BUG Microsoft Edge: Uninitialized Memory in SIMD.toLocaleString

Reported by natashenka@google.com (Project Member), Oct 4
The following code occurs in JavascriptSIMDObject::ToLocaleString in JavascriptSimdObject.cpp:

    Var* newArgs = HeapNewArray(Var, numArgs);
    switch (numArgs)
    {
    case 1:
        break;
    case 2:
        newArgs[1] = args[1];
        break;
    case 3:
        newArgs[1] = args[1];
        newArgs[2] = args[2];
        break;
    default:
        Assert(UNREACHED);
    }

If the call has more than three arguments, numArgs is not matched by any case and execution falls through to the default branch, whose Assert does nothing in a release build, so the slots of newArgs past the ones the switch copies are left uninitialized. toLocaleString is then called on uninitialized memory, which has an effect similar to type confusion: integers already in that memory can be treated as pointers and pointers as integers. A minimal PoC is as follows, and a full PoC is attached:

var v = SIMD.Int32x4(1, 2, 3, 4);
v.toLocaleString(1, 2, 3, 4)
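The allocate-then-partially-copy pattern described above, modelled as a standalone C++ check so the gap can be counted rather than observed as memory corruption. This is an added example, not Chakra's code or its fix: Var is a void* stand-in, the receiver is assumed to be stored at index 0 before the switch, and the hardened variant assumes toLocaleString needs at most three slots (receiver, locales, options).

```cpp
#include <cassert>
#include <cstddef>
#include <vector>

using Var = void*;  // assumption: stand-in for Chakra's Var handle type

// Sentinel for "this slot was never written". In the engine such a slot holds
// whatever the allocator left behind; here it is made visible so it can be counted.
static int g_unsetMarker;
static Var const kUnset = &g_unsetMarker;

// Constructed argument vectors: slot 0 stands for the receiver, the rest for
// the extra call arguments (n = 5 corresponds to v.toLocaleString(1, 2, 3, 4)).
static int g_pool[16];
std::vector<Var> MakeArgs(size_t n) {
    assert(n >= 1 && n <= 16);
    std::vector<Var> args;
    for (size_t i = 0; i < n; ++i) args.push_back(&g_pool[i]);
    return args;
}

// Model of the original switch: only numArgs 1..3 are handled; anything larger
// reaches the default case, whose Assert(UNREACHED) does nothing in a release
// build, so no slot past index 0 is written. Returns the count of unwritten slots.
size_t UnwrittenSlotsOriginal(const std::vector<Var>& args) {
    const size_t numArgs = args.size();
    std::vector<Var> newArgs(numArgs, kUnset);  // stands in for HeapNewArray(Var, numArgs)
    newArgs[0] = args[0];  // assumption: the receiver is stored before the switch
    switch (numArgs) {
    case 1: break;
    case 2: newArgs[1] = args[1]; break;
    case 3: newArgs[1] = args[1]; newArgs[2] = args[2]; break;
    default: break;  // Assert(UNREACHED) compiled out: nothing is copied
    }
    size_t unset = 0;
    for (Var v : newArgs) if (v == kUnset) ++unset;
    return unset;
}

// Hardened variant (added here, not the project's fix): cap the count at what
// toLocaleString(locales, options) can consume, allocate exactly that many slots
// and fill every one of them in a loop, so no call shape leaves a gap.
constexpr size_t kMaxLocaleArgs = 3;  // assumption: receiver + locales + options

std::vector<Var> CopyArgsHardened(const std::vector<Var>& args) {
    const size_t numArgs = args.size() < kMaxLocaleArgs ? args.size() : kMaxLocaleArgs;
    std::vector<Var> newArgs(numArgs, kUnset);
    for (size_t i = 0; i < numArgs; ++i) newArgs[i] = args[i];
    return newArgs;
}

size_t UnwrittenSlotsHardened(const std::vector<Var>& args) {
    size_t unset = 0;
    for (Var v : CopyArgsHardened(args)) if (v == kUnset) ++unset;
    return unset;
}

int main() {
    // Five arguments, as in the PoC: the original leaves four slots unwritten.
    assert(UnwrittenSlotsOriginal(MakeArgs(5)) == 4);
    assert(UnwrittenSlotsOriginal(MakeArgs(3)) == 0);
    assert(UnwrittenSlotsHardened(MakeArgs(5)) == 0);
    assert(CopyArgsHardened(MakeArgs(5)).size() == 3);
    return 0;
}
```

The point of the hardened copy is that the number of slots allocated and the number of slots written are derived from the same value, so a call shape the author did not anticipate cannot open a gap between them; a regression test of this form, run with an allocator that poisons fresh memory, catches the original pattern without needing a crash.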

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.
Attachment: simd.html (183 bytes)

Comment 1 by natashenka@google.com (Project Member), Today (70 minutes ago)
Labels: CVE-2016-7286
Comment 2 by natashenka@google.com (Project Member), Today (68 minutes ago)