-
Notifications
You must be signed in to change notification settings - Fork 1.2k
/
Copy pathstackobject_escape.js
64 lines (47 loc) · 1.45 KB
/
stackobject_escape.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
//-------------------------------------------------------------------------------------------------------
// Copyright (C) Microsoft. All rights reserved.
// Licensed under the MIT license. See LICENSE.txt file in the project root for full license information.
//-------------------------------------------------------------------------------------------------------
var leak;
var c = 0;
function Ctor()
{
this.b = 2;
this.a = c + c;
}
function test1()
{
var a = new Ctor();
return a + a;
}
WScript.Echo(test1());
WScript.Echo(test1());
Ctor.prototype.valueOf = function() { leak = this; return 40; }
WScript.Echo(test1());
WScript.Echo(leak.a);
WScript.Echo(leak.b);
function test2()
{
var a = new Ctor();
var f = a.a;
var g = a.b;
return f + g + a.a;
}
WScript.Echo(test2());
WScript.Echo(test2());
Object.defineProperty(Ctor.prototype, "b", { get: function() { WScript.Echo("get"); return 3; }, set: function() { leak = this; WScript.Echo("set");} });
WScript.Echo(test2());
WScript.Echo(leak.a);
WScript.Echo(leak.b);
function test3()
{
var a = [ 1 ];
a[1] = 2;
return a[0] + a[1];
}
WScript.Echo(test3());
WScript.Echo(test3());
Object.defineProperty(Array.prototype, "1" , { get: function() { WScript.Echo("get"); return 4; }, set: function() { leak = this; WScript.Echo("set"); }});
WScript.Echo(test3());
WScript.Echo(leak[0]);
WScript.Echo(leak[1]);