JSC BytecodeGenerator::emitEqualityOpImpl Data Mishandling

JSC: A bug in BytecodeGenerator::emitEqualityOpImpl Related CVE Numbers: CVE-2019-8684. PoC: let a = 1 || typeof 1 === 'string'; Generated bytecode: BPmgTo:0x7ff1965a0000-0x7ff1965a8000, NoneGlobal, 37: 11 instructions 0 wide instructions, 2 instructions with metadata; 225 bytes 188 metadata byte...

WebKit JSC - BytecodeGenerator::hoistSloppyModeFunctionIfNecessary Exploit

WebKit JSC - BytecodeGenerator::hoistSloppyModeFunctionIfNecessary Does not Invalidate the ForInContext Object / This is simillar to issue 1263 . When hoisting a function onto the outer scope, if it overwrites the iteration variable for a for-in loop it should invalidate the corresponding...

WebKit JSC - BytecodeGenerator::hoistSloppyModeFunctionIfNecessary Does not Invalidate the 'ForInContext' Object

/ This is simillar to issue 1263 . When hoisting a function onto the outer scope, if it overwrites the iteration variable for a for-in loop it should invalidate the corresponding ForInContext object, but it doesn't. As a result, an arbitrary object can be passed as the property variable to the...

Remote Code Execution (RCE) Via Memory Corruption

microsoft.chakracore is vulnerable to remote code execution via memory corruption vulnerability. This happens when an attacker inputs a large numeric or spread array literal to ByteCodeGenerator, leading to an out-of-bounds write. This CVE ID is different from CVE-2017-11886, CVE-2017-11889,...

WebKit: JSC: Incorrect optimization in BytecodeGenerator::emitGetByVal(CVE-2017-7061)

Let's start with JS code. let o = ; for let i in xx: 0 oi; 0; i-- ForInContext& context = mforInContextStacki - 1.get; if context.local != property continue; if !context.isValid break; if context.type == ForInContext::IndexedForInContextType property = staticcastcontext.index; break;...

WebKit JSC - 'BytecodeGenerator::emitGetByVal' Incorrect Optimization (2)

function f let o = ; for let i in xx: 0 for i of 0 printoi; f;...

WebKit JSC Incorrect Optimization

WebKit: JSC: Incorrect for-in optimization 2 CVE-2017-7117 The following PoC bypasses the fix for the https://bugs.chromium.org/p/project-zero/issues/detail?id=1263 WebKit: JSC: Incorrect optimization in BytecodeGenerator::emitGetByVal PoC: function f let o = ; for let i in xx: 0 for i of 0...

WebKit JSC BytecodeGenerator::emitGetByVal Incorrect Optimization

WebKit: JSC: Incorrect optimization in BytecodeGenerator::emitGetByVal CVE-2017-7061 Let's start with JS code. let o = ; for let i in xx: 0 oi; 0; i-- ForInContext& context = mforInContextStacki - 1.get; if context.local != property continue; if !context.isValid break; if context.type ==...

WebKit JSC - BytecodeGenerator::emitGetByVal Incorrect Optimization (1)

WebKit JSC - BytecodeGenerator::emitGetByVal Incorrect Optimization 1 Let's start with JS code. let o = ; for let i in xx: 0 oi; 0; i-- ForInContext& context = mforInContextStacki - 1.get; if context.local != property continue; if !context.isValid break; if context.type ==...

Microsoft Edge Charka PreVisitCatch Missing Call Exploit

Microsoft Edge Chakra does not call SetIsCatch for all cases in PreVisitCatch. Microsoft Edge: Chakra: PreVisitCatch doesn't call SetIsCatch for all cases CVE-2017-8656 function trigger try catch x var x = 1; printx; trigger; When Chakra executes the above code, it declares two "x"s. One is only...

Microsoft Edge Chakra - PreVisitCatch Missing Call

Microsoft Edge Chakra - PreVisitCatch Missing Call root-sxFnc.pnodeVars; pnode; pnode = pnode-sxVar.pnodeNext Symbol sym = pnode-sxVar.sym; if sym != nullptr && !pnode-sxVar.isBlockScopeFncDeclVar && sym-GetIsBlockVar if sym-GetIsCatch || pnode-nop == knopVarDecl && sym-GetIsBlockVar ... sym =...