Jan Wever
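For readers following the array-index and pop() discussion above, here is an added example (it is not from the thread and says nothing about what the 2003 MSIE JScript engine actually did) showing what a spec-conformant ECMAScript engine such as Node.js does with the same inputs: plain arithmetic never wraps at 2^31 because numbers are doubles, the bitwise operators truncate through ToInt32 and do wrap, and an array index is only a canonical integer string in the range 0..2^32-2, so -2147483648, -1 and 4294967295 are ordinary property names that never affect length and are never seen by pop(). The constants and helper names are mine, chosen for this illustration.

```javascript
// Added example, not code from the original post. Runs under Node.js.
// Demonstrates ECMAScript integer and array-index semantics that the
// thread is probing by hand.

const INT32_MAX = 2147483647;   // 2^31 - 1
const UINT32_MAX = 4294967295;  // 2^32 - 1, the one value that is NOT an index

// Plain arithmetic is IEEE-754 double arithmetic: no 32-bit overflow here.
function addAsNumber(a, b) {
  return a + b;
}

// Bitwise operators apply ToInt32 to their operands and result, so the
// sum wraps exactly like a C int32 would.
function addAsInt32(a, b) {
  return (a + b) | 0;
}

// ECMAScript defines an array index as a property name P for which
// ToString(ToUint32(P)) === P and ToUint32(P) !== 2^32 - 1.
// Everything else (negative numbers, 2^32-1, "01", 1.5) is a plain property.
function isArrayIndex(key) {
  const n = Number(key);
  return Number.isInteger(n) && n >= 0 && n < UINT32_MAX && String(n) === String(key);
}

// Store one element under `key` in a fresh array and report how the
// engine classified it: did .length move, and is the property there?
function probeIndex(key) {
  const a = [];
  a[key] = 'x';
  return {
    isIndex: isArrayIndex(key),
    length: a.length,
    hasOwn: Object.prototype.hasOwnProperty.call(a, String(key)),
  };
}

// pop() on an empty array returns undefined (the MSDN sentence quoted above).
function popEmpty() {
  return [].pop();
}

// An element stored under a non-index key such as -1 is invisible to pop():
// length is still 0, so pop() returns undefined and leaves the property alone.
function popNonIndex() {
  const a = [];
  a[-1] = 'c';
  const popped = a.pop();
  return { popped, stillThere: a[-1], length: a.length };
}

// length itself is clamped to the uint32 range; exceeding it is a RangeError,
// not a silent wrap.
function setLengthOverflow() {
  try {
    const a = [];
    a.length = UINT32_MAX + 1;
    return 'no error';
  } catch (e) {
    return e.constructor.name;
  }
}

// Stand-alone demo output.
console.log('INT32_MAX + 1 as number:', addAsNumber(INT32_MAX, 1));
console.log('INT32_MAX + 1 as int32: ', addAsInt32(INT32_MAX, 1));
for (const k of [-2147483648, -1, 2147483648, UINT32_MAX - 1, UINT32_MAX]) {
  console.log(`a[${k}] = 'x' ->`, probeIndex(k));
}
console.log('[].pop():', popEmpty());
console.log('pop() with only a[-1] set:', popNonIndex());
console.log('a.length = 2^32:', setLengthOverflow());
```

The practical check this gives you when auditing script-engine behaviour: any key for which isArrayIndex() is false must leave length untouched and must be ignored by the Array.prototype methods; an engine that moves length or pops such a key is deviating from the specification, which is the kind of discrepancy worth a closer look.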
Current thread:
- MSIE integer overflows Berend-Jan Wever (May 12)
- <Possible follow-ups>
- Re: MSIE integer overflows xenophi1e (May 13)
- Re: MSIE integer overflows Berend-Jan Wever (May 14)
- Re: MSIE integer overflows Luciano Miguel Ferreira Rocha (May 15)
- Re: MSIE integer overflows Berend-Jan Wever (May 14)
- Re: MSIE integer overflows xenophi1e (May 14)
- Re: MSIE integer overflows Berend-Jan Wever (May 15)
- RE: MSIE integer overflows Cameron Brown (May 16)
- Re: MSIE integer overflows Berend-Jan Wever (May 15)
- Re: MSIE integer overflows xenophi1e (May 16)