Hosting Provided By

Re: MSIE integer overflows

From: Berend-Jan Wever <SkyLined(at)edup.tudelft.nl>
Date: Wed May 14 2003 - 05:30:44 EDT

<snip>
> That's a strange result, but are you sure it's actually meaningful? I
Not true: "++i" will increase i first and return the result of that increased i where "i++" will return i and then increase it: -- example.js --
var i=1;
document.write(++i); // prints 2, i=2;
document.write(i++); // prints 2, i=3;
-- cut here --

<snip>
> Well the javascript interpreter seems like a not-so-good place to look.
The interpreter is not handling them sanely, alltough I have not found anything security related that's wrong. The examples clearly show that the interpreter and some of the internal methods return unexpected behaviour. I tried the array's first to see if I could read/overwrite any memory I would normally not have access to.

> The 'undefined' result you got when pop()ing 'c' is a little strange,
See
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/script56/ht ml/js56jsmthPop.asp
(url wrapped)
<quote>If the array is empty, undefined is returned.</quote> So somehow it's still popping the value but then it returns "undefined", meaning it thinks the array is empty. Btw. try a negative index on an array (like "i[-1]"): It doesn't work, its NOT a valid index.

Cheers,

Berend-Jan Wever Received on Wed May 14 12:09:32 2003

This message: [ Message body ]
Next message: Nexus: "Re: partial analysis of vulndev-1.c"
Previous message: Joel Eriksson: "Re: vulndev-1 exploit."
In reply to xenophi1e: "Re: MSIE integer overflows"
Next in thread: xenophi1e: "Re: MSIE integer overflows"
Reply: xenophi1e: "Re: MSIE integer overflows"
Reply: Luciano Miguel Ferreira Rocha: "Re: MSIE integer overflows"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:39 EDT