Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Done
Priority: P1: Critical
Fix Version/s: 5.14.1
Affects Version/s: 5.13.2, 5.14.0, 5.14, 5.15
Component/s: QML: Declarative and Javascript Engine
Labels:
- earmarked_by_ulf

Platform/s:

All
Commits:
2d566bb65def5b759bb4d93d767c4377bc6c5e0a

Description

ReturnedValue IntrinsicTypedArrayPrototype::method_set(const FunctionObject *b, const Value *thisObject, const Value *argv, int argc)
{
    ...
 
    Scoped<TypedArray> srcTypedArray(scope, argv[0]);
    if (!srcTypedArray) {
        ...
        double len = ScopedValue(scope, o->get(scope.engine->id_length()))->toNumber();
        uint l = (uint)len;
        ...
        if (offset + l > a->length())
            RETURN_RESULT(scope.engine->throwRangeError(QStringLiteral("TypedArray.set: out of range")));
        ...
        while (idx < l) {
            val = o->get(idx);
            ...
            val = val->convertedToNumber();
            ...
            a->d()->type->write(b, val);
            ...
            ++idx;
            b += elementSize;
        }
        RETURN_UNDEFINED();
    }
 
    ...
}

offset + l > a->length() has an integer overflow, which will cause a heap overflow.

This vulnerability can lead to code execution.

Credit to de29f079ab47688a575c7a901402089d

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List

poc.js
0.1 kB
08 Jan '20 03:04

Gerrit Reviews

- Issue Only
- Show All Reviews
- Show Open Reviews
- Show All Issues
- Show Open Issues

No reviews matched the request. Check your Options in the drop-down menu of this sections header.

Activity

People

Assignee:: Ulf Hermann

Reporter:: xxx xxx

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 06 Jan '20 13:27

Updated:: 08 Jan '20 12:47

Resolved:: 08 Jan '20 12:47

Gerrit Reviews

There are no open Gerrit changes