Safari performs an out-of-bounds read when calling the bound function.
c34419dbfdc88927512ecd0928e9ba0ad20ee01eb077380d69ea9fd9a6bd1bc8
Safari suffers from a type confusion vulnerability in DateTimeFormat.format.
bcbbe721812e3c9844aa096ccd242bccd99e577311663d34b1850a138057a5ea
The built-in JavaScript in the Safari browser allows Function.caller to be used in strict mode.
1884c9b6bc5c81281bf6c6ce0bb8b15f58a86018597a7480f0520481b1474f57
Adobe Flash suffers from a heap overflow vulnerability in AVC header slicing.
fbef41a0db49fefaee13e0da46006ecb460efa8c48004beb4d978126e1febaff
Adobe Flash suffers from a heap overflow vulnerability in ATF Planar Decompression.
1f3f4804170f55e0594564e62f7f8b2127c2acfc75e1949445ca48090e930764
Adobe Flash suffers from a heap overflow vulnerability in ATF thumbnailing.
c7fb3ad920b9843a00f95e3df1c7cb4d4d12bb712ee93c03c756181ff79a6081
Adobe Flash suffers from a use-after-free in MovieClip attach init object.
288bf2654c07f8a5762dbf1c27ee8dd3db7b77c46a21c4e6c32e26490a40cf2e
Adobe Flash suffers from an out-of-bounds read in metadata parsing.
f2d169c3f1506cdaaae621fd8675063bc4928c96e812355f017f5911c322d44e
Adobe Flash suffers from an overflow vulnerability during MP4 AMF parsing.
975f33074a57e3cfc572b9cf9519a6d3855366d379e71d3cc22b0b38ac580121
Adobe Flash suffers from a stack corruption vulnerability using a fuzzed SWF file.
861f5baa072230b7939cd1b63451ce6753e5bfa28f6b0c8f8760db23344f9efd
Adobe Flash suffers from a heap overflow vulnerability during YUVPLane decoding.
2bf4e6c3b7be108e8fdfd8baf1d8546149c39e64a4f46c8b3fe36fb7fd6bca33
Adobe Flash suffers from a use-after-free vulnerability in applying bitmapfilter.
c3983405af4d8f611ecd50aa0083c83ab68a09eb670364bcd670de0a0063bf60
Microsoft Edge suffers from a use-after-free in TypedArray.sort.
11de475950a4aa66ba0d851df8cd28b3240b3556f3a57a242500360bc7b10cf1
Microsoft Edge suffers from a type confusion vulnerability in internationalization initialization.
0be320830419d4d413759485f8f9434390d748bbadbe6240c606e8d40c43b5f1
Microsoft Edge suffers from an uninitialized memory vulnerability in SIMD.toLocaleString.
643bb73906252ab5624064b3341377969b656d9e7c0942f2729b87dab962bac4
Microsoft Edge has an information leak in JSON.parse. If this function is called with a reviver, and the reviver modifies the output object to contain a native array, the Walk function assumes that this array is a Var array, and writes pointers to it. These pointers can then be read out of the array by script.
28aba0b72143b7ea7aebe7de276ebb7d83f377a03b421526aea18446883104b0
JavascriptArray::FillFromPrototypes is a method used by several JavaScript functions available in the browser to set the native elements of an array to the values provided by its prototype. This function calls JavascriptArray::ForEachOwnMissingArrayIndexOfObject with the prototype of the object as a parameter, and if the prototype of the object is an array, it assumes that it is a Var array. While arrays are generally converted to Var arrays when they are set as an object's prototype, if an object's prototype is a Proxy object, it can return a parent prototype that is a native int array. This can lead to type confusion when JavascriptArray::FillFromPrototypes is called, allowing an integer to be treated as an absolute pointer.
101dc4b8ff4f7d1e144aeed9b089ca5fedd08e6c84b3be506d775adb205e3772
There is a heap overflow in Array.splice in Chakra. When an array is spliced, an overflow check is performed, but ArraySpeciesCreate, which can execute script and alter the array, is called after this check. This can allow an array with boundaries that cause integer overflows to be spliced, leading to heap overflows in several situations.
6a5819407b1a08e3e5fb1fe3572513e26e584b6fd29bae8efb15d284321b36d2
There is an overflow when reversing arrays in Chakra. On line 5112 of JavascriptArray::EntryReverse, the length of the array is fetched and stored. It is then passed as a parameter into JavascriptArray::ReverseHelper, which then calls FillFromPrototypes, which can change the size of the array.
51efc1a7f671ca4ab3f0714c3f5a4fe110049441aaaf858fda262b78d884d718
There is an information leak in Array.filter. In Chakra, the destination array that arrays are filtered into is initialized using ArraySpeciesCreate, which can create both native and variable (Var) arrays. However, the loop that calls the filter function assumes that the destination array is a Var array and sets each value using DirectSetItemAt, which is unsafe and can lead to a Var pointer being written into an integer array.
b151790aef488a9024d8165bd0cf284b8a3f10045d03d24b0017ec0d7a8eab30
In Chakra, function calls can sometimes take an extra internal argument, using the flag CallFlags_ExtraArg. The global eval function makes assumptions about the type of this extra arg, and casts it to a FrameDisplay object. If eval is called from a location in code where an extra parameter is added, for example, a Proxy function trap, and the extra parameter is of a different type, this can lead to type confusion.
d7ea56cd00bb283459fd55c24ac87e4186f692adde4a4facfd812d4b0ca61f2b
The included fuzz test case demonstrates an overflow in rastering for Adobe Flash.
637e42b945221fae8e6dae651bf8b8608a73661c378f35d81a53e8b60128cc71
Microsoft Edge suffers from a stack overflow vulnerability in the spread operator.
d00c2fc8649704c35e6a86501516a842f551c272f6170e5abd9360509a2010ee
Microsoft Edge suffers from an Array.map heap overflow vulnerability.
bb7df06e67057dfbacb646945da8bb9d1d43a0e5f6bfcc39a8623d35f47993fe
Microsoft Edge suffers from a Function.apply information leakage vulnerability.
dbb17a0dd7282cd24f147dc456608a799eff5c1d1b4b3af23f6e0534a00a7768