  1. Qt
  2. QTBUG-81102

Integer overflow in method_set of TypedArray

    Details

    • Platform/s:
      All
    • Commits:
      2d566bb65def5b759bb4d93d767c4377bc6c5e0a

      Description

       

      ReturnedValue IntrinsicTypedArrayPrototype::method_set(const FunctionObject *b, const Value *thisObject, const Value *argv, int argc)
      {
          ...
       
          Scoped<TypedArray> srcTypedArray(scope, argv[0]);
          if (!srcTypedArray) {
              ...
              double len = ScopedValue(scope, o->get(scope.engine->id_length()))->toNumber();
              uint l = (uint)len;
              ...
              if (offset + l > a->length())
                  RETURN_RESULT(scope.engine->throwRangeError(QStringLiteral("TypedArray.set: out of range")));
              ...
              while (idx < l) {
                  val = o->get(idx);
                  ...
                  val = val->convertedToNumber();
                  ...
                  a->d()->type->write(b, val);
                  ...
                  ++idx;
                  b += elementSize;
              }
              RETURN_UNDEFINED();
          }
       
          ...
      }

       
      The bounds check offset + l > a->length() has an integer overflow: when the sum wraps around, the check passes and the write loop that follows causes a heap overflow.
       
      This vulnerability can lead to code execution.
       
      Credit to de29f079ab47688a575c7a901402089d
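
The wrap-around in the bounds check quoted above, as an added example that is not code from Qt or from the reporter. It assumes `offset`, `l` and the array length are all 32-bit unsigned values (the report shows only `uint l`), uses hypothetical function names, and contrasts the check as written with two overflow-safe forms; neither is claimed to be the fix in the commit listed above.

```cpp
#include <cstdint>
#include <cstdio>

// Check as written in the report: the 32-bit sum offset + l can wrap
// around to a small value, so an oversized l is accepted as "in range".
bool in_range_wrapping(uint32_t offset, uint32_t l, uint32_t length)
{
    return !(offset + l > length);
}

// Overflow-safe form: never computes offset + l. Once l <= length is
// known, length - l cannot underflow.
bool in_range_safe(uint32_t offset, uint32_t l, uint32_t length)
{
    return l <= length && offset <= length - l;
}

// Alternative: widen to 64 bits before adding, so the sum cannot wrap.
bool in_range_widened(uint32_t offset, uint32_t l, uint32_t length)
{
    return static_cast<uint64_t>(offset) + l <= length;
}

int main()
{
    // Constructed sample values: offset, source length l, target length.
    struct Case { uint32_t offset, l, length; };
    const Case cases[] = {
        {0, 8, 16},                // fits
        {8, 8, 16},                // fits exactly
        {9, 8, 16},                // one element past the end, no wrap
        {8, 0xFFFFFFFFu, 16},      // sum wraps to 7
        {0xFFFFFFF0u, 0x20u, 16},  // sum wraps to 16
    };
    for (const Case &c : cases) {
        std::printf("offset=%u l=%u length=%u wrapping=%d safe=%d widened=%d\n",
                    static_cast<unsigned>(c.offset), static_cast<unsigned>(c.l),
                    static_cast<unsigned>(c.length),
                    in_range_wrapping(c.offset, c.l, c.length),
                    in_range_safe(c.offset, c.l, c.length),
                    in_range_widened(c.offset, c.l, c.length));
    }
    return 0;
}
```

In the last two rows the wrapping check reports the write as in range while both safe forms reject it; in the quoted code that is the case where the `while (idx < l)` loop would keep writing past the end of the target buffer.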


            People

            Assignee:
            ulherman Ulf Hermann
            Reporter:
            xxx xxx xxx