4 matches found
JavaScriptCore - Type Confusion During Bailout when Reconstructing Arguments Objects Exploit
The following sample was found by Fuzzilli and then slightly modified. It crashes JSC in debug builds: function main const v2 = 1337,1337; const v3 = 1337,v2,v2,0; Object.proto = v3; for let v10 = 0; v10 inheritscell-JSC::JSCell::vm, std::removepointer::type::info ../../So...
JavaScriptCore - Type Confusion During Bailout when Reconstructing Arguments Objects
The following sample was found by Fuzzilli and then slightly modified. It crashes JSC in debug builds: function main const v2 = 1337,1337; const v3 = 1337,v2,v2,0; Object.proto = v3; for let v10 = 0; v10 inheritscell-JSC::JSCell::vm, std...
JSC Argument Object Reconstruction Type Confusion
JSC: Type confusion during bailout when reconstructing arguments objects The following sample was found by Fuzzilli and then slightly modified. It crashes JSC in debug builds: function main const v2 = 1337,1337; const v3 = 1337,v2,v2,0; Object.proto = v3; for let v10 = 0; v10...
JavaScriptCore - Type Confusion During Bailout when Reconstructing Arguments Objects
JavaScriptCore - Type Confusion During Bailout when Reconstructing Arguments Objects The following sample was found by Fuzzilli and then slightly modified. It crashes JSC in debug builds: function main const v2 = 1337,1337; const v3 = 1337,v2,v2,0; Object.proto = v3; for let v10 = 0; v10...