chakra-core/ChakraCore

Assertion failure in JavascriptArray::FindHelper()

Open

#6,541 opened on Dec 16, 2020

View on GitHub
 (5 comments) (0 reactions) (0 assignees)JavaScript (1,374 forks)batch import
Bughelp wanted

Repository metrics

Stars
 (9,000 stars)
PR merge metrics
 (No merged PRs in 30d)

Description

Hello, executing following code in ch 1.22.24(debug), an assertion will be thrown.

var buffer = new Int8Array(8);
var func = function (elem) {
    return elem;
};

i = 9007199254740992;
Object.defineProperty(buffer, 'length', { value: i });
Array.prototype.find.call(buffer, func);

output:

ASSERTION 2480: (c:\users\sunlili\documents\workspace\jsenginesfordebug\chakracore-1.11.24\lib\runtime\library\javascriptarray.cpp, line 8558) length <= UINT_MAX
 Failure: (length <= 0xffffffff)
FATAL ERROR: ch.exe failed due to exception code c0000420

9007199254740992 is larger than Math::MAX_SAFE_INTEGER, so ch modified the length to Math::MAX_SAFE_INTEGER(9007199254740991 or 0x1F FFFF FFFF FFFF). Although length is modified larger than buffer's size, there is an index checking in BaseTypedDirectGetItem(__in uint32 index), which gets the real size of buffer, so the bug will not cause OOB access.

ISec Lab. 2020.12.16

Contributor guide