Hi,

I've been testing MSIE for integer overflows in the DOM and jscript. I've found quite a few in one night of testing. Nothing serious (yet), but since IE seems to be riddled with them there's got to be a few that can be exploited.

A few examples of buggy jscript:

Integers seem to be 62 bits long:

    var i = 32*256*256 * 256*256*256*256-1;
    document.write((i==++i) + ' ' + (i==++i) + '<BR>');

prints:

    false true

But array functions run into problems around 32 bits:

    var i = 128*256*256*256-3;      // = 2^31 - 3
    var a = new Array();
    a[i]=1;                         // length becomes 2^31 - 2
    document.write(a.push('a')+'<BR>');   // push returns the new length
    document.write(a.push('b')+'<BR>');
    document.write(a.push('c')+'<BR>');
    document.write(a.pop()+'<BR>');
    document.write(a.pop()+'<BR>');
    document.write(a.pop()+'<BR>');

prints:

    2147483647
    -2147483648
    -2147483647
    undefined
    b
    a

I've been trying to think where I can find an integer that will cause trouble if it overflows, but I have not found anything... anybody got any ideas?

Cheers,
Berend-Jan Wever
http://spoor12.edup.tudelft.nl
This archive was generated by hypermail 2b30 : Mon May 12 2003 - 20:26:23 PDT