Re: MSIE integer overflows

From: Luciano Miguel Ferreira Rocha (strangeat_private-ip.org)
Date: Wed May 14 2003 - 10:10:46 PDT

    On Wed, May 14, 2003 at 11:30:44AM +0200, Berend-Jan Wever wrote:
    > <snip>
    > > That's a strange result, but are you sure it's actually meaningful? I
    > > don't know Javascript to this level of detail, but I believe in C, at
    > > least, the results of those expressions are undefined, since the compiler
    > > would have no good reason to evaluate either of the prefix increments
    > > first.
    > Not true: "++i" will increase i first and return the result of that
    > increased i where "i++" will return i and then increase it:
    Actually, you misunderstood him.
    
    While ++i and i++ are distinct and perfectly defined,
    "a = ++i + 2 * --i" isn't. As isn't "printf("%d %d\n", ++i, i++)".
    
    In the second example, what should the compiler execute first? ++i or i++?
    
    I believe the C standards advised against that and left it as undefined
    behaviour. I don't know about C99, nor about JavaScript.
    
    Regards,
    Luciano Rocha
    
    > -- example.js --
    > var i=1;
    > document.write(++i); // prints 2, i=2;
    > document.write(i++); // prints 2, i=3;
    > -- cut here --
    > 
    > 
    > <snip>
    > > Well the javascript interpreter seems like a not-so-good place to look.
    > > Really all these results say is that Javascript integers can overflow,
    > > which is vacuously true. As long as the interpreter handles these
    > > overflows sanely, they're completely benign (although the Javascript
    > > containing them could very well be buggy). If you can find an overflow
    > > in the interpreter itself, as opposed to the language it's interpreting,
    > > then you would have something interesting.
    > The interpreter is not handling them sanely, although I have not found
    > anything security related that's wrong. The examples clearly show that
    > the interpreter and some of the internal methods return unexpected
    > behaviour. I tried the arrays first to see if I could read/overwrite any
    > memory I would normally not have access to.
    > 
    > 
    > > The 'undefined' result you got when pop()ing 'c' is a little strange,
    > > though. Why did you get an undefined result after the array index had
    > > already wrapped? If -2147483648 is a valid index, why isn't -2147483647?
    > See
    > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/script56/html/js56jsmthPop.asp
    > <quote>If the array is empty, undefined is returned.</quote>
    > So somehow it's still popping the value but then it returns "undefined",
    > meaning it thinks the array is empty. Btw. try a negative index on an array
    > (like "i[-1]"): It doesn't work, it's NOT a valid index.
    > 
    > 
    > Cheers,
    > 
    > Berend-Jan Wever
    
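The two points argued above, evaluation order of `++i`/`i++` and which numbers count as array indices, as an added example (not from either poster) run against a standards-conforming JavaScript engine rather than the MSIE interpreter discussed in the thread:

```javascript
// Added example, not part of the original mail. In C, "++i + 2 * --i"
// modifies i twice without an intervening sequence point and is undefined;
// ECMAScript evaluates operands left to right, so the result is fixed.

// The example.js from the quoted mail: prefix vs. postfix increment.
function prefixPostfix() {
  var i = 1;
  var first = ++i;   // increments first, then yields 2; i is now 2
  var second = i++;  // yields 2, then increments; i is now 3
  return { first: first, second: second, i: i };
}

// The expression Luciano calls undefined in C. In JavaScript the left
// operand (++i) runs before the right one (2 * --i), so with i = 1:
// ++i -> 2 (i = 2), then --i -> 1 (i = 1), and a = 2 + 2 * 1 = 4.
function mixedIncrements() {
  var i = 1;
  var a = ++i + 2 * --i;
  return { a: a, i: i };
}

// Which property names are array indices. A property is an element only if
// its name is the canonical string of an integer in [0, 2^32 - 2]; a negative
// number, 2^32 - 1 or a wrapped 32-bit value is an ordinary property: length
// does not move and pop() sees an empty array and returns undefined, the
// "undefined" result the thread puzzles over.
function indexBehaviour() {
  var arr = [];
  arr[-1] = 'neg';            // not an index: plain property "-1"
  arr[4294967295] = 'max';    // 2^32 - 1 is not a valid index either
  arr[-2147483648] = 'wrap';  // INT_MIN as a property name, not an index
  var lengthBefore = arr.length;   // still 0
  var popped = arr.pop();          // no elements, so undefined
  var stillThere = arr[-1] === 'neg' && arr[4294967295] === 'max';
  var realIndex = [];
  realIndex[4294967294] = 'last';  // 2^32 - 2 is the largest valid index
  return {
    lengthBefore: lengthBefore,
    popped: popped,
    stillThere: stillThere,
    maxLength: realIndex.length,      // 4294967295
    maxPopped: realIndex.pop(),       // 'last'
    maxLengthAfter: realIndex.length  // 4294967294
  };
}
```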



    This archive was generated by hypermail 2b30 : Thu May 15 2003 - 23:38:30 PDT