Re: MSIE integer overflows

From: Berend-Jan Wever (SkyLinedat_private)
Date: Wed May 14 2003 - 02:30:44 PDT


    <snip>
    > That's a strange result, but are you sure it's actually meaningful? I
    > don't know Javascript to this level of detail, but I believe in C, at
    > least, the results of those expressions are undefined, since the compiler
    > would have no good reason to evaluate either of the prefix increments
    > first.
    Not true: "++i" will increase i first and return the result of that
    increased i where "i++" will return i and then increase it:
    -- example.js --
    var i=1;
    document.write(++i); // prints 2, i=2;
    document.write(i++); // prints 2, i=3;
    -- cut here --
    
    
    <snip>
    > Well the javascript interpreter seems like a not-so-good place to look.
    > Really all these results say is that Javascript integers can overflow,
    > which is vacuously true. As long as the interpreter handles these
    > overflows sanely, they're completely benign (although the Javascript
    > containing them could very well be buggy). If you can find an overflow
    > in the interpreter itself, as opposed to the language it's interpreting,
    > then you would have something interesting.
    The interpreter is not handling them sanely, although I have not found
    anything security related that's wrong. The examples clearly show that
    the interpreter and some of the internal methods return unexpected
    behaviour. I tried the arrays first to see if I could read/overwrite any
    memory I would normally not have access to.
    
    
    > The 'undefined' result you got when pop()ing 'c' is a little strange,
    > though. Why did you get an undefined result after the array index had
    > already wrapped? If -2147483648 is a valid index, why isn't -2147483647?
    See
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/script56/html/js56jsmthPop.asp
    <quote>If the array is empty, undefined is returned.</quote>
    So somehow it's still popping the value but then it returns "undefined",
    meaning it thinks the array is empty. Btw. try a negative index on an array
    (like "i[-1]"): It doesn't work, it's NOT a valid index.
    
    
    Cheers,
    
    Berend-Jan Wever
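
    Added example, not part of the thread above: how a standard ECMAScript engine (run here under Node.js) treats the array indices being argued about, namely a negative index, an index past 2^31, pop() on an array with no elements, and the 32-bit wrap that only the bitwise operators perform. The 2003 MSIE JScript engine may behave differently, which is the point of the original post; the function names are the example's own.

```javascript
// Added example (not from the thread): standard ECMAScript behaviour for the
// array-index cases discussed above. Constructed for Node.js; MSIE's 2003
// JScript engine may differ, which is what the original post is about.

// The spec's definition of an "array index": a property key whose canonical
// string form is an unsigned 32-bit integer strictly below 2^32 - 1.
// Anything else (negative numbers, 2^32 - 1, "01") is a plain named property.
function isArrayIndex(key) {
  const s = String(key);
  const u = Number(s) >>> 0;          // ToUint32
  return String(u) === s && u !== 0xFFFFFFFF;
}

// Store one element at `index`, then pop() it. Returns what an observer sees:
// whether the key exists as an own property, whether it moved .length (i.e.
// counted as an element), and what pop() handed back.
function probeArrayIndex(index) {
  const a = [];
  a[index] = "v";
  const ownProperty = Object.prototype.hasOwnProperty.call(a, index);
  const length = a.length;
  const popped = a.pop();             // undefined when there are no elements
  return { ownProperty, length, popped, lengthAfterPop: a.length };
}

// Number arithmetic never wraps (it is an IEEE-754 double); only the bitwise
// operators coerce to 32 bits. This is where a "-2147483648 index" can come
// from inside an engine that stores indices as signed ints.
function wrapInt32(n) {
  return n | 0;
}

function main() {
  for (const idx of [-1, 0, 2147483647, 2147483648, 4294967294, 4294967295]) {
    console.log(idx, isArrayIndex(idx), probeArrayIndex(idx));
  }
  console.log(2147483647 + 1, wrapInt32(2147483647 + 1));
}
main();
```

    In a spec-conforming engine a[-1] is stored but never becomes an element, so a following pop() returns undefined exactly as the MSDN text says, while a[2147483648] is a legitimate (sparse) element and pops back normally.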
    



    This archive was generated by hypermail 2b30 : Wed May 14 2003 - 09:09:00 PDT