Microsoft Edge Chakra - 'JavascriptArray::ConcatArgs' Type Confusion
void JavascriptArray::ConcatArgs(RecyclableObject* pDestObj, TypeId* remoteTypeIds, Js::Arguments& args, ScriptContext* scriptContext, uint start, uint startIdxDest, BOOL firstPromotedItemIsSpreadable, BigIndex firstPromotedItemLength, bool spreadableCheckedAndTrue) { JS_REENTRANCY_LOCK(jsReentLock,...
Microsoft Edge: Chakra: Type confusion in JavascriptArray::ConcatArgs(CVE-2017-8634)
Let's assume that the following method is called with "firstPromotedItemIsSpreadable = true", and that "args" has two elements, an array and the integer 0x1234, in that order. In the first loop, "aItem" is an array, and "firstPromotedItemIsSpreadable" remains true because the condition for the fast path i...
Microsoft Edge Chakra - JavascriptArray::ConcatArgs Type Confusion
Microsoft Edge Chakra - JavascriptArray::ConcatArgs Type Confusion void JavascriptArray::ConcatArgs(RecyclableObject* pDestObj, TypeId* remoteTypeIds, Js::Arguments& args, ScriptContext* scriptContext, uint start, uint startIdxDest, BOOL firstPromotedItemIsSpreadable, BigIndex firstPromotedItemLength...
Microsoft Edge Chakra JavascriptArray::ConcatArgs Type Confusion Exploit
Exploit for the Windows platform in category dos / poc. Microsoft Edge: Chakra: Type confusion in JavascriptArray::ConcatArgs (CVE-2017-8634). Let's assume that the following method is called with "firstPromotedItemIsSpreadable = true", and that "args" has two elements, an array and the integer 0x1234...