MSIE integer overflows

Hi,

I've been testing MSIE for integer overflows in the DOM and jscript. I've found quite a few in one night testing. Nothing serious (yet) but since IE seems to be riddled with them there's got to be a few that can be exploited.

A few examples of buggy jscript:
Integers seem to be 62 bit long:

    var i = 32*256*256 * 256*256*256*256-1;     document.write((i==++i) + ' ' + (i==++i) + '<BR>'); prints:
false true

But array functions run into problems around 32 bits:

    var i = 128*256*256*256-3;
    var a = new Array();
    a[i]=1;

    document.write(a.push('a')+'
');
    document.write(a.push('b')+'
');
    document.write(a.push('c')+'
');
    document.write(a.pop()+'
');
    document.write(a.pop()+'
');
    document.write(a.pop()+'
');

I've been trying to think where I can find an integer that will cause troubles if it overflows, but I have not found anything... anybody got any idears ?

Cheers,

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

Berend-Jan Wever
http://spoor12.edup.tudelft.nl Received on Mon May 12 16:52:09 2003