4 matches found
Google Chrome 73.0.3683.103 - WasmMemoryObject::Grow Use-After-Free Exploit
memory_object, uint32_t pages) ... Handle<JSArrayBuffer> new_buffer; if (old_buffer->is_shared()) { // Adjust protections for the buffer. if (!AdjustBufferPermissions(isolate, old_buffer, new_size)) { return -1; } void* backing_store = old_buffer->backing_store(); i...
Google Chrome 73.0.3683.103 - WasmMemoryObject::Grow Use-After-Free
memory_object, uint32_t pages) ... Handle<JSArrayBuffer> new_buffer; if (old_buffer->is_shared()) { // Adjust protections for the buffer. if (!AdjustBufferPermissions(isolate, old_buffer, new_size)) { return -1; } void* backing_store = old_buffer->backing_store(); if...
Google Chrome 73.0.3683.103 - 'WasmMemoryObject::Grow' Use-After-Free
memory_object, uint32_t pages) ... Handle<JSArrayBuffer> new_buffer; if (old_buffer->is_shared()) { // Adjust protections for the buffer. if (!AdjustBufferPermissions(isolate, old_buffer, new_size)) { return -1; } void* backing_store = old_buffer->backing_store(); if (memory_tracker->IsWasmSharedMemory(backing_store)) { // This memory is shared...
Google Chrome WasmMemoryObject::Grow Use-After-Free
Chrome: Use-after-free in WasmMemoryObject::Grow VULNERABILITY DETAILS https://cs.chromium.org/chromium/src/v8/src/wasm/wasm-objects.cc?rcl=783343158eb1b147df7e6669f1d03c690c878e21&l=1253 int32_t WasmMemoryObject::Grow(Isolate* isolate, Handle<WasmMemoryObject> memory_object, uint32_t pages) ... Handle<JSArrayBuffer> new_buffer; if...