Skip to content

Assertion Failure in JavascriptArray #6179

New issue
New issue
Closed
#6184
Closed
Assertion Failure in JavascriptArray#6179
#6184
Assignees
boingoing
@daehee87

Description

@daehee87
daehee87
opened on Jun 25, 2019

Debug build of ChakraCore shows assertion failure from the following code

ChakraCore/lib/Runtime/Library/JavascriptArray.cpp, line 5779) length <= JavascriptArray::MaxArrayLength Failure: (length <= JavascriptArray::MaxArrayLength)

I think the boundary number check has some error.
This is the PoC.

var ua = new Uint32Array(0x10);
ua.__proto__ = new Array(0xffffffff);
++ua.length;
ua.reverse();

ChakraCore: Latest, Debug build
OS: Ubuntu 18.04.2
Arch: x86_64

Metadata

Metadata

Assignees

Labels

No labels
No labels

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions