11 matches found

Packet Storm
added 2019/07/30 12:0 a.m., 178 views

JSC BytecodeGenerator::emitEqualityOpImpl Data Mishandling

JSC: A bug in BytecodeGenerator::emitEqualityOpImpl Related CVE Numbers: CVE-2019-8684. PoC: let a = 1 || typeof 1 === 'string'; Generated bytecode: BPmgTo:0x7ff1965a0000-0x7ff1965a8000, NoneGlobal, 37: 11 instructions 0 wide instructions, 2 instructions with metadata; 225 bytes 188 metadata byte...

0.1 AI score, 0.03272 EPSS
Exploits: 1

Exploit DB
added 2018/11/29 12:0 a.m., 43 views

WebKit JSC - BytecodeGenerator::hoistSloppyModeFunctionIfNecessary Does not Invalidate the 'ForInContext' Object

This is similar to issue 1263. When hoisting a function onto the outer scope, if it overwrites the iteration variable for a for-in loop it should invalidate the corresponding ForInContext object, but it doesn't. As a result, an arbitrary object can be passed as the property variable to the...

7.4 AI score
Exploits: 0

0day.today
added 2018/11/29 12:0 a.m., 43 views

WebKit JSC - BytecodeGenerator::hoistSloppyModeFunctionIfNecessary Exploit

WebKit JSC - BytecodeGenerator::hoistSloppyModeFunctionIfNecessary Does not Invalidate the ForInContext Object / This is similar to issue 1263. When hoisting a function onto the outer scope, if it overwrites the iteration variable for a for-in loop it should invalidate the corresponding...

8.8 CVSS, 0.1 AI score, 0.26712 EPSS
Exploits: 6

Veracode
added 2018/07/04 7:53 a.m., 36 views

Remote Code Execution (RCE) Via Memory Corruption

microsoft.chakracore is vulnerable to remote code execution via a memory corruption vulnerability. This happens when an attacker inputs a large numeric or spread array literal to ByteCodeGenerator, leading to an out-of-bounds write. This CVE ID is different from CVE-2017-11886, CVE-2017-11889,...

7.5 CVSS, 8 AI score, 0.76161 EPSS
Exploits: 27, References: 4, Affected Software: 2

seebug.org
added 2017/10/10 12:0 a.m., 50 views

WebKit: JSC: Incorrect optimization in BytecodeGenerator::emitGetByVal (CVE-2017-7061)

Let's start with JS code. let o = ; for let i in xx: 0 oi; 0; i-- ForInContext& context = mforInContextStacki - 1.get; if context.local != property continue; if !context.isValid break; if context.type == ForInContext::IndexedForInContextType property = staticcastcontext.index; break;...

7.5 CVSS, 8.1 AI score, 0.08109 EPSS
Exploits: 4

Exploit DB
added 2017/10/04 12:0 a.m., 39 views

WebKit JSC - 'BytecodeGenerator::emitGetByVal' Incorrect Optimization (2)

function f let o = ; for let i in xx: 0 for i of 0 printoi; f;...

7.4 AI score
Exploits: 0

Packet Storm
added 2017/10/03 12:0 a.m., 50 views

WebKit JSC Incorrect Optimization

WebKit: JSC: Incorrect for-in optimization 2 CVE-2017-7117 The following PoC bypasses the fix for the https://bugs.chromium.org/p/project-zero/issues/detail?id=1263 WebKit: JSC: Incorrect optimization in BytecodeGenerator::emitGetByVal PoC: function f let o = ; for let i in xx: 0 for i of 0...

7 AI score, 0.0914 EPSS
Exploits: 6

Packet Storm
added 2017/09/12 12:0 a.m., 55 views

WebKit JSC BytecodeGenerator::emitGetByVal Incorrect Optimization

WebKit: JSC: Incorrect optimization in BytecodeGenerator::emitGetByVal CVE-2017-7061 Let's start with JS code. let o = ; for let i in xx: 0 oi; 0; i-- ForInContext& context = mforInContextStacki - 1.get; if context.local != property continue; if !context.isValid break; if context.type ==...

7.5 CVSS, 0.3 AI score, 0.08109 EPSS
Exploits: 4

exploitpack
added 2017/09/12 12:0 a.m., 23 views

WebKit JSC - BytecodeGenerator::emitGetByVal Incorrect Optimization (1)

WebKit JSC - BytecodeGenerator::emitGetByVal Incorrect Optimization 1 Let's start with JS code. let o = ; for let i in xx: 0 oi; 0; i-- ForInContext& context = mforInContextStacki - 1.get; if context.local != property continue; if !context.isValid break; if context.type ==...

0.5 AI score
Exploits: 0

0day.today
added 2017/08/17 12:0 a.m., 40 views

Microsoft Edge Chakra PreVisitCatch Missing Call Exploit

Microsoft Edge Chakra does not call SetIsCatch for all cases in PreVisitCatch. Microsoft Edge: Chakra: PreVisitCatch doesn't call SetIsCatch for all cases CVE-2017-8656 function trigger try catch x var x = 1; printx; trigger; When Chakra executes the above code, it declares two "x"s. One is only...

7.6 CVSS, 7.6 AI score, 0.81883 EPSS
Exploits: 35

exploitpack
added 2017/08/17 12:0 a.m., 25 views

Microsoft Edge Chakra - PreVisitCatch Missing Call

Microsoft Edge Chakra - PreVisitCatch Missing Call root-sxFnc.pnodeVars; pnode; pnode = pnode-sxVar.pnodeNext Symbol sym = pnode-sxVar.sym; if sym != nullptr && !pnode-sxVar.isBlockScopeFncDeclVar && sym-GetIsBlockVar if sym-GetIsCatch || pnode-nop == knopVarDecl && sym-GetIsBlockVar ... sym =...

0.1 AI score
Exploits: 0