WebKit Bugzilla
Bug 263758 - Integer calculation error after JIT optimization. This may cause overflow or underflow, leading to exploitable vulnerability.
Status: RESOLVED DUPLICATE of bug 264278
CVE-2024-54658
https://bugs.webkit.org/show_bug.cgi?id=263758
Reported by anbu1024, 2023-10-26 19:10:28 PDT

JSC version: afe912ce640a337086d106e4853c3dabae003a38

Build options:
```
./Tools/Scripts/build-jsc --jsc-only --debug
```

Test case:
```
function foo(arg) {
    const x = /\s.\W/iu;   // a RegExp: as a shift count it coerces to NaN, i.e. 0
    x + x;
    const a = 0 | arg;
    const b = a + 0.1;
    const vvv = 1020000;
    const c = b >> x;
    return c;
}

let x = 3;
let y = -2147483647; // 0x7fffffff
let apple = foo(y);
print("function call before JIT opt");
print(apple);
for (let i = 0; i < 200; i++) {
    foo(x);
}
let banana = foo(y);
print("function call after JIT opt");
print(banana);
```

Result:
```
function call before JIT opt
-2147483646
function call after JIT opt
-2147483647
```
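As an added example, not part of the reporter's test case or of WebKit itself: a spec-style ToInt32 reference together with a cold-versus-warm differential check of the reporter's foo(), which is the usual way to confirm a suspected JIT miscompilation independently of the engine's own operators. It assumes Node.js rather than the JSC shell (no `print`); on an engine without this bug both runs agree with the reference value -2147483646, while the reporter's JSC build returned -2147483647 after warm-up.

```javascript
// Added example (not from the bug report or WebKit). Assumes Node.js.

// ECMAScript ToInt32: NaN and +/-Infinity become 0, otherwise truncate toward
// zero, wrap modulo 2^32 and reinterpret as a signed 32-bit integer. This is
// the conversion `>>` applies to its left operand before shifting.
function toInt32(value) {
  const n = Number(value);
  if (!Number.isFinite(n) || n === 0) return 0;
  const truncated = Math.trunc(n);
  const wrapped = ((truncated % 4294967296) + 4294967296) % 4294967296;
  return wrapped >= 2147483648 ? wrapped - 4294967296 : wrapped;
}

// Reference evaluation of the reporter's `b >> x` without using the engine's
// `>>`: the RegExp converts to NaN, so the shift count is ToUint32(NaN) & 31 = 0,
// and an arithmetic right shift is floor division by 2^count.
function referenceFoo(arg) {
  const x = /\s.\W/iu;
  const a = toInt32(arg);           // `0 | arg` in the original
  const b = a + 0.1;
  const count = toInt32(x) & 31;    // low 5 bits match ToUint32(x) & 31
  return Math.floor(toInt32(b) / Math.pow(2, count));
}

// The reporter's function, unchanged apart from living outside the JSC shell.
function foo(arg) {
  const x = /\s.\W/iu;
  x + x;
  const a = 0 | arg;
  const b = a + 0.1;
  const vvv = 1020000;
  const c = b >> x;
  return c;
}

// Differential check: run foo() cold on the probe value, warm the JIT with a
// different input, run the probe again and compare both results with the
// reference. Any mismatch flags a miscompilation for further triage.
function differentialCheck(probe, warmInput, iterations) {
  const expected = referenceFoo(probe);
  const cold = foo(probe);
  for (let i = 0; i < iterations; i++) foo(warmInput);
  const warm = foo(probe);
  return { expected, cold, warm, miscompiled: cold !== expected || warm !== expected };
}

// With the bug report's inputs: expected -2147483646 on a correct engine.
console.log(differentialCheck(-2147483647, 3, 200));
```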
Comment 1 - Radar WebKit Bug Importer, 2023-10-26 19:10:48 PDT
<rdar://problem/117563215>
Comment 2 - Yijia Huang, 2023-11-02 16:37:19 PDT
Pull request: https://github.com/apple/WebKit/pull/909
Comment 3 - Mark Lam, 2024-03-19 09:13:36 PDT
Pull request https://github.com/apple/WebKit/pull/909 is invalidated. This turned out to not be a security bug after all. Due to some unfortunate paperwork shuffle, this bug actually ended up being fixed in https://bugs.webkit.org/show_bug.cgi?id=264278.
Comment 4 - Mark Lam, 2024-03-19 09:14:30 PDT
Sorry for the forward dupe, but https://bugs.webkit.org/show_bug.cgi?id=264278 tracks the fix.

*** This bug has been marked as a duplicate of bug 264278 ***