MSIE integer overflows
From: Berend-Jan Wever (SkyLined at edup.tudelft.nl)
Date: Sun May 11 2003 - 16:03:34 CDT
Hi,
I've been testing MSIE for integer overflows in the DOM and jscript. I've
found quite a few in one night testing. Nothing serious (yet) but since IE
seems to be riddled with them there's got to be a few that can be exploited.
A few examples of buggy jscript:
Integers seem to be 62 bits long:
var i = 32*256*256 * 256*256*256*256-1;
document.write((i==++i) + ' ' + (i==++i) + '<BR>');
prints:
false true
But array functions run into problems around 32 bits:
var i = 128*256*256*256-3;
var a = new Array();
a[i]=1;
document.write(a.push('a')+'<BR>');
document.write(a.push('b')+'<BR>');
document.write(a.push('c')+'<BR>');
document.write(a.pop()+'<BR>');
document.write(a.pop()+'<BR>');
document.write(a.pop()+'<BR>');
prints:
2147483647
-2147483648
-2147483647
undefined
b
a
I've been trying to think where I can find an integer that will cause
troubles if it overflows, but I have not found anything... anybody got any
ideas?
Cheers,
Berend-Jan Wever
http://spoor12.edup.tudelft.nl
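The two experiments above, reworked as an added probe (not part of the original post) that returns structured results instead of writing into the document, so the same checks can be run against any engine and compared. It assumes a modern ECMAScript engine with IEEE-754 doubles; the `isSafeArrayIndex` guard is an added helper named here, not anything from the post.

```javascript
// Added probe (not from the original post): reproduces both experiments in a
// form that returns values rather than writing to the page.

// Find the width of the contiguous integer range by doubling until i + 1
// collapses back onto i. Returns 53 on any engine using IEEE-754 doubles.
function integerPrecisionBits() {
  let i = 1;
  let bits = 0;
  while (i + 1 !== i) {
    i *= 2;
    bits += 1;
  }
  return bits;
}

// Re-run the push/pop sequence from the post: set an element just below 2^31,
// push three times across the signed 32-bit boundary and pop them back.
// A conforming engine reports lengths 2147483647, 2147483648, 2147483649 and
// pops 'c', 'b', 'a'; the buggy engine in the post goes negative and returns
// undefined for the first pop. The array is sparse, so this stays cheap.
function arrayLengthWrapProbe() {
  const a = [];
  a[128 * 256 * 256 * 256 - 3] = 1;   // index 2147483645, length 2147483646
  const lengths = [a.push('a'), a.push('b'), a.push('c')];
  const popped = [a.pop(), a.pop(), a.pop()];
  const wrapped = lengths.some((n) => n < 0) || popped.includes(undefined);
  return { lengths, popped, wrapped };
}

// Guard for values about to be used as array indices or lengths (added helper):
// ECMAScript array indices are integers in [0, 2^32 - 2]; reject anything
// outside that range, or non-integers, before it reaches length arithmetic.
function isSafeArrayIndex(n) {
  return Number.isInteger(n) && n >= 0 && n <= 4294967294;
}

console.log('integer precision bits:', integerPrecisionBits());
console.log('array length probe:', JSON.stringify(arrayLengthWrapProbe()));
```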