MSIE integer overflows

From: Berend-Jan Wever (SkyLinedat_private)
Date: Sun May 11 2003 - 14:03:34 PDT


    Hi,
    
    I've been testing MSIE for integer overflows in the DOM and jscript. I've
    found quite a few in one night testing. Nothing serious (yet) but since IE
    seems to be riddled with them there's got to be a few that can be exploited.
    
    A few examples of buggy jscript:
    Integers seem to be 62 bit long:
        var i = 32*256*256 * 256*256*256*256-1;
        document.write((i==++i) + ' ' + (i==++i) + '<BR>');
    prints:
    false true
    
    But array functions run into problems around 32 bits:
        var i = 128*256*256*256-3;
        var a = new Array();
        a[i]=1;
        document.write(a.push('a')+'<BR>');
        document.write(a.push('b')+'<BR>');
        document.write(a.push('c')+'<BR>');
        document.write(a.pop()+'<BR>');
        document.write(a.pop()+'<BR>');
        document.write(a.pop()+'<BR>');
    prints:
    2147483647
    -2147483648
    -2147483647
    undefined
    b
    a
    
    I've been trying to think where I can find an integer that will cause
    troubles if it overflows, but I have not found anything... anybody got any
    ideas?
    
    Cheers,
    
    
    Berend-Jan Wever
    http://spoor12.edup.tudelft.nl
    
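The two experiments from the post, re-run in a modern ECMAScript engine (Node or a browser console) as an added example that is not code from the original mail: the results are returned instead of written to the document so they can be checked, and a third function shows where the Array.length boundary actually sits in the specification.

```javascript
// Added example, not from the original post. The post's first value,
// 32*256^6 - 1, is exactly 2**53 - 1, which ECMAScript exposes as
// Number.MAX_SAFE_INTEGER. Numbers are IEEE-754 doubles, so above 2**53
// consecutive integers are no longer representable and ++i can leave i
// unchanged; that is what produces the "false true" output quoted in the post.
function incrementExperiment() {
  let i = 32 * 256 * 256 * 256 * 256 * 256 * 256 - 1;
  const start = i;
  const first = (i == ++i);   // 2**53-1 == 2**53           -> false
  const second = (i == ++i);  // 2**53 == round(2**53 + 1)  -> true
  return { start, first, second, stillSafe: Number.isSafeInteger(i) };
}

// The post's second value, 128*256^3 - 3, is 2**31 - 3. ECMAScript defines
// Array.length as an unsigned 32-bit integer (0 .. 2**32 - 1), so a
// spec-conforming engine keeps counting past 2**31 - 1 rather than producing
// the negative lengths in the JScript output quoted above.
function pushPopExperiment() {
  const i = 128 * 256 * 256 * 256 - 3;
  const a = [];
  a[i] = 1;                       // sparse array; length becomes i + 1
  const pushes = [a.push('a'), a.push('b'), a.push('c')];
  const pops = [a.pop(), a.pop(), a.pop()];
  return { index: i, pushes, pops };
}

// Where the real boundary is: 2**32 - 1 is not a valid array index, so
// assigning to it creates an ordinary property and leaves length untouched,
// and setting length beyond 2**32 - 1 throws a RangeError instead of wrapping.
function lengthBoundary() {
  const a = [];
  a[2 ** 32 - 1] = 'x';
  let rangeError = false;
  try { a.length = 2 ** 32; } catch (e) { rangeError = e instanceof RangeError; }
  return { lengthAfterAssign: a.length, rangeError };
}
```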



    This archive was generated by hypermail 2b30 : Mon May 12 2003 - 20:26:23 PDT