Microsoft Edge Chakra chakra!Js::GlobalObject Integer Overflow

Microsoft Edge Chakra suffers from a chakra!Js::GlobalObject internet overflow vulnerability.


MD5 | 27bc98a6edda5dac2e242517a2a0c314

<!--
Report by Huang Anwen, He Xiaoxiao of ichunqiu Ker Team

There is a classic heap overflow when eval a string which large enough in Chakra!
This issue can be reproduced steadly in uptodate Edge in Win10 WIP.
An exception will occur immediatly when opening POC.html in Edge.



//ChakraCore-master\lib\Runtime\Library\GlobalObject.cpp

ScriptFunction* GlobalObject::DefaultEvalHelper(ScriptContext* scriptContext, const char16 *source, int sourceLength, ModuleID moduleID, uint32 grfscr, LPCOLESTR pszTitle, BOOL registerDocument, BOOL isIndirect, BOOL strictMode)
{
Assert(sourceLength >= 0);
AnalysisAssert(scriptContext);
if (scriptContext->GetThreadContext()->EvalDisabled())
{
throw Js::EvalDisabledException();
}

#ifdef PROFILE_EXEC
scriptContext->ProfileBegin(Js::EvalCompilePhase);
Related Posts

Comments