Microsoft Edge Chakra - 'chakra!Js::GlobalObject' Integer overflow

EDB-ID: 42465
Author: Huang Anwen
Published: 2017-08-17
CVE: CVE-2017-8641
Type: Dos
Platform: Windows
Vulnerable App: N/A

Report by Huang Anwen, He Xiaoxiao of ichunqiu Ker Team

There is a classic heap overflow in Chakra when eval() is called on a string that is large enough.
This issue reproduces reliably in an up-to-date Edge on Win10 WIP.
An exception occurs immediately when POC.html is opened in Edge.


ScriptFunction* GlobalObject::DefaultEvalHelper(ScriptContext* scriptContext, const char16 *source, int sourceLength, ModuleID moduleID, uint32 grfscr, LPCOLESTR pszTitle, BOOL registerDocument, BOOL isIndirect, BOOL strictMode)
{
    // Debug-build check only: Assert is compiled out of release builds, so a
    // negative sourceLength is not rejected at runtime here.
    Assert(sourceLength >= 0);
    if (scriptContext->GetThreadContext()->EvalDisabled())
    {
        throw Js::EvalDisabledException();
    }
    // remainder of the function is not included in the report
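The excerpt above guards the eval source length with a debug-only Assert on an int. The following C is an added example, not the report's or ChakraCore's own code: it shows the kind of runtime length validation and overflow-checked allocation-size computation a runtime needs before copying a caller-supplied UTF-16 source string. The 64 MiB cap, the function names and the copy helper are assumptions made for this illustration.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* UTF-16 code unit, standing in for Chakra's char16 (assumption for this example). */
typedef uint16_t char16;

/* Hard cap on accepted source length in code units. Constructed value for the
   example; the report does not state the engine's real limit. */
#define MAX_EVAL_SOURCE_UNITS ((int64_t)64 * 1024 * 1024)

/* Returns true if n can be passed through a legacy `int` length parameter
   without narrowing (and therefore without a possible sign flip). */
bool length_fits_int(size_t n) {
    return n <= (size_t)INT_MAX;
}

/* Computes the byte size of a NUL-terminated buffer for source_length code
   units. Rejects negative lengths, lengths above the cap, and any length
   whose (+1) or (*sizeof) computation would wrap. Unlike a debug Assert,
   this check runs in release builds too. */
bool eval_source_alloc_size(int64_t source_length, size_t *out_bytes) {
    if (source_length < 0 || source_length > MAX_EVAL_SOURCE_UNITS)
        return false;
    size_t units;
    if (__builtin_add_overflow((size_t)source_length, (size_t)1, &units))
        return false;
    size_t bytes;
    if (__builtin_mul_overflow(units, sizeof(char16), &bytes))
        return false;
    *out_bytes = bytes;
    return true;
}

/* Copies a caller-supplied source into a freshly allocated NUL-terminated
   buffer, refusing any length the size check rejects. Caller frees. */
char16 *copy_eval_source(const char16 *src, int source_length) {
    size_t bytes;
    if (src == NULL || !eval_source_alloc_size((int64_t)source_length, &bytes))
        return NULL;
    char16 *dst = malloc(bytes);
    if (dst == NULL)
        return NULL;
    memcpy(dst, src, (size_t)source_length * sizeof(char16));
    dst[source_length] = 0;
    return dst;
}

int main(void) {
    /* Constructed sample input: the three code units "abc". */
    const char16 sample[3] = { 'a', 'b', 'c' };
    char16 *copy = copy_eval_source(sample, 3);
    printf("copy of 3 units: %s\n", copy ? "accepted" : "rejected");
    free(copy);

    /* A negative length, which only an Assert would have caught, is rejected. */
    printf("length -1: %s\n", copy_eval_source(sample, -1) ? "accepted" : "rejected");

    /* A size_t length above INT_MAX must not be narrowed into an int at all. */
    printf("INT_MAX+1 fits int: %s\n", length_fits_int((size_t)INT_MAX + 1) ? "yes" : "no");
    return 0;
}
```

The point of the example is that the length check must be a real runtime branch on the widest type the caller can supply, and that the allocation size must be computed with overflow detection, rather than relying on an assertion that disappears in release builds.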
