2 matches found
WebKit JSC - 'AbstractValue::set' Use-After-Free
indexingType()); m_type = speculationFromStructure(structure.get()); m_value = JSValue(); checkConsistency(); assertIsRegistered(graph); } It works out m_arrayModes using structure->indexingType() instead of structure->indexingMode(). As structure->indexingType() masks out the CopyOnWrite flag, which indicates that the...
WebKit JSC AbstractValue::set Use-After-Free Exploit
WebKit: JSC: A bug in AbstractValue::set CVE-2018-4443 void AbstractValue::set(Graph& graph, RegisteredStructure structure) { RELEASE_ASSERT(structure); m_structure = structure; m_arrayModes = asArrayModes(structure->indexingType()); m_type = speculationFromStructure(structure.get()); m_value = JSValue();...