jsish
cpe:2.3:a:jsish:jsish:*:*:*:*:*:*:*
- 2.0
A type confusion vulnerability has been identified in Jsish version 2.0. This issue causes incorrect control flow during execution of the OP_NEXT opcode. The vulnerability arises when an 'instanceof' expression uses an array element access as its left operand inside a for-in loop. The instruction implementation leaves an extra array reference on the stack instead of consuming it during the OP_INSTANCEOF operation. Consequently, OP_NEXT misinterprets the array as an iterator object and reads the iterCmd function pointer from a memory structure that is not an iterator. This flaw can lead to a crash or, depending on the heap layout, enable arbitrary code execution.
Exploitation of this vulnerability can cause a segmentation fault, indicating a crash, or potentially allow for arbitrary code execution, depending on the heap layout.
The vulnerability can be reproduced by creating an array and using a for-in loop to iterate over its elements. Within the loop, an 'instanceof' operation should be performed using an array element access as the left operand. This will trigger the type confusion by leaving an array reference on the stack, which OP_NEXT will then misinterpret as an iterator, leading to a crash.