
Change to address CVE-2016-7202 #2196

Merged: 1 commit merged into chakra-core:release/1.2 from suwc:build/suwc/bugfix on Dec 13, 2016

Conversation

@suwc suwc commented Dec 13, 2016

Heap overflow in Array.prototype.reverse
In Array.prototype.reverse, array length is cached and used in ReverseHelper().
ReverseHelper() could invoke FillFromPrototypes(), which can cause a side-effect on the array,
including changing its length. Therefore, the use of cached array length to calculate segment left index could result in overflow. Fix by clamping array length at zero.

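The mechanism described in the PR text above, as an added illustration that is not ChakraCore's code and not the commit merged here: a model array with a single backing store (ChakraCore's segment list is flattened to one vector), a callback standing in for FillFromPrototypes() whose side effect shrinks the array mid-reverse, and two reverse routines, one that derives every mirrored index from a length cached before the side effect, and one that re-reads the length afterwards and clamps the index subtraction at zero. All names (ModelArray, SideEffect, mirror_unchecked, mirror_clamped, reverse_stale_length, reverse_reread_length, the shrink_* callbacks) are invented for the example, and the out-of-bounds access is reported rather than performed.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <vector>

// Model of a JavaScript array with a single contiguous backing store.
// Constructed for this example; ChakraCore's JavascriptArray keeps a list of
// segments, which is flattened here to one vector.
struct ModelArray {
    std::vector<int32_t> elements;
    uint32_t length() const { return static_cast<uint32_t>(elements.size()); }
};

// Stand-in for FillFromPrototypes(): filling holes from the prototype chain
// can run user-defined getters, and such a getter may shrink the array while
// the reverse is still running. The callback is that modelled side effect.
typedef void (*SideEffect)(ModelArray&);

static void keep_length(ModelArray&) {}
static void shrink_to_one(ModelArray& arr) { arr.elements.resize(1); }
static void shrink_to_zero(ModelArray& arr) { arr.elements.clear(); }

// Mirrored index for position i, computed with plain unsigned arithmetic.
// When cachedLength <= i the subtraction wraps to a huge value.
static uint32_t mirror_unchecked(uint32_t cachedLength, uint32_t i) {
    return cachedLength - 1 - i;
}

// The same computation with the subtraction clamped at zero, so neither a
// stale nor a zero length can yield a wrapped index.
static uint32_t mirror_clamped(uint32_t length, uint32_t i) {
    return (length > i) ? length - 1 - i : 0;
}

// Vulnerable pattern: length is cached before the side effect and every
// mirrored index is derived from that stale value. Rather than performing an
// out-of-bounds write, the function reports it: it returns false as soon as
// an index falls outside the current backing store.
static bool reverse_stale_length(ModelArray& arr, SideEffect fill) {
    uint32_t length = arr.length();           // cached once
    fill(arr);                                // may change arr.length()
    for (uint32_t i = 0; i < length / 2; ++i) {
        uint32_t j = mirror_unchecked(length, i);
        if (i >= arr.length() || j >= arr.length()) {
            return false;                     // would have been a heap OOB access
        }
        std::swap(arr.elements[i], arr.elements[j]);
    }
    return true;
}

// Hardened pattern: re-read the length after the side effect, clamp the
// working length to what the array actually holds now, and compute mirrored
// indexes with saturating arithmetic. Returns true when every access stayed
// in bounds.
static bool reverse_reread_length(ModelArray& arr, SideEffect fill) {
    uint32_t length = arr.length();
    fill(arr);
    length = std::min(length, arr.length());  // clamp to the live length
    for (uint32_t i = 0; i < length / 2; ++i) {
        uint32_t j = mirror_clamped(length, i);
        if (i >= arr.length() || j >= arr.length()) {
            return false;
        }
        std::swap(arr.elements[i], arr.elements[j]);
    }
    return true;
}

// Builds [0, 1, ..., n-1] as constructed sample input.
static ModelArray make_array(uint32_t n) {
    ModelArray arr;
    for (uint32_t k = 0; k < n; ++k) {
        arr.elements.push_back(static_cast<int32_t>(k));
    }
    return arr;
}

typedef bool (*ReverseFn)(ModelArray&, SideEffect);

// Runs one reverse routine against a fresh n-element array with the given
// side effect and reports whether all accesses stayed in bounds.
static bool stays_in_bounds(ReverseFn reverse, SideEffect fill, uint32_t n) {
    ModelArray arr = make_array(n);
    return reverse(arr, fill);
}

// Checks that the hardened routine still reverses correctly when nothing
// interferes: element k must end up holding n-1-k.
static bool reverses_correctly(uint32_t n) {
    ModelArray arr = make_array(n);
    if (!reverse_reread_length(arr, keep_length)) return false;
    for (uint32_t k = 0; k < n; ++k) {
        if (arr.elements[k] != static_cast<int32_t>(n - 1 - k)) return false;
    }
    return true;
}

int main() {
    std::printf("stale length, array shrunk to 1: %s\n",
                stays_in_bounds(reverse_stale_length, shrink_to_one, 6) ? "in bounds" : "OOB index");
    std::printf("re-read length, array shrunk to 1: %s\n",
                stays_in_bounds(reverse_reread_length, shrink_to_one, 6) ? "in bounds" : "OOB index");
    std::printf("mirror_unchecked(0, 0) = %u\n", mirror_unchecked(0, 0));
    return 0;
}
```

For a six-element array shrunk to one element by the side effect, the stale-length routine computes mirrored index 5 from the cached 6 and reports an out-of-bounds access on its first iteration; the re-read routine clamps its working length to 1 and touches nothing. The clamp in mirror_clamped is what keeps a zero length from wrapping the subtraction to 0xFFFFFFFF; how the merged commit itself clamps the length is not shown on this page.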
@suwc (Author) commented Dec 13, 2016

@pleath or @boingoing could you approve pls?

@boingoing (Contributor) commented

LGTM

@suwc suwc changed the title Change to address CVE-2016-7200 Change to address CVE-2016-7202 Dec 13, 2016
@chakrabot chakrabot merged commit eecf271 into chakra-core:release/1.2 Dec 13, 2016
chakrabot pushed a commit that referenced this pull request Dec 13, 2016
Merge pull request #2196 from suwc:build/suwc/bugfix

Heap overflow in Array.prototype.reverse
In Array.prototype.reverse, array length is cached and used in ReverseHelper().
ReverseHelper() could invoke FillFromPrototypes(), which can cause a side-effect on the array,
including changing its length. Therefore, the use of cached array length to calculate segment left index could result in overflow. Fix by clamping array length at zero.
chakrabot pushed a commit that referenced this pull request Dec 13, 2016
Merge pull request #2196 from suwc:build/suwc/bugfix
chakrabot pushed a commit that referenced this pull request Dec 13, 2016
Merge pull request #2196 from suwc:build/suwc/bugfix
chakrabot pushed a commit that referenced this pull request Dec 13, 2016
…CVE-2016-7202
Merge pull request #2196 from suwc:build/suwc/bugfix