2 matches found
Safari Browser: Out-of-bounds read when calling bound function (CVE-2017-2447)
There is an out-of-bounds read when reading the bound arguments array of a bound function. When Function.bind is called, the arguments to the call are transferred to an Array before they are passed to JSBoundFunction::JSBoundFunction. Since it is possible that the Array prototype has had a setter...
Apple Safari - Out-of-Bounds Read when Calling Bound Function
var ba; function s alert"in s"; ba = this; function g alert"in g"; return...